A general introduction to "modern" Web Authentication (OpenID Connect) and Authorization (OAuth2) and stuff

hnformentin/WebAuthAuthorAndOtherCreatures

 
 

A Hands-On Introduction to modern web based A&A

The workshop slides are published at https://larskaare.github.io/WebAuthAuthorAndOtherCreatures/. The slides are developed using reveal.js.

Workshop objectives

De-mystify, build confidence and prepare for further exploration of Authentication and Authorization.

  • Give an introduction to the basics of modern web A&A
  • Explore Spec and Azure Implementation
  • Hands-on coding with a few A&A scenarios
  • Insight into threats and current best practices (BCP) for security

Workshop outline

  • What problem are we trying to solve?
  • Practicalities
  • The basics of A&A
  • Exercises (8+1)
    • Raw flows, adding authentication to a web app, using frameworks & libraries, accessing a 3rd party API, refresh tokens, single page web app (SPA), protecting web APIs
  • Deploy application to the Cloud (using Radix)

Pre-requisites

These are the pre-requisites that will make the workshop a whole lot more useful.

Roles

  • Valid Equinor Software Developer On-Boarding
  • Valid role "Application Developer (Azure Active Directory)"
  • Optional for deploy to cloud exercise: Access to Radix Playground - role "Radix Playground Users"

Skills

Helpful knowledge and skills:

  • HTTP
  • JavaScript/Node.js
  • Linux command line
  • (Docker)

Software

Software that is installed and verified to work.

  • Node.js
    • Use Node LTS version v12.16.3
    • Using node version manager nvm is recommended on Linux/Mac. For Windows users nvm-windows could be an option.
    • Python may be needed for some node modules to install
  • Development IDE (like Visual Studio Code)
  • Git, account on github.com
  • Postman
  • Optional for deploy to cloud
    • Local Docker installation

Considerations when using Windows

Shell

Most things should work OK with cmd or PowerShell, with a few limitations. I've tested using git-bash, which is part of Git for Windows.

Known issues

  • Be aware of how to define environment variables: set for Windows, export for Bash/Linux
  • Define proxy variables if needed:
  HTTP_PROXY=http://url:port
  HTTPS_PROXY=http://url:port
  • npm is a bit quirky when it comes to running scripts. Running npm start may fail, but copying the command from package.json and running it from the terminal works for most scenarios. Configuring npm to use a different shell (npm config set script-shell) could be an option to explore.
  • Using Docker Desktop for Windows should work fine. Remember to define proxy settings if you are behind a proxy. Update ~/.docker/config.json with something like this (update url and port to reflect your context):
{"proxies":
  {
    "default":
      {
        "httpProxy": "http://url:port",
        "httpsProxy": "http://url:port",
        "noProxy": ""
      }
  }
}

Verifying working environment

$ git --version
git version 2.24.3

Should show an up-to-date version of Git

$ node --version
v12.16.3

Should show an up-to-date LTS version of Node.js

$ npm --version
6.14.4

npm is installed with Node.js

$ python --version
Python 2.7.16

Should show a relevant 2.7 version of Python 2

$ docker --version
Docker version 19.03.8

Should show an up-to-date version of Docker

Please verify that the tools work properly within your network environment. Typical problems would be related to PROXY settings.
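
A preflight script that runs the checks above in one pass and also flags proxy variables still holding the url:port placeholder. It is an added example, not part of the workshop repository. The expected major versions come from the sample output on this page; the function names and the OK/MISSING/MISMATCH labels are assumptions of this example.

```shell
#!/bin/sh
# Preflight check for the workshop prerequisites (added example).
# Expected major versions come from the sample output on this page.

# major_of TEXT: print the major version found in "<tool> --version" output,
# e.g. "git version 2.24.3" -> 2, "v12.16.3" -> 12.
major_of() {
  printf '%s\n' "$1" | sed -n '1s/^[^0-9]*\([0-9][0-9]*\).*/\1/p'
}

# check_tool NAME EXPECTED_MAJOR
# Returns 0 = expected major version, 1 = other version, 2 = not on PATH.
check_tool() {
  if ! command -v "$1" >/dev/null 2>&1; then
    echo "MISSING  $1"; return 2
  fi
  _out=$("$1" --version 2>&1 | head -n 1)   # Python 2 prints to stderr
  if [ "$(major_of "$_out")" = "$2" ]; then
    echo "OK       $1 ($_out)"; return 0
  fi
  echo "MISMATCH $1: expected major version $2, got '$_out'"; return 1
}

# proxy_ok VALUE: 0 if VALUE has the scheme://host:port form with a numeric
# port, so an unedited "http://url:port" placeholder is rejected.
proxy_ok() {
  case "$1" in
    http://*:*[0-9]|http://*:*[0-9]/) return 0 ;;
    https://*:*[0-9]|https://*:*[0-9]/) return 0 ;;
    *) return 1 ;;
  esac
}

# preflight: report on every tool and both proxy variables; never aborts.
preflight() {
  check_tool git 2
  check_tool node 12
  check_tool npm 6
  check_tool python 2
  check_tool docker 19      # optional: deploy-to-cloud exercise only
  for _v in HTTP_PROXY HTTPS_PROXY; do
    eval "_val=\${$_v:-}"
    if [ -z "$_val" ]; then echo "UNSET    $_v (fine when not behind a proxy)"
    elif proxy_ok "$_val"; then echo "OK       $_v is set"
    else echo "SUSPECT  $_v does not look like http://host:port"
    fi
  done
  return 0
}

preflight || true
```

Run it from the same shell you will use in the workshop (git-bash on Windows), since that is the environment whose PATH and proxy variables matter.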
