This is a hands-on AppSec fundamentals workshop where we explore protecting API's and Web apps. We look at authentication (authn), authorization (authz) and friends. This version of the workshop is the Codespaces edition. Using you browser we run all exercises in a all inclusive virtual environment.

In the workshop participant will get to know key technologies such as OAuth2, OpenID Connect (OIDC) and Microsoft Entra ID. Our journey will take us from the rfc specifications, to manual request, to coding, to using frameworks, to debugging and to testing. After the workshop participants should have a pretty good understanding of the mechanics behind the scenes as well as relevant security/privacy concerns.

• The workshop level is intermediate/advanced.
• The workshop is usually executed as a virtual session (using MS Teams or similar)
• The workshop will be organized as 2 full days sessions
• It recommended that more than one person participate from a team.
• During the workshop we expect to spark a high number of relevant discussions. These discussion should naturally continue in the teams after the workshop.

• Intro, objectives
• What problem are we trying to solve?
• The basics of Authentication and Authorization (part 1)
• OAuth2 Code Grant Raw Style
• Getting access tokens using code
• The basics of Authentication and Authorization (part 2)
• Exploring Scope
• Exploring Frameworks for Authentication and Authorization
• Exploring Sessions and session management
• Exploring Common authorization scenarios in Equinor
• Exploring Refresh tokens
• Exploring The Implicit grant for Native, Mobile, SPA
• Exploring PKCE for Native, Mobile, SPA
• Exploring Web API's protection
• Exploring Web API chaining scenarios (OBO)

1. Authorization Code Grant Raw Style
2. Getting an access token using code
3. Scope
4. Using Auth Frameworks
5. Sessions
6. Common Authorization Scenarios
7. Refresh tokens
8. Implicit grant
9. Auth Code Grant with PKCE
10. Protecting Web Api's
11. Protecting Web Api's O-B-O

Most of the topics and exercises have documentation as part of the exercise. We use a slide deck for some parts. The docs/readme shows you how to load the docs in your local environment. Slides are also served using Github Pages at https://equinor.github.io/appsec-fundamentals-authn-authz-cs

• Frequently Asked Questions

To enable a good flow and outcome of the workshop it is vital to come prepared. Preparations and pre-requisites are defined in Support/workshop_preparations

Some of the material in the workshop may not make sense for all environments and may be a bit specific for Equinor. We have marked this with a ⚡️ which indicate that it most likely will have to be adapted to your context.