Skip to content

A hands-on AppSec fundamentals workshop where we explore protecting API's and Web apps

License

Notifications You must be signed in to change notification settings

equinor/appsec-fundamentals-authn-authz-cs

Repository files navigation

Application Security Fundamentals - Authn & Authz

License PRs Welcome Contributor Covenant

This is a hands-on AppSec fundamentals workshop where we explore protecting API's and Web apps. We look at authentication (authn), authorization (authz) and friends. This version of the workshop is the Codespaces edition. Using you browser we run all exercises in a all inclusive virtual environment.

In the workshop participant will get to know key technologies such as OAuth2, OpenID Connect (OIDC) and Microsoft Entra ID. Our journey will take us from the rfc specifications, to manual request, to coding, to using frameworks, to debugging and to testing. After the workshop participants should have a pretty good understanding of the mechanics behind the scenes as well as relevant security/privacy concerns.

  • The workshop level is intermediate/advanced.
  • The workshop is usually executed as a virtual session (using MS Teams or similar)
  • The workshop will be organized as 2 full days sessions
  • It recommended that more than one person participate from a team.
  • During the workshop we expect to spark a high number of relevant discussions. These discussion should naturally continue in the teams after the workshop.

Workshop outline

  • Intro, objectives
  • What problem are we trying to solve?
  • The basics of Authentication and Authorization (part 1)
  • OAuth2 Code Grant Raw Style
  • Getting access tokens using code
  • The basics of Authentication and Authorization (part 2)
  • Exploring Scope
  • Exploring Frameworks for Authentication and Authorization
  • Exploring Sessions and session management
  • Exploring Common authorization scenarios in Equinor
  • Exploring Refresh tokens
  • Exploring The Implicit grant for Native, Mobile, SPA
  • Exploring PKCE for Native, Mobile, SPA
  • Exploring Web API's protection
  • Exploring Web API chaining scenarios (OBO)

Exercise index

  1. Authorization Code Grant Raw Style
  2. Getting an access token using code
  3. Scope
  4. Using Auth Frameworks
  5. Sessions
  6. Common Authorization Scenarios
  7. Refresh tokens
  8. Implicit grant
  9. Auth Code Grant with PKCE
  10. Protecting Web Api's
  11. Protecting Web Api's O-B-O

Documentation and Slide deck

Most of the topics and exercises have documentation as part of the exercise. We use a slide deck for some parts. The docs/readme shows you how to load the docs in your local environment. Slides are also served using Github Pages at https://equinor.github.io/appsec-fundamentals-authn-authz-cs

Support documents

Workshop Preparations and Pre-Requisites

To enable a good flow and outcome of the workshop it is vital to come prepared. Preparations and pre-requisites are defined in Support/workshop_preparations

Non Equinor adaptions ⚡️

Some of the material in the workshop may not make sense for all environments and may be a bit specific for Equinor. We have marked this with a ⚡️ which indicate that it most likely will have to be adapted to your context.