diff --git a/docs/content/images/rfc6479_abstract_flow_alternative.png b/docs/content/images/rfc6479_abstract_flow_alternative.png deleted file mode 100644 index 83f61ab..0000000 Binary files a/docs/content/images/rfc6479_abstract_flow_alternative.png and /dev/null differ diff --git a/docs/content/images/rfc6479_abstract_flow.png b/docs/content/images/rfc6749_abstract_flow.png similarity index 100% rename from docs/content/images/rfc6479_abstract_flow.png rename to docs/content/images/rfc6749_abstract_flow.png diff --git a/docs/content/images/rfc6479_code_grant.png b/docs/content/images/rfc6749_code_grant.png similarity index 100% rename from docs/content/images/rfc6479_code_grant.png rename to docs/content/images/rfc6749_code_grant.png diff --git a/docs/content/security_resources.md b/docs/content/security_resources.md index d0ec9c7..3efc29b 100644 --- a/docs/content/security_resources.md +++ b/docs/content/security_resources.md @@ -15,8 +15,3 @@ * [OWASP Application Security Verification Standard](https://owasp.org/www-project-application-security-verification-standard/) * [OWASP Software Assurance Maturity Model](https://owaspsamm.org/) ---- - -## Going deeper into A&A? - -![OAuth2 in Action](content/images/oauth2inaction.jpeg) diff --git a/docs/content/the_basics_of_aanda_1.md b/docs/content/the_basics_of_aanda_1.md index 7789ef3..e547717 100644 --- a/docs/content/the_basics_of_aanda_1.md +++ b/docs/content/the_basics_of_aanda_1.md @@ -78,7 +78,7 @@ Many scenarios will require __your__ app/api's to play multiples roles, often in [RFC6749 1.2](https://datatracker.ietf.org/doc/html/rfc6749#section-1.2) -![Abstract flow](content/images/rfc6479_abstract_flow.png) +![Abstract flow](content/images/rfc6749_abstract_flow.png)
@@ -125,11 +125,11 @@ Many scenarios will require __your__ app/api's to play multiples roles, often in --- -## The Authorization Code Grant
[rfc6479 - 4.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1) +## The Authorization Code Grant
[rfc6749 - 4.1](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1) | | | | - | - | -| ![Code Grant](content/images/rfc6479_code_grant.png) | ![Code Grant](content/images/actors.jpg) | +| ![Code Grant](content/images/rfc6749_code_grant.png) | ![Code Grant](content/images/actors.jpg) | --- diff --git a/docs/content/wrap-up.md b/docs/content/wrap-up.md index 0abea2b..a015bc8 100644 --- a/docs/content/wrap-up.md +++ b/docs/content/wrap-up.md @@ -6,6 +6,7 @@ * Microsoft Entra ID App Registrations * Remove unused Github CodeSpaces +* Remove unused Github CodeSpace Secrets --- diff --git a/ex-02/doc/preparing_the_environment.md b/ex-02/doc/preparing_the_environment.md index d07a227..d3c1b7e 100644 --- a/ex-02/doc/preparing_the_environment.md +++ b/ex-02/doc/preparing_the_environment.md @@ -26,4 +26,4 @@ npm test ## --Now You-- * Do the steps -* When done post the time it took to run the tests to the workshop Slack channel +* When done post the time it took to run the tests to the workshop Slack channel ⚡️ diff --git a/ex-04/doc/exploring_oauth2_frameworks.md b/ex-04/doc/exploring_oauth2_frameworks.md index 183e0b0..2f589eb 100644 --- a/ex-04/doc/exploring_oauth2_frameworks.md +++ b/ex-04/doc/exploring_oauth2_frameworks.md @@ -12,7 +12,7 @@ The purpose of this section is to list and perhaps discuss a few frameworks for ## --Now You-- * Spend a few minutes browsing and make yourself familiar with the resources -* Drop a message on the course slack channel state which authentication library you are using today (if any) +* Drop a message on the course slack channel state which authentication library you are using today (if any) ⚡️ ## --Discuss security issues and good practices-- diff --git a/ex-04/doc/preparing_the_environment.md b/ex-04/doc/preparing_the_environment.md index 03a7918..c3fb77e 100644 --- a/ex-04/doc/preparing_the_environment.md +++ b/ex-04/doc/preparing_the_environment.md 
@@ -22,4 +22,4 @@ Steps: ## --Now You-- * Do the steps -* When done post the output the last two lines of the **npm test** command to the course Slack channel +* When done post the output the last two lines of the **npm test** command to the course Slack channel ⚡️ diff --git a/ex-06/doc/scenario_2.md b/ex-06/doc/scenario_2.md index 87d30a5..e573440 100644 --- a/ex-06/doc/scenario_2.md +++ b/ex-06/doc/scenario_2.md @@ -40,7 +40,7 @@ Steps: * You may have to start / stop the back-end between changes. * Do the steps above * Login to your application and figure out how to observe the changes (Hint: "id token") -* When done - post how many AD groups you are member of into the course Slack channel. +* When done - post how many AD groups you are member of into the course Slack channel. ⚡️ ### --Further experiments-- (🥸) diff --git a/ex-10/doc/the_scenario.md b/ex-10/doc/0_the_scenario.md similarity index 100% rename from ex-10/doc/the_scenario.md rename to ex-10/doc/0_the_scenario.md diff --git a/ex-10/doc/registering_api_in_azure_ad.md b/ex-10/doc/1_registering_api_in_azure_ad.md similarity index 97% rename from ex-10/doc/registering_api_in_azure_ad.md rename to ex-10/doc/1_registering_api_in_azure_ad.md index b6b20e5..b31cae0 100644 --- a/ex-10/doc/registering_api_in_azure_ad.md +++ b/ex-10/doc/1_registering_api_in_azure_ad.md @@ -36,5 +36,5 @@ Steps: ## --Now You-- * Do the steps above -* When done; post a message to the course Slack channel and include your api's scope (api://..../...) +* When done; post a message to the course Slack channel and include your api's scope (api://..../...) ⚡️ diff --git a/ex-10/doc/exploring_the_client_code.md b/ex-10/doc/2_exploring_the_client_code.md similarity index 100% rename from ex-10/doc/exploring_the_client_code.md rename to ex-10/doc/2_exploring_the_client_code.md 
diff --git a/ex-10/doc/exploring_the_api_code.md b/ex-10/doc/3_exploring_the_api_code.md similarity index 100% rename from ex-10/doc/exploring_the_api_code.md rename to ex-10/doc/3_exploring_the_api_code.md diff --git a/ex-10/doc/configure_client_and_api.md b/ex-10/doc/4_configure_client_and_api.md similarity index 100% rename from ex-10/doc/configure_client_and_api.md rename to ex-10/doc/4_configure_client_and_api.md diff --git a/ex-10/doc/execute_client_and_api.md b/ex-10/doc/5_execute_client_and_api.md similarity index 100% rename from ex-10/doc/execute_client_and_api.md rename to ex-10/doc/5_execute_client_and_api.md diff --git a/ex-10/doc/swapping_tech_for_episodes_api.md b/ex-10/doc/6_swapping_tech_for_episodes_api.md similarity index 100% rename from ex-10/doc/swapping_tech_for_episodes_api.md rename to ex-10/doc/6_swapping_tech_for_episodes_api.md diff --git a/ex-10/doc/protecting_apis.md b/ex-10/doc/7_protecting_apis.md similarity index 98% rename from ex-10/doc/protecting_apis.md rename to ex-10/doc/7_protecting_apis.md index 249549e..a082a8c 100644 --- a/ex-10/doc/protecting_apis.md +++ b/ex-10/doc/7_protecting_apis.md @@ -60,7 +60,7 @@ There are other security measures in the API implementation that we don't discus * Document APIs using Swagger or OpenAPI spec * Create security related test * Use [OWASP ASVS](https://owasp.org/www-project-application-security-verification-standard/) as an guide line for testing and secure coding practices. - * Apply tools to test your API's. (Fuzzers, OWASP ZAP etc..) + * Apply tools to test your API's. (Fuzzers, ZAP etc..) * Test from the outside (integration, end-to-end) (utilizing all components?) * Consult OWASP Top 10's * [API](https://owasp.org/www-project-api-security/) diff --git a/ex-10/readme.md b/ex-10/readme.md index e3fb5d4..ee91a6c 100644 --- a/ex-10/readme.md +++ b/ex-10/readme.md 
@@ -4,11 +4,11 @@ In this exercise we will investigate how to protect web api's using OAuth2. We w ## Outline -* [The Scenario](doc/the_scenario.md) -* [Registering the API in Microsoft Entra ID](doc/registering_api_in_azure_ad.md) -* [Exploring the Client Code](doc/exploring_the_client_code.md) -* [Exploring the API Code](doc/exploring_the_api_code.md) -* [Configure the Client and the API](doc/configure_client_and_api.md) -* [Execute the Client and the API](doc/execute_client_and_api.md) -* [Swapping from Node to Python on the Episodes API](doc/swapping_tech_for_episodes_api.md) -* [Defense in depth - protecting API's](doc/protecting_apis.md) (🥸) +* [1. The Scenario](doc/0_the_scenario.md) +* [Registering the API in Microsoft Entra ID](doc/1_registering_api_in_azure_ad.md) +* [Exploring the Client Code](doc/2_exploring_the_client_code.md) +* [Exploring the API Code](doc/3_exploring_the_api_code.md) +* [Configure the Client and the API](doc/4_configure_client_and_api.md) +* [Execute the Client and the API](doc/5_execute_client_and_api.md) +* [Swapping from Node to Python on the Episodes API](doc/6_swapping_tech_for_episodes_api.md) +* [Defense in depth - protecting API's](doc/7_protecting_apis.md) (🥸) diff --git a/ex-11/doc/the_scenario.md b/ex-11/doc/0_the_scenario.md similarity index 100% rename from ex-11/doc/the_scenario.md rename to ex-11/doc/0_the_scenario.md diff --git a/ex-11/doc/the_obo_flow.md b/ex-11/doc/1_the_obo_flow.md similarity index 100% rename from ex-11/doc/the_obo_flow.md rename to ex-11/doc/1_the_obo_flow.md diff --git a/ex-11/doc/quotes_code_config.md b/ex-11/doc/2_quotes_code_config.md similarity index 100% rename from ex-11/doc/quotes_code_config.md rename to ex-11/doc/2_quotes_code_config.md diff --git a/ex-11/doc/episodes_code_config.md b/ex-11/doc/3_episodes_code_config.md similarity index 100% rename from ex-11/doc/episodes_code_config.md rename to ex-11/doc/3_episodes_code_config.md 
diff --git a/ex-11/doc/client_code_config.md b/ex-11/doc/4_client_code_config.md similarity index 100% rename from ex-11/doc/client_code_config.md rename to ex-11/doc/4_client_code_config.md diff --git a/ex-11/doc/swapping_tech_for_episodes_api.md b/ex-11/doc/5_swapping_tech_for_episodes_api.md similarity index 100% rename from ex-11/doc/swapping_tech_for_episodes_api.md rename to ex-11/doc/5_swapping_tech_for_episodes_api.md diff --git a/ex-11/doc/swapping_tech_for_quotes_api.md b/ex-11/doc/6_swapping_tech_for_quotes_api.md similarity index 100% rename from ex-11/doc/swapping_tech_for_quotes_api.md rename to ex-11/doc/6_swapping_tech_for_quotes_api.md diff --git a/ex-11/doc/security_considerations.md b/ex-11/doc/7_security_considerations.md similarity index 97% rename from ex-11/doc/security_considerations.md rename to ex-11/doc/7_security_considerations.md index bff0506..b51aeb9 100644 --- a/ex-11/doc/security_considerations.md +++ b/ex-11/doc/7_security_considerations.md @@ -7,7 +7,7 @@ * Use frameworks as much as possible to handle the flows? * Testability and frameworks are a potential issue. * Using a lot of different technologies in projects sets high demand to team skills and capabilities. -* Establish good practice around debugging/tracing to understand network flow (OWASP Zap) +* Establish good practice around debugging/tracing to understand network flow (Zap) * For NodeJS i recommend the Global Agent module to enable debugging using a network proxy * Scan for open source components for known vulnerabilities diff --git a/ex-11/readme.md b/ex-11/readme.md index e8031ef..495c7c2 100644 --- a/ex-11/readme.md +++ b/ex-11/readme.md 
@@ -4,11 +4,11 @@ In this exercise we will investigate how to protect web api's using the OBO flow ## Outline -* [The Scenario](doc/the_scenario.md) -* [The On-Behalf-Of flow](doc/the_obo_flow.md) -* [Quotes Api - Code, Config and start](doc/quotes_code_config.md) -* [Episodes Api - Code, Config and start](doc/episodes_code_config.md) -* [Client - Code, Config and start](doc/client_code_config.md) -* [Swapping from Node to Python on the Episodes API](doc/swapping_tech_for_episodes_api.md) -* [Swapping from Node to .net on the Quotes API](doc/swapping_tech_for_quotes_api.md) -* [Security Considerations](doc/security_considerations.md) +* [The Scenario](doc/0_the_scenario.md) +* [The On-Behalf-Of flow](doc/1_the_obo_flow.md) +* [Quotes Api - Code, Config and start](doc/2_quotes_code_config.md) +* [Episodes Api - Code, Config and start](doc/3_episodes_code_config.md) +* [Client - Code, Config and start](doc/4_client_code_config.md) +* [Swapping from Node to Python on the Episodes API](doc/5_swapping_tech_for_episodes_api.md) +* [Swapping from Node to .net on the Quotes API](doc/6_swapping_tech_for_quotes_api.md) +* [Security Considerations](doc/7_security_considerations.md)
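Review bot: In the docs/content/security_resources.md hunk, dropping the "Going deeper into A&A?" section removes the only reference shown to content/images/oauth2inaction.jpeg, but the file itself is not deleted; the patch already deletes rfc6479_abstract_flow_alternative.png when it stopped being used, so the same cleanup should apply here unless the jpeg is referenced from another page.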
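Review bot: In the docs/content/the_basics_of_aanda_1.md table hunk, both images carry the alt text "Code Grant" although the second one is content/images/actors.jpg; the alt text on the second cell should describe the actors image, e.g. `| ![Code Grant](content/images/rfc6749_code_grant.png) | ![Actors](content/images/actors.jpg) |`. The link label `[rfc6749 - 4.1]` is also styled differently from `[RFC6749 1.2]` in the earlier hunk of the same file; pick one form.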
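Review bot: In the docs/content/wrap-up.md hunk, the new item "Remove unused Github CodeSpace Secrets" is a good addition to the cleanup list, since secrets left in a Codespace outlive the workshop, but the product name is spelled differently from the preceding line ("Github CodeSpaces"); use one spelling for both, ideally the official "GitHub Codespaces".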
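Review bot: In the ex-04/doc/exploring_oauth2_frameworks.md hunk, the line being touched still reads "Drop a message on the course slack channel state which authentication library..."; since the line is edited anyway, fix the grammar ("stating which") and capitalise "Slack" as the other exercise docs in this patch do.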
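Review bot: In the ex-10/doc/7_protecting_apis.md hunk, replacing "OWASP ZAP" with "ZAP" is correct given ZAP is no longer an OWASP project, but the surrounding context lines keep "as an guide line" and "API's"; while editing this list, change them to "as a guideline" and "APIs".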
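Review bot: In the ex-10/readme.md outline hunk, the first entry becomes `* [1. The Scenario](doc/0_the_scenario.md)` while the file is numbered 0 and no other entry carries a number; either number every entry to match the new 0_ to 7_ file prefixes or drop the "1." so the list stays consistent with the ex-11/readme.md outline, which is left unnumbered.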
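Review bot: In the ex-11/doc/7_security_considerations.md hunk, the tool name is written "Zap" whereas the ex-10 hunk in the same patch uses "ZAP"; use the project's own capitalisation in both places, and since the block is being edited, the next context line "For NodeJS i recommend" should read "I recommend".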