Wednesday, February 20 • 14:00 - 15:30
API access control


In this opinionated live-coding session we show how to design and implement access control for APIs.


Abstract
API keys are an easy and commonly used technique, but the security guarantees they afford are minimal. JSON Web Tokens (JWT) are much more granular and need not rely on shared keys. Since token validation and authorization logic are cross-cutting concerns that typically require distinct skills, it is desirable to separate them from the business logic that implements the resources being accessed.

In this session, we implement the business logic on a FaaS (Function as a Service) platform, with an API Gateway acting as the guard, a.k.a. Policy Enforcement Point (PEP), in a serverless architecture. We illustrate the use of an OAuth authorization server in combination with JWTs to secure API access from a Single Page Application (SPA).
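The gateway-as-PEP separation described above, as an added example that is not code from the session or its speakers: a minimal authorizer that validates a JWT (signature, algorithm, expiry, audience, scope) and sits in front of a business function that contains no token logic at all. For brevity it assumes an HS256 shared secret; a real gateway would instead verify the authorization server's asymmetric signatures (RS256/ES256) using its published keys, which is what lets the setup avoid shared keys. The secret, audience, scope names and claims are all constructed.

```python
import base64, hashlib, hmac, json, time

# Constructed shared secret (assumption); a real gateway would fetch the
# authorization server's public keys and verify RS256/ES256 instead.
SECRET = b"constructed-demo-secret"
EXPECTED_AUD = "orders-api"   # constructed audience identifier for this API

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims, secret=SECRET):
    """Constructed stand-in for the OAuth authorization server (HS256)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def authorize(token, required_scope, now=None, secret=SECRET):
    """Policy Enforcement Point: validate the JWT, return (allowed, reason)."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed token"
    if header.get("alg") != "HS256":      # rejects alg=none and algorithm confusion
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if payload.get("exp", 0) <= now:      # a missing exp is treated as expired
        return False, "expired"
    if payload.get("aud") != EXPECTED_AUD:
        return False, "wrong audience"
    if required_scope not in payload.get("scope", "").split():
        return False, "insufficient scope"
    return True, "ok"

def get_order(order_id):
    """Business function: no token handling; the PEP already enforced policy."""
    return {"order_id": order_id, "status": "shipped"}

def gateway(token, order_id, now=None):
    """Wires the PEP in front of the business function, as a gateway authorizer would."""
    allowed, reason = authorize(token, "orders:read", now)
    return (200, get_order(order_id)) if allowed else (403, {"error": reason})
```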


This session is intended for anyone building, designing, securing, or consuming remote APIs.

Speakers

Michael Boeynaems, Independent cyber security expert

Johan Peeters, Independent software architect


Wednesday February 20, 2019 14:00 - 15:30