Coding Stephan

Cloud Identity Summit 2025

I heard about the Cloud Identity Summit, so I submitted a talk about testing API authentication. To my surprise, I was accepted to speak at this conference. It was on a topic that is well known to me, but I was able to share my hacking skills with the audience.

Welcome to Cloud Identity Summit 2025

Hack your protected API for integration testing

Thursday 11:00 to 11:50 in the Identity Security track. An hour-long session about testing API authentication and why it is important to do so. Here is the abstract:

You built this API for your new product and it is protected with tokens from Entra ID (or any other IDP). To truly test your API, you don’t want to disable the authentication part.

How do you actually run your (mandatory) integration tests without disabling authentication? Using a man-in-the-middle attack on your API, you can create tokens that, for the application, appear to be from Entra ID and actually get validated.

Do you want to run your integration tests on your API, without compromising the integrity of your API? Want to test if the role-based access control is working as expected?

Broken Access Control and Identification and Authentication Failures are both in the OWASP Top 10. Let’s make sure you don’t make these mistakes.

And while we are at it, I’ll show you how you can protect your API against these forged tokens.

Timing is important

At these conferences there is always a tight schedule; you don’t want to run out of time or finish 20 minutes early. My talk had a lot of demos, during which people could ask questions. We made this talk fit exactly in the 50 minutes even though there were a lot of questions and discussions during the talk.

Timing is important at Cloud Identity Summit 2025

Meeting people

As always, I had the pleasure of meeting a lot of awesome people, many of whom I’ve seen around at other conferences. The day before the event we had a tour of the German football museum, which was a lot of fun and very interesting, apart from the guide bashing The Netherlands for not winning as often. After the tour we had a nice dinner with all the speakers.

Speaker dinner at Cloud Identity Summit 2025

Red dot design museum

On my drive to Dortmund, I planned a detour to the Red Dot Design Museum in Essen, which is one of the biggest design museums in the world. I had a great time there, seeing all the different designs and learning about the history of design.

Cool lights

All iPhone models ever produced

Conclusion

We all should do better on security; it is not just for the security team anymore. Developers should also care about security, and testing your API authentication is a great way to start.