Don't Lose Sleep, Secure Your REST
Offered By: PHP UK Conference via YouTube
Course Description
Overview
Learn how to secure your REST API using proven standards implemented by OAuth 2.0 and OpenID Connect in this PHP UK Conference talk. Explore JSON Object Signing and Encryption (JOSE) as the core of a secure standards-based REST API. Discover the components of JOSE, including JSON Web Token (JWT), JSON Web Signature (JWS), and JSON Web Encryption (JWE). Understand key concepts such as cryptography, hierarchical authentication, key rotation, request authorization, and response validation. Gain insights into implementing private claims, timestamp and duration checks, and encrypted data with JWE. Follow along with practical examples of JWT headers, request representations, and response claims to enhance your API security knowledge.
Syllabus
Intro
Auth and Crypto Was Messy
Why Was It A Big Deal?
Cryptography
The Bad — Usability
What Was Missing
What Changed?
The Good — Decoupling
The Good — OSS Libraries
The Good — Hierarchical Auth
What is JOSE?
JSON Web Token (JWT)
JSON Web Signature (JWS)
JSON Web Encryption (JWE)
JSON Web Algorithm
JSON Web Key
Request Example Representation
JWT Header Example
Key Rotation
Request Authorization
Private Request Claims
Hierarchical Credentials
Timestamp and Duration
Request Validation
Private Response Claims
Response Example Representation
JWT Response Claims Example
Response Validation
Encrypted Data with JWE
JWE Header Example
Conclusion
If You Want To Follow Up
Taught by
PHP UK Conference
Related Courses
Applied Cryptography (University of Virginia via Udacity)
Cryptography II (Stanford University via Coursera)
Coding the Matrix: Linear Algebra through Computer Science Applications (Brown University via Coursera)
Cryptography I (Stanford University via Coursera)
Unpredictable? Randomness, Chance and Free Will (National University of Singapore via Coursera)