- A Hands-On Introduction to modern web based A&A
Workshop is slides is published at https://larskaare.github.io/WebAuthAuthorAndOtherCreatures/. Slides are developed using reveal.js
De-mystify, build confidence and prepare for further exploration of Authentication and Authorization.
Highlights
- Give an introduction to the basics of modern web A&A
- Explore RFC (specs) and Azure Implementation
- Code a few A&A scenarios
- Insights into threats and security best current practices (BCP)
- What problem are we trying to solve?
- Practicalities
- The basics of A&A
- Exercises (10+1)
- Raw flows, add authentication to web app, using frameworks & libraries, accessing 3rd party api, refresh tokens, single page web app (SPA), PKCE, protecting web api's, chaining requests (on-behalf-of)
- Deploy application to the Cloud (using Radix)
These are the pre-requisites that will make the workshop a whole lot more useful. Verify your development environment (by using the section below) prior to joining the workshop
- Valid Equinor Software Developer On-Boarding
- Valid role "Application Developer (Azure Active Directory)
- Optional: for deploy to cloud exercise: Access to Radix Playground - role "Radix Playground Users"
Helpful knowledge and skills:
- HTTP
- JavaScript/Node.js
- Linux command line
- Optional: Docker
Installed and verified to work software.
- Node.js
- Use Node LTS version v12.16.3
- Using node version manager nvm is recommended on Linux/Mac. For Windows users nvm-windows could be an option.
- Python may be needed for some node modules to install
- Development IDE (like Visual Studio Code)
- Git, account on github.com
- Postman
- Optional for deploy to cloud
- Local Docker installation
Most things should work ok with the cmd or powershell - with a few limitations. I've tested with using git-bash which is part of Git for Windows
- Be aware of how to export environment variables,
setfor Windows,exportfor Bash/Linux - Define proxy variables if needed:
HTTP_PROXY=http://url:port
HTTPS_PROXY=http://url:portnpmis a bit quicky when it comes to running scripts. Doingnpm startmay fail, but copying the command frompackage.jsonand running from the terminal works for most scenarios. Configuring NPM to use a different shell could be an optionnpm config set shell-scriptcould be an option to explore.- Using Docker Desktop for Windows should work fine. Remeber to define proxy settings if your beind one of these. Update the
~/.docker/config.jsonwith something like this (updateurlandportto reflect your context):
{"proxies":
{
"default":
{
"httpProxy": "http://url:port",
"httpsProxy": "http://url:port",
"noProxy": ""
}
}
}Please verify that the tools work properly within your network environment. Typical problems would be related to PROXY settings.
$ git --version
git version 2.24.3Should produce proof of an up to date version of git Git
$ node --version
v12.16.3Should produce proof of an up to date LTS version of NodeJS
$ npm --version
6.14.4Npm is installed with NodeJS
$ python --version
Python 2.7.16Should produce proof of a relevant 2.7 version of Python2
$ docker --version
Docker version 19.03.8Should produce evidence of an update to date version of docker Docker
To verify your working environment I recommend testing the hello app. Use the following procdure
- Clone this repository
- Open a terminal and "cd" into the "ex-0" folder
- Executing "npm install" should install dependencies with no fatal errors.
- Executing "npm start" should provide the name of a Taco recipie with no fatal errors
- Optional: Executing "docker build -t hello ." should build a docker image with no fatal errors
- Optional: Executing "docker run hello" should provide the name of a Taco recipie with no fatal errors
The ./docker-compose.yaml contains everything we need to run a development environment.
You will want to use 2-3 terminal sessions ("tabs") for this as it is easier to see what is going on where.
Step 1: Create the workshop config file for docker-compose
Copy the template file workshop-credentials.env-template and rename the copy to workshop-credentials.env, then provide the missing values. (Verify that new .env this file is kept out of version control)
Step 2: Start the development container
docker-compose up --buildNotes for windows users:
- If you are using WSL1:
Start docker-compose in windows
cmdas this will use the native windows docker client that will handle path translation for you. - If you are using WSL2
You are in a happy place, stay there.
# Open a bash session into the development container
docker exec -it workshop_development_container bash
# From inside the container you can then run any npm command.
# Example - Exercise 2
# First install all packages for exercise 2
cd ex-2
npm install
# Then start the nodejs application
npm start# Bring up your IDE and start hacking away.
# Please note that template files will not be hot reloaded, see "Notes" down below
code .
# Run git commands etc
git statusStop and remove all started containers and networks
docker-compose downYou can always bomb out using ctrl+c and similar in the session where docker-compose is running, the drawback is that there will be leftovers from the docker-compose process.
By using command docker-compose down you will get a clean exit.
Optionally you can provide even more arguments to specify what should be cleaned up for more advanced use cases.