Synopsys Software Integrity Group is now operating as Black Duck Software, Inc., a subsidiary of Synopsys. Click to learn more.

close search bar

Sorry, not available in this language yet

close language selection

Securely Granting Access to an API Using OAuth 2.0

Course Description

Modern web applications are often backed by an API. These APIs depend on OAuth 2.0 to implement access control. Since OAuth 2.0 is a delegation framework, implementing access control is not as simple as it seems. In this course, we look at the architecture of a back-end application using OAuth 2.0, and investigate the security properties of various kinds of access tokens. We also look at the importance of token introspection, and how to use that data to make access control decisions.

Learning Objectives

  • Understand the difference between the types of access tokens
  • Understand the role of a token introspection endpoint 
  • Define a custom set of scopes for fine-grained access control
  • Secure access to an API using OAuth 2.0
  • Avoid common pitfalls when designing OAuth 2.0-based security architectures

Details

Delivery: eLearning

Duration: 1 hour 30 minutes

Level: Intermediate

Intended Audience

  • Architects
  • Back-End Developers
  • Enterprise Developers

Prerequisites

Course Outline

Introduction

  • Examples of Protected Resources
  • The Complexity of OAuth 2.0

Authentication, Authorization, and OAuth 2.0

  • API Security Based on OAuth 2.0
  • The Relationship Between Authentication, Authorization, and OAuth 2.0
  • Current Best Practice OAuth 2.0 Flows

Different Access Token Types

  • Different Types of Access Tokens
  • Reference Tokens
  • Self-Contained Tokens
  • Considerations for Choosing a Token Type

Handling Incoming Access Tokens

  • Getting the Access Token from the Request
  • Introspecting Reference Tokens
  • Verifying Self-Contained Tokens
  • Security Considerations

Restricting Access Using Well-Defined Scopes

  • The Purpose of Scopes
  • Using Scopes for Authorization
  • Practical Use of Scopes

Implementing Access Control Using OAuth 2.0

  • Requiring Authorization on API Endpoints
  • Getting the Access Token
  • Differentiating Between Token Types
  • Handling Self-Contained Tokens
  • Handling Reference Tokens
  • Putting It All Together
  • Checking Access Token Scopes
  • Making Object-Level Authorization Decisions

Token Handling Pitfalls and Best Practices

  • The Purpose of Tokens
  • Custom Token Claims
  • Roles and Permissions in Tokens

More Advanced Topics

Training

Developer Security Training

Equip development teams with the skills and education to write secure code and fix issues faster