
Advanced API Security with Spring Security OAuth

baeldung
March 04, 2016

The structure of this presentation focuses on the following:
- An intro to Security Tokens
- Understand OAuth2
- An OAuth implementation for a REST API with Spring Security
- How to consume the secured API from a JS client
- Understanding security threats in OAuth


Transcript

  1. Advanced API Security - Workshop
     HI
     - My name is Eugen Paraschiv
     - I've been running Baeldung for almost 5 years
     - And I've written quite a few OAuth implementations

  2. WORKSHOP GOAL
     - Get you comfortable with OAuth at a high level and get you started implementing it cleanly with Spring Security
  3-6. AGENDA
     - An intro to Security Tokens
     - Understand OAuth2
     - An OAuth implementation for a REST API with Spring Security
     - How to consume the secured API from a JS client
     - Understanding security threats
  7. OPEN QUESTION TIME
     Have you ever used OAuth to secure a system before?

  8. I. Security Tokens
  9-11. SECURITY TOKENS
     - The history of Security Tokens
     - The structure of a Security Token
     - JSON Web Tokens (JWT)
  12-14. THE HISTORY OF SECURITY TOKENS
     - SAML
       - XML based
       - Lots of encryption and signature options
     - Simple Web Token
       - Form / URL encoded
       - Symmetric signatures only
     - JSON Web Tokens (JWT)
       - JSON encoded
       - Symmetric and asymmetric signatures
       - Symmetric and asymmetric encryption
  15-16. THE STRUCTURE OF A SECURITY TOKEN
     - A Security Token contains information about:
       - The Issuer
       - The Recipient
       - The Subject
       - An Expiration Time (usually)
     - Tokens are typically signed (symmetrically or asymmetrically)
  17-18. JWT
     - The simple, high-level structure of a JWT token is: [header].[payload].[signature]
     - It's self-contained

  19. JWT EXAMPLE
     eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

  20. JWT HEADER EXAMPLE
     {
       "alg": "HS256",
       "typ": "JWT"
     }

  21. JWT PAYLOAD EXAMPLE
     {
       "iss": "scotch.io",
       "exp": 1300819380,
       "name": "Chris Sevilleja",
       "admin": true
     }

  22. JWT SIGNATURE
     - The Signature is computed over:
       - The Header (Base64 URL encoded)
       - The Payload (Base64 URL encoded)
     - using a Secret
  23. PLAY TIME
     Let's hit a real Authorization Server

  24. STOP - Q&A Time

  25. II. What is OAuth2?

  26-28. OAUTH2
     - OAuth2 is an Authorization protocol
     - A client can get limited access without asking for the master key
     - A strong reason for OAuth2: mobile
  29-33. THE OAUTH ACTORS (diagram)
     Actors: Client, Resource Owner, Authorization Server, Resource Server
     - The Resource Owner owns a Resource
     - The Client uses the Resource
     - The Resource Server trusts the Authorization Server
     - The Client registers with the Authorization Server
     - The Authorization Server issues the access token
  34-37. OAUTH2 FLOWS
     - Authorization Code Flow
     - Implicit Flow
     - Resource Owner Password Credentials Flow
     - Client Credentials Flow

  38. STOP - Q&A Time

  39. IMPLEMENTATION - SCENARIO 1
     A minimal OAuth2 setup
  40. SPRING SECURITY OAUTH
     <dependency>
         <groupId>org.springframework.security.oauth</groupId>
         <artifactId>spring-security-oauth2</artifactId>
         <version>2.0.8.RELEASE</version>
     </dependency>

  41-43. THE AUTHORIZATION SERVER
     import org.springframework.boot.SpringApplication;
     import org.springframework.boot.autoconfigure.SpringBootApplication;
     import org.springframework.security.oauth2.config.annotation.web.configuration.EnableAuthorizationServer;
     import org.springframework.web.servlet.config.annotation.WebMvcConfigurerAdapter;

     // @EnableAuthorizationServer exposes the /oauth/token and /oauth/authorize endpoints
     @SpringBootApplication
     @EnableAuthorizationServer
     public class AuthServer extends WebMvcConfigurerAdapter {
         public static void main(String[] args) {
             SpringApplication.run(AuthServer.class, args);
         }
     }

  44. AUTH SERVER - application.properties
     ...
     security.oauth2.client.clientId: sampleClientId
     security.oauth2.client.clientSecret: set_your_secret
     security.oauth2.client.authorized-grant-types: password
     security.oauth2.client.scope: read

  45. AUTH SERVER - JAVA CONFIG
     // same registration as the properties above, done in code; note the client id has no surrounding spaces
     @Override
     public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
         clients
             // … (client store setup elided on the slide)
             .withClient("sampleClientId")
             .secret("set_your_secret")
             .authorizedGrantTypes("password")
             .scopes("read");
     }

  46. RUN THE AUTH SERVER (BOOT)
     ...
     server.port=8081
     security.user.password=password
     server.contextPath=/auth
     ...

  47. THE RESOURCE SERVER
     import org.springframework.boot.SpringApplication;
     import org.springframework.boot.autoconfigure.SpringBootApplication;
     import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
     import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

     // @EnableResourceServer adds the filter that validates the Bearer token on incoming requests
     @SpringBootApplication
     @EnableResourceServer
     public class ResourceApplication extends ResourceServerConfigurerAdapter {
         public static void main(String[] args) {
             SpringApplication.run(ResourceApplication.class, args);
         }
     }
  48. PLAY TIME
     Let's now get an Access Token and consume the REST API with it

  49. IMPLEMENTATION - SCENARIO 2
     Let's now switch from standard tokens to JWT
  50. AUTH SERVER - JWT
     <dependency>
         <groupId>org.springframework.security</groupId>
         <artifactId>spring-security-jwt</artifactId>
     </dependency>

  51-53. AUTH SERVER - JWT
     // the converter signs issued tokens (and verifies presented ones) with the shared signing key
     @Bean
     public JwtAccessTokenConverter accessTokenConverter() {
         JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
         converter.setSigningKey(signingKey);
         return converter;
     }

     // JwtTokenStore persists nothing: the signed token itself is the store
     @Bean
     public TokenStore tokenStore() {
         return new JwtTokenStore(accessTokenConverter());
     }

     @Bean
     @Primary
     public DefaultTokenServices tokenServices() {
         DefaultTokenServices tokenServices = new DefaultTokenServices();
         tokenServices.setTokenStore(tokenStore());
         return tokenServices;
     }

     @Override
     public void configure(AuthorizationServerEndpointsConfigurer conf) {
         conf.tokenStore(tokenStore())
             // POST is the default; allowing GET as well puts client credentials and user passwords into URLs and access logs
             .allowedTokenEndpointRequestMethods(HttpMethod.GET, HttpMethod.POST)
             .accessTokenConverter(accessTokenConverter());
     }

  54-55. RESOURCE SERVER - JWT
     // same converter and same signing key as the Authorization Server, so the Resource Server verifies the JWT locally
     @Bean
     public JwtAccessTokenConverter accessTokenConverter() {
         JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
         converter.setSigningKey(signingKey);
         return converter;
     }

     @Bean
     public TokenStore tokenStore() { … }

     @Bean
     @Primary
     public DefaultTokenServices tokenServices() { … }

     @Override
     public void configure(ResourceServerSecurityConfigurer config) {
         config.tokenServices(tokenServices());
     }
  56. PLAY TIME
     Let's now get an Access Token and consume the REST API with it

  57. IMPLEMENTATION - SCENARIO 3
     Introducing Refresh Tokens

  58-59. AUTH SERVER - REFRESH TOKEN
     @Override
     public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
         clients
             // …
             .authorizedGrantTypes("password", "refresh_token")
             .refreshTokenValiditySeconds(2592000); // 30 days
     }

     @Bean
     public DefaultTokenServices tokenServices() {
         // …
         tokenServices.setSupportRefreshToken(true);
         return tokenServices;
     }

  60. PLAY TIME
     Let's see the new Refresh Token in action

  61. STOP - Q&A Time
  62-64. GRANULAR AUTHORIZATION WITH OAUTH
     - Using User Authorities is an OK option for authorization
     - Scopes are also a good option to drive granular authorization
     - In the Password Flow, scopes can be complex to implement

  65. STOP - Q&A Time

  66. The Client Side
     IV. Token Storage in the Browser
  67-69. STORING THE ACCESS TOKEN
     - The Access Token
       - stored by the JS using a Cookie
       - short lived: 2 minutes
       - the cookie does not drive authentication
       - it's only used for storage

  70-75. THE CLIENT - ACCESS TOKEN
     // AngularJS: POST the password-grant parameters to the token endpoint
     var req = {
         method: 'POST',
         url: "oauth/token",
         headers: {"Content-type": "application/x-www-form-urlencoded"},
         data: $httpParamSerializer(params)
     };

     $http(req).then(function(data) {
         // success: send the token as a Bearer header on every subsequent request
         $http.defaults.headers.common.Authorization = 'Bearer ' + data.data.access_token;

         // save the Access Token in a cookie that expires together with the token
         var expireDate = new Date(new Date().getTime() + (1000 * data.data.expires_in));
         $cookies.put("access_token", data.data.access_token, {'expires': expireDate});

         window.location.href = "index";
     }, function() {
         console.log("error");
         window.location.href = "login";
     });

  76. The Refresh Token
  77-80. THE REFRESH TOKEN - IN A COOKIE
     - The Cookie is Secure (HTTPS only, so it is not exposed to network sniffing)
     - The Cookie is HttpOnly (not readable from JS, so an XSS cannot steal it)
     - The Cookie has a very specific path (/oauth/path)
     - /oauth/path has CSRF protection

  81-83. HOW DO WE WORK WITH THE COOKIE?
     - By default, the Refresh Token is returned with the Access Token JSON
     - We will intercept that Request <-> Response and make changes
     - We'll use the Zuul Proxy to make the changes on the Request / Response

  84-85. OBTAINING THE TOKENS - THE RESPONSE
     - When we obtain an Access Token, we also receive the Refresh Token
     - The Proxy will get the value from the JSON Body and set it in the Cookie

  86-88. REFRESHING THE ACCESS TOKEN
     - When we refresh the Access Token, the Cookie will be sent by the Browser
     - The Proxy will get the Refresh Token value from the Cookie
     - And it will add it as a parameter on the Request

  89. THE CLIENT - DOING REFRESH
     - The JS Client can now trigger a refresh of the token behind the scenes
     - The JS Client can also intercept a 401 Response and refresh the token
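Added example, not from the deck (which does this in a Zuul filter in Java): the two proxy rewrites of slides 81-88 as pure functions, so the response-side move of refresh_token into a Secure, HttpOnly, path-scoped cookie and the request-side copy from that cookie into the form parameter can be checked offline. The cookie name, the Max-Age derived from the refresh token validity, the /oauth/token path and the sample token response are all constructed assumptions.

```javascript
// Proxy-side handling of the refresh token, modelled on slides 81-88 (Node.js).
const COOKIE_NAME = 'refresh_token';   // assumed cookie name
const TOKEN_PATH = '/oauth/token';     // the only path the cookie is scoped to

// Response direction: strip refresh_token from the JSON the auth server returned and
// emit it as a cookie the browser will only send back to the token endpoint.
function rewriteTokenResponse(body, refreshValiditySeconds) {
  const json = JSON.parse(body);
  if (!json.refresh_token) return { body, setCookie: null };
  const { refresh_token, ...rest } = json;
  const cookie = [
    COOKIE_NAME + '=' + encodeURIComponent(refresh_token),
    'Path=' + TOKEN_PATH,
    'Max-Age=' + refreshValiditySeconds,   // assumed: cookie lifetime = refreshTokenValiditySeconds
    'Secure',
    'HttpOnly',
  ].join('; ');
  return { body: JSON.stringify(rest), setCookie: cookie };
}

// Parse a Cookie request header into a name -> value map.
function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx > 0) out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Request direction: on grant_type=refresh_token at the token endpoint, take the value
// from the cookie the browser attached and put it into the form parameter the auth
// server expects. A refresh_token the client supplied itself is overwritten, so the
// HttpOnly cookie stays the only source; other paths are passed through untouched.
function rewriteRefreshRequest(path, cookieHeader, formParams) {
  if (path !== TOKEN_PATH || formParams.grant_type !== 'refresh_token') {
    return { params: formParams, applied: false };
  }
  const cookies = parseCookies(cookieHeader);
  if (!cookies[COOKIE_NAME]) return { params: formParams, applied: false, error: 'no refresh cookie' };
  return { params: { ...formParams, refresh_token: cookies[COOKIE_NAME] }, applied: true };
}

// Constructed sample: what the Scenario 3 auth server returns before the proxy touches it.
const SAMPLE_RESPONSE = JSON.stringify({
  access_token: 'at-example', token_type: 'bearer', refresh_token: 'rt-example-value',
  expires_in: 120, scope: 'read',
});

module.exports = { rewriteTokenResponse, rewriteRefreshRequest, parseCookies, SAMPLE_RESPONSE };
```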
  90. STOP - Q&A Time

  91. THE OAUTH2 THREAT MODEL
     V. Let's explore some security attacks

  92-95. CSRF VULNERABILITY?
     - We are not using Cookies to drive authentication
     - We are not using Cookies to drive authentication (mostly)
     - The Refresh Token is using a Cookie on /oauth/token
     - So we need CSRF protection on /oauth/token only

  96-99. HOW CSRF WORKS
     - The Browser sends security information implicitly
     - So any site can send a request to our API
     - And because the browser is indeed authenticated with our API
     - That request will be valid and will go through

  100-104. SOLUTIONS
     - We check the Referer header of the Request (Weak)
     - We check the Origin header of the Request (Better)
     - We use the Synchronizer Token Pattern to stop CSRF attacks
  105-106. REPLAY ATTACKS
     - Use HTTPS only
     - Sign requests and use nonces and timestamps to uniquely identify requests

  107-108. ACCESS TOKEN PHISHING
     - This attack is orchestrated with a counterfeit Resource Server
     - The endpoint URL of the Resource Server should be hard set in the Client

  109. STOP - Q&A Time

  110-114. OTHER POINTS TO HIT ON
     - Authentication in OAuth2 (OpenID Connect)
     - How do we revoke Tokens
     - Encrypting tokens in the browser
     - Protecting the Login against CSRF Attacks
     - How exactly do we do granular authorization?
  115-121. ADVANCED API SECURITY
     "CQRS and Event Sourcing With Spring Boot" - 2 Hour Workshop (129$)
     - Separate Reads from Writes in a Spring API using CQRS
     - Implement our Event Store and persist raw JSON events
     - Go from Commands to Events with a Spring 4.2+ impl
     - Project Events into useful, eventually-consistent views
     - Leverage Polyglot Persistence for our Projections
     - Discuss transactional semantics across Projections
     - Deal with Eventual Consistency from the client side

  122-125. ADVANCED API SECURITY
     "Advanced API Discoverability and HATEOAS" - 2 Hour Workshop (99$)
     - Use Spring HATEOAS for dynamic link building
     - Return relations as full embedded Resources vs. Links
     - Implement fetch plans / field plans
     - Build a custom Media Type and why that's useful

  126. ADVANCED API SECURITY
     Workshop Bonus (next 48 hours): "All In One" Workshops: 124$ (50% Off)
     - "Advanced API Discoverability and HATEOAS"
     - "CQRS and Event Sourcing With Spring Boot"

  127. THANK YOU
     It's Q&A Time