Access control for REST services

Workshop on authenticating and authorizing users for REST services

workshop, 150 min


REST services are very popular. Unfortunately, many are not secure.
In this session, we identify access control requirements for a range of application types and discuss how these can be delivered with current standards and tools. The presentation is interactive; we discuss the trade-offs when implementing typical requirements.
Role-Based Access Control (RBAC) is probably still the dominant access control model. However, this is shifting to Attribute-Based Access Control (ABAC). Authentication (authN) and authorization (authZ) standards in the REST ecosystem such as OAuth and OpenID Connect (OIDC) have been designed to enable ABAC.
OpenID Providers authenticate end users and issue a security token called an ID Token, containing a set of claims about the attributes of the caller. We will be dissecting the OpenID Connect ID Tokens, encoded as JSON Web Tokens (JWT).
Even though OIDC and OAuth are supplanting older authN/Z standards for web services such as SAML (Security Assertion Markup Language) and XACML (eXtensible Access Control Markup Language), they will have to co-exist for a long time. Many components offering OIDC or OAuth interfaces also work with SAML or XACML, which define interesting roles such as Identity Provider (IdP), Policy Enforcement Point (PEP) and Policy Decision Point (PDP). So it is natural to ask whether these roles are relevant in a REST architecture as well and, if so, how they map onto OIDC and OAuth roles.
A laptop with Postman or other REST client would be useful, so that you can request, dissect and submit JWTs yourself.
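The following is an added example, not code from the workshop or from the REST-IAM-demo repository, showing what "dissecting" an ID Token amounts to on the relying-party side and how its claims feed an attribute-based decision. To keep it self-contained it stands in for the OpenID Provider with an HS256 (HMAC) signature and a constructed shared secret, where a real provider would normally sign with an asymmetric key published at its JWKS endpoint; the issuer URL, client id, and the name of the roles claim are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example only (not from the workshop demo).
DEMO_ISSUER = "https://op.example.invalid"
DEMO_CLIENT_ID = "demo-rest-client"
DEMO_HMAC_KEY = b"constructed-shared-secret-for-demo-only"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def mint_id_token(claims: dict, key: bytes = DEMO_HMAC_KEY) -> str:
    """Issue an HS256-signed JWT; stands in for the OpenID Provider here."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def dissect(token: str):
    """Split a compact JWT into decoded header, decoded claims and raw signature bytes."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims, b64url_decode(parts[2])


def validate_id_token(token: str, key: bytes = DEMO_HMAC_KEY, now=None) -> dict:
    """Return the claims if the ID Token is acceptable for this client, else raise ValueError."""
    now = time.time() if now is None else now
    header, claims, signature = dissect(token)

    # 1. The verifier, not the token header, decides which algorithm is acceptable.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")

    # 2. Recompute the MAC over header.payload and compare in constant time.
    signing_input = token.rsplit(".", 1)[0].encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("signature mismatch")

    # 3. Claim checks OpenID Connect Core requires of an ID Token consumer.
    if claims.get("iss") != DEMO_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if DEMO_CLIENT_ID not in aud:
        raise ValueError("token not intended for this client")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    if "sub" not in claims:
        raise ValueError("no subject")
    return claims


def allow_order_refund(claims: dict, order_owner: str) -> bool:
    """ABAC-style decision over the validated claims: the caller is the order's owner
    with a verified email, or carries 'support' in an assumed 'roles' claim."""
    verified_owner = claims.get("sub") == order_owner and claims.get("email_verified") is True
    return verified_owner or "support" in claims.get("roles", [])


if __name__ == "__main__":
    # Constructed claim set for a fictional end user.
    token = mint_id_token({"iss": DEMO_ISSUER, "aud": DEMO_CLIENT_ID, "sub": "alice",
                           "iat": int(time.time()), "exp": int(time.time()) + 300,
                           "email_verified": True})
    print(json.dumps(dissect(token)[1], indent=2))
    print("refund allowed for alice's order:", allow_order_refund(validate_id_token(token), "alice"))
```

The order of checks matters: the algorithm is pinned before the signature is examined, the signature is verified before any claim is trusted, and only then do `iss`, `aud` and `exp` decide whether the token was meant for this client at this time. The authorization function at the end illustrates the RBAC-to-ABAC shift mentioned above: the decision combines a role-like claim with other attributes of the caller and of the resource.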

Audience background

Target audience: developers and architects with an understanding of web technologies.

Benefits of participating

understand practical approaches to REST service authN/Z
appreciate the limitations of the current technology
anticipate future developments

Materials provided

demo services


I intend to run the session as a design meeting. We discuss requirements for authN/Z architectures, trade-offs to be made and practical solutions.

Detailed timetable

00:00 - 00:15 welcome and intro
00:15 - 00:25 functional demo
00:25 - 00:50 interactive presentation on architectural patterns
00:50 - 01:20 interactive presentation on relevant standards
01:20 - 01:30 interactive presentation on user authentication (IdP)
01:30 - 01:40 user authN demo
01:40 - 01:50 interactive presentation on client registration and authentication
01:50 - 02:00 interactive presentation on coarse and fine-grained authZ (API GW)
02:00 - 02:10 authZ demo
02:10 - 02:30 wrap-up


Demonstrator: https://github.com/JohanPeeters/REST-IAM-demo
Slides: https://docs.google.com/presentation/d/1DmVlveGKba0KNki_U-2cbLmBQQxcYHvvqW4lcmWa7xM/pub?start=false&loop=false&delayms=3000&slide=id.p


The session has been accepted at SecAppDev (March 2017) and at I T.A.K.E. (May 2017).


  1. Johan Peeters
    Johan Peeters bvba