Friday, March 3 • 13:40 - 15:10
AuthN/Z for REST Services


REST services are very popular. Unfortunately, many are not secure. In this session, we identify access control requirements for a range of application types and discuss how these can be delivered with current standards and tools.
The presentation is interactive; we discuss the trade-offs when implementing typical requirements.
OpenID Providers authenticate end users and issue a security token called an ID Token, which carries a set of claims about the authenticated end user and the authentication event. We will dissect OpenID Connect ID Tokens, which are encoded as JSON Web Tokens (JWT).
Even though OIDC and OAuth are supplanting older authN/Z standards for web services such as SAML (Security Assertion Markup Language) and XACML (eXtensible Access Control Markup Language), they will have to co-exist for a long time. Many components offering OIDC or OAuth interfaces also work with SAML or XACML, which define interesting roles such as Identity Provider (IdP), Policy Enforcement Point (PEP) and Policy Decision Point (PDP). So it is natural to ask whether these roles are relevant in a REST architecture as well and, if so, how they map onto OIDC and OAuth roles.
This session builds on Maarten Decat's Access Control lecture and Jim Manico's Introduction to OAuth 2.0 Security. 
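The dissection the abstract promises, as an added example that is not part of the session materials or the speaker's code: a small Go program plays both sides of OIDC. A toy OpenID Provider mints an RS256-signed ID Token, and a relying party takes it apart and performs the checks OpenID Connect Core requires of a client (pinned algorithm, signature before any claim is trusted, then iss, aud, exp and nonce). The issuer https://op.example, the client_id rest-client, the claim values and the in-process key are all constructed for the example; a real relying party fetches the OP's public keys from its JWKS endpoint rather than sharing a key pair with it.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// IDTokenClaims: claims a relying party must validate (OIDC Core 1.0, 3.1.3.7); aud may be a string or an array.
type IDTokenClaims struct {
	Iss   string          `json:"iss"`
	Sub   string          `json:"sub"`
	Aud   json.RawMessage `json:"aud"`
	Exp   int64           `json:"exp"`
	Nonce string          `json:"nonce,omitempty"`
}

var b64 = base64.RawURLEncoding // JWS uses unpadded base64url (RFC 7515)

// demoKey is a constructed OP signing key; a real RP gets the public half from the OP's JWKS endpoint.
var demoKey, _ = rsa.GenerateKey(rand.Reader, 2048)

// MintIDToken plays the OpenID Provider (hypothetical helper): RS256-sign header.payload.
func MintIDToken(priv *rsa.PrivateKey, claims IDTokenClaims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyIDToken plays the relying party: pin alg, verify the signature before
// trusting any claim, then check iss, aud, exp and nonce against expectations.
func VerifyIDToken(token string, pub *rsa.PublicKey, issuer, clientID, nonce string, now time.Time) (*IDTokenClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT: want header.payload.signature")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	sig, errS := b64.DecodeString(parts[2])
	if err != nil || errS != nil {
		return nil, fmt.Errorf("header or signature is not valid base64url")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return nil, err
	}
	// Never let the token pick its algorithm: rejects "none" and RS256-to-HS256 key confusion.
	if hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q, want RS256", hdr.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature does not verify under the OP key")
	}
	// Only now is the payload worth parsing: its claims are authenticated.
	payload, err := b64.DecodeString(parts[1])
	var c IDTokenClaims
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return nil, fmt.Errorf("claims are not valid base64url JSON")
	}
	switch {
	case c.Iss != issuer:
		return nil, fmt.Errorf("iss %q is not the configured OP", c.Iss)
	case !audContains(c.Aud, clientID):
		return nil, fmt.Errorf("aud does not include this client_id")
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, fmt.Errorf("token has expired")
	case nonce != "" && c.Nonce != nonce:
		return nil, fmt.Errorf("nonce mismatch (possible replay)")
	}
	return &c, nil
}

// audContains accepts both JSON shapes of aud allowed by RFC 7519.
func audContains(raw json.RawMessage, clientID string) bool {
	var single string
	if json.Unmarshal(raw, &single) == nil {
		return single == clientID
	}
	var many []string
	_ = json.Unmarshal(raw, &many) // array form; stays empty if neither shape parses
	for _, a := range many {
		if a == clientID {
			return true
		}
	}
	return false
}

func main() { // stand-alone demo: mint a token, print it, verify it with the matching public key
	tok, _ := MintIDToken(demoKey, IDTokenClaims{Iss: "https://op.example", Sub: "alice", Aud: json.RawMessage(`"rest-client"`), Exp: time.Now().Add(time.Minute).Unix()})
	_, err := VerifyIDToken(tok, &demoKey.PublicKey, "https://op.example", "rest-client", "", time.Now())
	fmt.Println(tok, "\nverify error:", err)
}
```

The ordering matters as much as the individual checks: the algorithm is fixed by the relying party's configuration rather than read from the header, the signature is verified over the encoded header and payload exactly as received, and only then are the claims decoded and compared with what this particular client expects. A token that is valid for a different client_id, issued by a different OP, expired, or replayed with a stale nonce is rejected even though its signature is genuine.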


Johan Peeters

Johan Peeters is an independent software architect. He serves both large companies and SMEs and has addressed software development issues ranging from product definition to acceptance testing. He is the founder of secappdev.org.

Friday March 3, 2017 13:40 - 15:10
Room: Lemaire
