Adam Hopkins - Overcoming access control in web APIs

Learn how to overcome access control hurdles in web APIs: treat authentication and authorization as separate concerns, carry credentials in tokens sent via headers rather than cookies, and implement structured scopes and a protection method so that access is secure and controlled.

Key takeaways
  • Consider authentication and authorization separately; authentication is about “who is this person?”, while authorization is about “are they allowed to do this?”
  • Use tokens to store authentication information, but avoid storing sensitive information in cookies
  • Browsers are a problem because they can’t handle security features like HTTP-only cookies; use header-based security measures instead of relying on the browser’s cookie handling
  • JWTs are a common way to handle authentication; each token breaks down into three parts: namespace, action, and signature
  • Use structured scopes to handle authentication and authorization; structured scopes are a way to define permissions without storing them in a database
  • Don’t rely on cookies for authentication; instead, use header-based security measures
  • Use a protection method to validate tokens and prevent unauthorized access
  • Remember that an authentication failure is a 401 status code, while an authorization failure is a 403 status code
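To make the last four takeaways concrete, here is an added example (not code from the talk or from any of the speaker’s projects) of a header-based protection method that separates the two failure modes. It assumes a scope syntax of `namespace:action` (a bare namespace granting every action in it, and a comma-separated list granting several) and stands in a minimal HMAC-signed token for a real JWT so the block runs offline.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"  # constructed for the example, never hard-code in production


def mint(claims: dict) -> str:
    """Sign a claims dict; body.signature stands in for a real JWT (assumption)."""
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify(token: str):
    """Return the claims if the signature checks out, otherwise None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def scope_satisfies(granted: str, required: str) -> bool:
    """Structured scope check: assumed 'namespace:action' syntax (see lead-in)."""
    g_ns, _, g_actions = granted.partition(":")
    r_ns, _, r_action = required.partition(":")
    if g_ns != r_ns:
        return False
    if not g_actions:  # bare namespace grants every action in it
        return True
    return r_action in g_actions.split(",")


def protect(headers: dict, required_scope: str):
    """Authenticate from the Authorization header, then authorize by scope.
    Returns (status, detail): 401 when we cannot tell who the caller is,
    403 when we know who they are but the token lacks the required scope."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return 401, "authentication required"
    claims = verify(auth[len("Bearer "):])
    if claims is None:
        return 401, "invalid token"
    if not any(scope_satisfies(s, required_scope) for s in claims.get("scopes", [])):
        return 403, "insufficient scope"
    return 200, claims["sub"]
```

Because the token travels in the Authorization header rather than a cookie, the browser never attaches it automatically, which is the header-based approach the takeaways recommend.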