SlideShare une entreprise Scribd logo

Ember Authentication and Authorization with Torii

Cory Forsyth
Cory Forsyth

This document discusses authentication and authorization in Ember applications using the Torii library. It begins with an overview of authentication and authorization concepts. It then introduces Torii as a library that simplifies obtaining OAuth credentials from third-party providers and managing authentication state. The document provides examples of using Torii to handle the OAuth implicit grant flow, authorization code flow, and social login flows. It also discusses Torii's use of providers, adapters, and sessions to manage authentication.

Internet
1  sur  48
Télécharger pour lire hors ligne
Ember Auth* with Torii
Cory Forsyth @bantic
201 Created Consultants in NewYork City
Cory Forsyth @bantic
A tale of two Auths • What is authentication? • Who are you? • What is authorization? • What are you allowed to do?
Auth* • Authentication can imply authorization • Since you successfully logged in, you can use the system • Authorization may require authentication • Until I know who you are (authentication), I don’t know what you’re allowed to do
Auth* • Authentication and Authorization require context to be meaningful • You can authenticate with one site, but be unauthenticated in the context of another site • You can be authorized by a site to perform an action • You can authorize a client to perform an action for you
What is Torii? “A set of clean abstractions for authentication in Ember.js” Original work sponsored by
Torii a traditional Japanese gate that symbolically marks the transition from the profane to the sacred
Torii: • Designed to: • Make it simple to obtain authorization credentials from 3rd-party OAuth providers • Support use-cases beyond simply log-in • Provide simple building blocks for auth*, be flexible
Torii ♥ OAuth • Simplifying the process of obtaining OAuth credentials is Torii’s core goal // Set up: // Create OAuth app at <providerName>. // Modify ember-cli app config. // in app: this.get(‘torii').open(<providerName>) // torii magic happens .then(authData => { // use authData })
Torii ♥ OAuth// Set up: // Create OAuth app at <providerName>. // Modify ember-cli app config. // in app: this.get(‘torii').open(<providerName>) // torii magic happens .then(authData => { // use authData }) Use OAuth credentials to: • Connect user account to 3rd parties • Authenticate*, log in user
Torii Features • Other Torii features: • Session management • Router DSL for authenticated routes • Torii providers not limited to OAuth
Torii primitives • Providers (required) • Adapters (optional) • Session service (optional)
Torii Providers • Interface with OAuth provider or other service capable of providing auth* information • Manage the complexity of redirect-based OAuth flows • Some built-in providers: • Google, Facebook, Github, LinkedIn, Stripe
Torii Providers Methods: `open` Returns: promise Purpose obtain authorization or authentication credentials
Torii Adapters • Adapters • Process the authorization data from providers • E.g. Exchange OAuth credentials to authenticate user • E.g. Hit endpoint to get current user from user token • Persist authentication state • Must be used with the Torii session service
Torii Adapters Methods: `open` `fetch` `close` Returns: promise promise promise Purpose use provider’s auth* data to authenticate user, persist authn state determine if user is logged in sign user out, delete persisted authn state
Torii Session • Session service is injected onto routes and controllers • Is a state machine • Has `isAuthenticated`, `isWorking`, `currentUser` and some other properties
Torii Flows Examples Ember App code torii.open(‘google-oauth2-bearer’). .then(authData => { // authData contains access_token }); Provider uses app config info to open popup with correct URL, resolves promise with authData Adapter Not used Session Not used Your back-end server Not used Get access_token from Google via implicit grant
Torii Flows Examples Ember App code torii.open(‘google-oauth2’). .then(authData => { // authData has authorizationCode // POST code to back-end }).then(access_token => { … }); Provider uses app config info to open popup with correct URL, resolves promise with code Adapter Not used Session Not used Your back-end server Posts code (& client secret, etc) to google. Google responds with access_token. Back-end responds with access_token. Get access_token from Google via authorization code grant
Torii Flows Examples Ember App code session.open(‘google-oauth2’).then(() => { // session.isAuthenticated, // session.currentUser is present }) Provider same as previous google-oauth2 authorization code flow Adapter (user-created) torii google-oauth2 adapter’s `open` method is called with auth code. POSTs code to back-end, receives user data, stores user id in localStorage, resolves with user data Session Look up adapter by name (‘google-oauth2’). Call `provider.open`, pass result to `adapter.open` Store result of adapter.open on session Transition state to `isAuthenticated` Your back-end server Exchange code for access_token from google (same as previous flow) Make authorized request to google for user info. Use user info to log in. Respond with current user data. Social login with Google
OAuth a short intro
OAuth • An Authorization framework • Canonical example: • User wants to print photos • Photos are stored at my-pix.com • User grants authorization to print-me.com to access photos at my-pix.com • Solves the “share my password” anti-pattern
OAuth • 1.0: • Uses cryptographic signatures, server-to-server communication • 2.0: • Includes “implicit grant” (front-end only) flow • Includes “authorization code grant” flow • No signatures (encrypted https communication only) • Both: • redirection-based flows
OAuth Love Triangle Resource Owner (user) Resource / Authorization Server (my-pix.com) Client (print-me.com) visits1 directs browser to2 consent screen 3 redirects to, with authz in url 4
OAuth Love Triangle User e.g. Google+ your ember app visits1 opens popup to2 consent screen 3 redirects to, with authz in url 4
OAuth Love Triangle user e.g. Google+ your ember app visits1 opens popup to2 consent screen 3 redirects to, with authz in url 4 Torii Provider’s responsibility
Torii Provider 4 • “opens popup to” authorization endpoint • Torii builds URL: • Detects redirect from Ember App • reads params from window.location.hash • closes popup, resolves existing `open` promise user e.g. Google+ your ember app visits1 opens popup to2 consent screen 3 redirects to, with authz in url https://accounts.google.com/o/oauth2/auth ?scope=X&state=Y&client_id=Z… http://localhost:4200/#code=xyz http://localhost:4200/#access_token=xyz
Challenges of OAuth • OAuth 2.0 is vague — parameter names and responses vary between providers • Torii mitigates this by allowing providers to describe what parameters they use • Torii providers generate the correct URL for the popup • Maintaining state through url redirection is hard for SPAs • Torii uses a popup service and redirect handler so that your app code only sees a single promise resolving with the auth data
OAuth • From Torii Provider perspective, “implicit” and “authorization code” grant flows are same • Difference is: resulting value (code or access_token) • access_token: Used for API requests • code: Must be exchanged by back-end for `access_token`, not useful on its own • code may be exchanged for `refresh_token`
Torii Walk-Through: Implicit/Bearer Flow
Torii Flows Examples Ember App code torii.open(‘google-oauth2-bearer’). .then(authData => { // authData contains access_token }); Provider uses app config info to open popup with correct URL, resolves promise with authData Adapter Not used Session Not used Your back-end server Not used Get access_token from Google via implicit grant
Google+ access_token • Code: http://bit.ly/torii-demo-1 1. Create app w/ Google 2. Set up configuration for ‘google-oauth2-bearer’ provider 3. `torii.open(‘google-oauth2-bearer’).then( token.. )` • Possible next steps: • pass token to your back-end to use • use token to retrieve user or other info from API
Create app with Google http://bit.ly/torii-demo-1
Create OAuth2 Creds http://bit.ly/torii-demo-1
Create OAuth2 Creds Pt 2 http://bit.ly/torii-demo-1
Create OAuth2 Creds Pt 3 http://bit.ly/torii-demo-1
Torii Walk-Through: Authorization Code Flow
Torii Flows Examples Ember App code torii.open(‘google-oauth2’). .then(authData => { // authData has authorizationCode // POST code to back-end }).then(access_token => { … }); Provider uses app config info to open popup with correct URL, resolves promise with code Adapter Not used Session Not used Your back-end server Posts code (& client secret, etc) to google. Google responds with access_token. Back-end responds with access_token. Get access_token from Google via authorization code grant
Google+ authorization code • Ember code: http://bit.ly/torii-demo-2 • Backend code: http://bit.ly/torii-demo-backend 1. Same setup as before but configure ‘google-oauth2’ provider 2. `torii.open(‘google-oauth2’).then( code… )` 3. Must exchange code for access_token • Possible next steps: • store access_token, refresh_token at back-end • use token to retrieve user or other info from API
Torii Walk-Through: Social Login
Torii Flows Examples Ember App code session.open(‘google-oauth2’).then(() => { // session.isAuthenticated, // session.currentUser is present }) Provider same as google-oauth2 authorization code grant flow Adapter (user-created) torii google-oauth2 adapter’s `open` method is called with auth code. POSTs code to back-end, receives user data, stores user id in localStorage, resolves with user data Session Look up adapter by name (‘google-oauth2’). Call `provider.open`, pass result to `adapter.open` Store result of adapter.open on session Transition state to `isAuthenticated` Your back-end server Exchange code for access_token from google (same as previous flow) Makes authorized request to google for user info. Use user info to log in. Respond with current user data. Social login with Google
Torii Social Login • Code: http://bit.ly/torii-demo-3 • Same setup as authorization code, then 1. Add session service 2. Create application torii-adapter with `open`, `close`, `fetch` methods 3. Add `authenticatedRoute` routes 4. Add `signIn`, `signOut` action • Update backend • Add /sign-in-with-authorization-code endpoint • Add “check login status” endpoint • Add “sign user out” endpoint
Wrap-up
Torii notes • Use Torii providers within ember-simple-auth via `ToriiAuthenticator` • Write your own Torii provider to exchange user/ password credentials with your backend for access token • Contributions welcome!
What’s next for torii? • OpenID Connect support via Albert-Jan Nijburg • OpenID Connect is an authentication protocol built on top of OAuth, adds `id_token` • Fixes security vulnerabilities with using OAuth for authentication • iframe service via Jeremy Green • ember-cli addon
Thanks @bantic Links • Torii: https://github.com/vestorly/torii • OAuth 2 explanation • Authentication with Torii from @MattDangerEddy • OAuth 2.0 Authorization Code Grant Spec • OAuth 2.0 Implicit Grant Spec • ember-simple-auth • Curated links Image Credits • https://www.flickr.com/photos/jpellgen/ • https://upload.wikimedia.org/wikipedia/commons/d/d1/-_Padlock_-.jpg • https://upload.wikimedia.org/wikipedia/commons/thumb/d/d2/Oauth_logo.svg/1021px-Oauth_logo.svg.png

Recommandé

Torii: Ember.js Authentication Library
Torii: Ember.js Authentication LibraryTorii: Ember.js Authentication Library
Torii: Ember.js Authentication LibraryCory Forsyth
 
Client-side Auth with Ember.js
Client-side Auth with Ember.jsClient-side Auth with Ember.js
Client-side Auth with Ember.jsMatthew Beale
 
OAuth using PHP5
OAuth using PHP5OAuth using PHP5
OAuth using PHP5Nurulazrad Murad
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0Uwe Friedrichsen
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0Karl McGuinness
 
MainFinalOAuth
MainFinalOAuthMainFinalOAuth
MainFinalOAuthMohan Kumar Tadikimalla
 
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Aaron Parecki
 

Recommandé

Torii: Ember.js Authentication Library
Torii: Ember.js Authentication LibraryTorii: Ember.js Authentication Library
Torii: Ember.js Authentication LibraryCory Forsyth
 
Client-side Auth with Ember.js
Client-side Auth with Ember.jsClient-side Auth with Ember.js
Client-side Auth with Ember.jsMatthew Beale
 
OAuth using PHP5
OAuth using PHP5OAuth using PHP5
OAuth using PHP5Nurulazrad Murad
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0Uwe Friedrichsen
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0Karl McGuinness
 
MainFinalOAuth
MainFinalOAuthMainFinalOAuth
MainFinalOAuthMohan Kumar Tadikimalla
 
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013
Using ArcGIS with OAuth 2.0 - Esri DevSummit Dubai 2013Aaron Parecki
 
OAuth 2 Presentation
OAuth 2 PresentationOAuth 2 Presentation
OAuth 2 PresentationMohamed Ahmed Abdullah
 
Maintest2
Maintest2Maintest2
Maintest2Mohan Kumar Tadikimalla
 
Maintest
MaintestMaintest
MaintestMohan Kumar Tadikimalla
 
Maintest3
Maintest3Maintest3
Maintest3Mohan Kumar Tadikimalla
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
OAuth 2.0 Misconceptions
OAuth 2.0 MisconceptionsOAuth 2.0 Misconceptions
OAuth 2.0 MisconceptionsCory Forsyth
 
OAuth
OAuthOAuth
OAuthMohan Kumar Tadikimalla
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2Khor SoonHin
 
Using OAuth with PHP
Using OAuth with PHPUsing OAuth with PHP
Using OAuth with PHPDavid Ingram
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHPLorna Mitchell
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overviewanikristo
 
Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Functional Imperative
 
OpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebOpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebRichard Metzler
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 securityvinoth kumar
 
LinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroLinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroTaylor Singletary
 
TLDR - OAuth
TLDR - OAuthTLDR - OAuth
TLDR - OAuthAndy March
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectLiamWadman
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectJacob Combs
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTMobiliya
 

Contenu connexe

Tendances

OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
OAuth 2.0 Misconceptions
OAuth 2.0 MisconceptionsOAuth 2.0 Misconceptions
OAuth 2.0 MisconceptionsCory Forsyth
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2Aaron Parecki
 
The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2Khor SoonHin
 
Using OAuth with PHP
Using OAuth with PHPUsing OAuth with PHP
Using OAuth with PHPDavid Ingram
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHPLorna Mitchell
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overviewanikristo
 
Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Functional Imperative
 
OpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebOpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebRichard Metzler
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 securityvinoth kumar
 
LinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroLinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroTaylor Singletary
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2Sanjoy Kumar Roy
 

Tendances (18)

OAuth 2 Presentation
OAuth 2 PresentationOAuth 2 Presentation
OAuth 2 Presentation
 
Maintest2
Maintest2Maintest2
Maintest2
 
Maintest
MaintestMaintest
Maintest
 
Maintest3
Maintest3Maintest3
Maintest3
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
 
OAuth 2.0 Misconceptions
OAuth 2.0 MisconceptionsOAuth 2.0 Misconceptions
OAuth 2.0 Misconceptions
 
OAuth
OAuthOAuth
OAuth
 
An Introduction to OAuth2
An Introduction to OAuth2An Introduction to OAuth2
An Introduction to OAuth2
 
The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2
 
Using OAuth with PHP
Using OAuth with PHPUsing OAuth with PHP
Using OAuth with PHP
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHP
 
(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview(1) OAuth 2.0 Overview
(1) OAuth 2.0 Overview
 
Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0Intro to API Security with Oauth 2.0
Intro to API Security with Oauth 2.0
 
OpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the WebOpenID vs OAuth - Identity on the Web
OpenID vs OAuth - Identity on the Web
 
Oauth 2.0 security
Oauth 2.0 securityOauth 2.0 security
Oauth 2.0 security
 
LinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To HeroLinkedIn OAuth: Zero To Hero
LinkedIn OAuth: Zero To Hero
 
TLDR - OAuth
TLDR - OAuthTLDR - OAuth
TLDR - OAuth
 
An introduction to OAuth 2
An introduction to OAuth 2An introduction to OAuth 2
An introduction to OAuth 2
 

Similaire à Ember Authentication and Authorization with Torii

Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectLiamWadman
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectJacob Combs
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTMobiliya
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsPieter Ennes
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloakGuy Marom
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportGaurav Sharma
 
Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0Kai Hofstetter
 
Linkedin & OAuth
Linkedin & OAuthLinkedin & OAuth
Linkedin & OAuthUmang Goyal
 
Introduction to OAuth 2.0 - the technology you need but never really learned
Introduction to OAuth 2.0 - the technology you need but never really learnedIntroduction to OAuth 2.0 - the technology you need but never really learned
Introduction to OAuth 2.0 - the technology you need but never really learnedMikkel Flindt Heisterberg
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018Matt Raible
 
Data Synchronization Patterns in Mobile Application Design
Data Synchronization Patterns in Mobile Application DesignData Synchronization Patterns in Mobile Application Design
Data Synchronization Patterns in Mobile Application DesignEric Maxwell
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbedleahculver
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020Matt Raible
 
Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Mohan Kumar Tadikimalla
 
Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Mohan Kumar Tadikimalla
 

Similaire à Ember Authentication and Authorization with Torii (20)

Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
 
OAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID ConnectOAuth 2.0 and OpenID Connect
OAuth 2.0 and OpenID Connect
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
Stateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWTStateless Auth using OAUTH2 & JWT
Stateless Auth using OAUTH2 & JWT
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patterns
 
OAuth and Open-id
OAuth and Open-idOAuth and Open-id
OAuth and Open-id
 
Api security
Api security Api security
Api security
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
 
Oauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 supportOauth2 and OWSM OAuth2 support
Oauth2 and OWSM OAuth2 support
 
Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0
 
Linkedin & OAuth
Linkedin & OAuthLinkedin & OAuth
Linkedin & OAuth
 
Introduction to OAuth 2.0 - the technology you need but never really learned
Introduction to OAuth 2.0 - the technology you need but never really learnedIntroduction to OAuth 2.0 - the technology you need but never really learned
Introduction to OAuth 2.0 - the technology you need but never really learned
 
REST API Authentication Methods.pdf
REST API Authentication Methods.pdfREST API Authentication Methods.pdf
REST API Authentication Methods.pdf
 
What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018What the Heck is OAuth and OIDC - UberConf 2018
What the Heck is OAuth and OIDC - UberConf 2018
 
Data Synchronization Patterns in Mobile Application Design
Data Synchronization Patterns in Mobile Application DesignData Synchronization Patterns in Mobile Application Design
Data Synchronization Patterns in Mobile Application Design
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuth
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbed
 
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
What the Heck is OAuth and OIDC - Denver Developer Identity Workshop 2020
 
Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02
 
Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02
 

Plus de Cory Forsyth

EmberFest Mobiledoc Demo Lightning Talk
EmberFest Mobiledoc Demo Lightning TalkEmberFest Mobiledoc Demo Lightning Talk
EmberFest Mobiledoc Demo Lightning TalkCory Forsyth
 
Making ember-wormhole work with Fastboot
Making ember-wormhole work with FastbootMaking ember-wormhole work with Fastboot
Making ember-wormhole work with FastbootCory Forsyth
 
Chrome Extensions at Manhattan JS
Chrome Extensions at Manhattan JSChrome Extensions at Manhattan JS
Chrome Extensions at Manhattan JSCory Forsyth
 
Explaining ES6: JavaScript History and What is to Come
Explaining ES6: JavaScript History and What is to ComeExplaining ES6: JavaScript History and What is to Come
Explaining ES6: JavaScript History and What is to ComeCory Forsyth
 
HAL APIs and Ember Data
HAL APIs and Ember DataHAL APIs and Ember Data
HAL APIs and Ember DataCory Forsyth
 
Ember testing internals with ember cli
Ember testing internals with ember cliEmber testing internals with ember cli
Ember testing internals with ember cliCory Forsyth
 
Stackup New Languages Talk: Ember is for Everybody
Stackup New Languages Talk: Ember is for EverybodyStackup New Languages Talk: Ember is for Everybody
Stackup New Languages Talk: Ember is for EverybodyCory Forsyth
 
Microsoft tech talk march 28 2014
Microsoft tech talk march 28 2014Microsoft tech talk march 28 2014
Microsoft tech talk march 28 2014Cory Forsyth
 
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0Cory Forsyth
 
APIs: Internet for Robots
APIs: Internet for RobotsAPIs: Internet for Robots
APIs: Internet for RobotsCory Forsyth
 

Plus de Cory Forsyth (10)

EmberFest Mobiledoc Demo Lightning Talk
EmberFest Mobiledoc Demo Lightning TalkEmberFest Mobiledoc Demo Lightning Talk
EmberFest Mobiledoc Demo Lightning Talk
 
Making ember-wormhole work with Fastboot
Making ember-wormhole work with FastbootMaking ember-wormhole work with Fastboot
Making ember-wormhole work with Fastboot
 
Chrome Extensions at Manhattan JS
Chrome Extensions at Manhattan JSChrome Extensions at Manhattan JS
Chrome Extensions at Manhattan JS
 
Explaining ES6: JavaScript History and What is to Come
Explaining ES6: JavaScript History and What is to ComeExplaining ES6: JavaScript History and What is to Come
Explaining ES6: JavaScript History and What is to Come
 
HAL APIs and Ember Data
HAL APIs and Ember DataHAL APIs and Ember Data
HAL APIs and Ember Data
 
Ember testing internals with ember cli
Ember testing internals with ember cliEmber testing internals with ember cli
Ember testing internals with ember cli
 
Stackup New Languages Talk: Ember is for Everybody
Stackup New Languages Talk: Ember is for EverybodyStackup New Languages Talk: Ember is for Everybody
Stackup New Languages Talk: Ember is for Everybody
 
Microsoft tech talk march 28 2014
Microsoft tech talk march 28 2014Microsoft tech talk march 28 2014
Microsoft tech talk march 28 2014
 
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
 
APIs: Internet for Robots
APIs: Internet for RobotsAPIs: Internet for Robots
APIs: Internet for Robots
 

Dernier

SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
ETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxNIMMANAGANTI RAMAKRISHNA
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
Cybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesCybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesLumiverse Solutions Pvt Ltd
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxMario
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxmibuzondetrabajo
 
TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxAndrieCagasanAkio
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 

Dernier (9)

SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
ETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptx
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
Cybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesCybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best Practices
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptx
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptx
 
TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptx
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 

Ember Authentication and Authorization with Torii

  • 5. A tale of two Auths • What is authentication? • Who are you? • What is authorization? • What are you allowed to do?
  • 6. Auth* • Authentication can imply authorization • Since you successfully logged in, you can use the system • Authorization may require authentication • Until I know who you are (authentication), I don’t know what you’re allowed to do
  • 7. Auth* • Authentication and Authorization require context to be meaningful • You can authenticate with one site, but be unauthenticated in the context of another site • You can be authorized by a site to perform an action • You can authorize a client to perform an action for you
  • 8. What is Torii? “A set of clean abstractions for authentication in Ember.js” Original work sponsored by
  • 9. Torii a traditional Japanese gate that symbolically marks the transition from the profane to the sacred
  • 10. Torii: • Designed to: • Make it simple to obtain authorization credentials from 3rd-party OAuth providers • Support use-cases beyond simply log-in • Provide simple building blocks for auth*, be flexible
  • 11. Torii ♥ OAuth • Simplifying the process of obtaining OAuth credentials is Torii’s core goal // Set up: // Create OAuth app at <providerName>. // Modify ember-cli app config. // in app: this.get(‘torii').open(<providerName>) // torii magic happens .then(authData => { // use authData })
  • 12. Torii ♥ OAuth// Set up: // Create OAuth app at <providerName>. // Modify ember-cli app config. // in app: this.get(‘torii').open(<providerName>) // torii magic happens .then(authData => { // use authData }) Use OAuth credentials to: • Connect user account to 3rd parties • Authenticate*, log in user
  • 13. Torii Features • Other Torii features: • Session management • Router DSL for authenticated routes • Torii providers not limited to OAuth
  • 14. Torii primitives • Providers (required) • Adapters (optional) • Session service (optional)
  • 15. Torii Providers • Interface with OAuth provider or other service capable of providing auth* information • Manage the complexity of redirect-based OAuth flows • Some built-in providers: • Google, Facebook, Github, LinkedIn, Stripe
  • 16. Torii Providers Methods: `open` Returns: promise Purpose obtain authorization or authentication credentials
  • 17. Torii Adapters • Adapters • Process the authorization data from providers • E.g. Exchange OAuth credentials to authenticate user • E.g. Hit endpoint to get current user from user token • Persist authentication state • Must be used with the Torii session service
  • 18. Torii Adapters Methods: `open` `fetch` `close` Returns: promise promise promise Purpose use provider’s auth* data to authenticate user, persist authn state determine if user is logged in sign user out, delete persisted authn state
  • 19. Torii Session • Session service is injected onto routes and controllers • Is a state machine • Has `isAuthenticated`, `isWorking`, `currentUser` and some other properties
  • 20. Torii Flows Examples Ember App code torii.open(‘google-oauth2-bearer’). .then(authData => { // authData contains access_token }); Provider uses app config info to open popup with correct URL, resolves promise with authData Adapter Not used Session Not used Your back-end server Not used Get access_token from Google via implicit grant
  • 21. Torii Flows Examples Ember App code torii.open(‘google-oauth2’). .then(authData => { // authData has authorizationCode // POST code to back-end }).then(access_token => { … }); Provider uses app config info to open popup with correct URL, resolves promise with code Adapter Not used Session Not used Your back-end server Posts code (& client secret, etc) to google. Google responds with access_token. Back-end responds with access_token. Get access_token from Google via authorization code grant
  • 22. Torii Flows Examples Ember App code session.open(‘google-oauth2’).then(() => { // session.isAuthenticated, // session.currentUser is present }) Provider same as previous google-oauth2 authorization code flow Adapter (user-created) torii google-oauth2 adapter’s `open` method is called with auth code. POSTs code to back-end, receives user data, stores user id in localStorage, resolves with user data Session Look up adapter by name (‘google-oauth2’). Call `provider.open`, pass result to `adapter.open` Store result of adapter.open on session Transition state to `isAuthenticated` Your back-end server Exchange code for access_token from google (same as previous flow) Make authorized request to google for user info. Use user info to log in. Respond with current user data. Social login with Google
  • 24. OAuth • An Authorization framework • Canonical example: • User wants to print photos • Photos are stored at my-pix.com • User grants authorization to print-me.com to access photos at my-pix.com • Solves the “share my password” anti-pattern
  • 25. OAuth • 1.0: • Uses cryptographic signatures, server-to-server communication • 2.0: • Includes “implicit grant” (front-end only) flow • Includes “authorization code grant” flow • No signatures (encrypted https communication only) • Both: • redirection-based flows
  • 26. OAuth Love Triangle Resource Owner (user) Resource / Authorization Server (my-pix.com) Client (print-me.com) visits1 directs browser to2 consent screen 3 redirects to, with authz in url 4
  • 27. OAuth Love Triangle User e.g. Google+ your ember app visits1 opens popup to2 consent screen 3 redirects to, with authz in url 4
  • 28. OAuth Love Triangle user e.g. Google+ your ember app visits1 opens popup to2 consent screen 3 redirects to, with authz in url 4 Torii Provider’s responsibility
  • 29. Torii Provider 4 • “opens popup to” authorization endpoint • Torii builds URL: • Detects redirect from Ember App • reads params from window.location.hash • closes popup, resolves existing `open` promise user e.g. Google+ your ember app visits1 opens popup to2 consent screen 3 redirects to, with authz in url https://accounts.google.com/o/oauth2/auth ?scope=X&state=Y&client_id=Z… http://localhost:4200/#code=xyz http://localhost:4200/#access_token=xyz
  • 30. Challenges of OAuth • OAuth 2.0 is vague — parameter names and responses vary between providers • Torii mitigates this by allowing providers to describe what parameters they use • Torii providers generate the correct URL for the popup • Maintaining state through url redirection is hard for SPAs • Torii uses a popup service and redirect handler so that your app code only sees a single promise resolving with the auth data
  • 31. OAuth • From Torii Provider perspective, “implicit” and “authorization code” grant flows are same • Difference is: resulting value (code or access_token) • access_token: Used for API requests • code: Must be exchanged by back-end for `access_token`, not useful on its own • code may be exchanged for `refresh_token`
  • 33. Torii Flows Examples Ember App code torii.open(‘google-oauth2-bearer’). .then(authData => { // authData contains access_token }); Provider uses app config info to open popup with correct URL, resolves promise with authData Adapter Not used Session Not used Your back-end server Not used Get access_token from Google via implicit grant
  • 34. Google+ access_token • Code: http://bit.ly/torii-demo-1 1. Create app w/ Google 2. Set up configuration for ‘google-oauth2-bearer’ provider 3. `torii.open(‘google-oauth2-bearer’).then( token.. )` • Possible next steps: • pass token to your back-end to use • use token to retrieve user or other info from API
  • 35. Create app with Google http://bit.ly/torii-demo-1
  • 37. Create OAuth2 Creds Pt 2 http://bit.ly/torii-demo-1
  • 38. Create OAuth2 Creds Pt 3 http://bit.ly/torii-demo-1
  • 40. Torii Flows Examples Ember App code torii.open(‘google-oauth2’). .then(authData => { // authData has authorizationCode // POST code to back-end }).then(access_token => { … }); Provider uses app config info to open popup with correct URL, resolves promise with code Adapter Not used Session Not used Your back-end server Posts code (& client secret, etc) to google. Google responds with access_token. Back-end responds with access_token. Get access_token from Google via authorization code grant
  • 41. Google+ authorization code • Ember code: http://bit.ly/torii-demo-2 • Backend code: http://bit.ly/torii-demo-backend 1. Same setup as before but configure ‘google-oauth2’ provider 2. `torii.open(‘google-oauth2’).then( code… )` 3. Must exchange code for access_token • Possible next steps: • store access_token, refresh_token at back-end • use token to retrieve user or other info from API
  • 43. Torii Flows Examples Ember App code session.open(‘google-oauth2’).then(() => { // session.isAuthenticated, // session.currentUser is present }) Provider same as google-oauth2 authorization code grant flow Adapter (user-created) torii google-oauth2 adapter’s `open` method is called with auth code. POSTs code to back-end, receives user data, stores user id in localStorage, resolves with user data Session Look up adapter by name (‘google-oauth2’). Call `provider.open`, pass result to `adapter.open` Store result of adapter.open on session Transition state to `isAuthenticated` Your back-end server Exchange code for access_token from google (same as previous flow) Makes authorized request to google for user info. Use user info to log in. Respond with current user data. Social login with Google
  • 44. Torii Social Login • Code: http://bit.ly/torii-demo-3 • Same setup as authorization code, then 1. Add session service 2. Create application torii-adapter with `open`, `close`, `fetch` methods 3. Add `authenticatedRoute` routes 4. Add `signIn`, `signOut` action • Update backend • Add /sign-in-with-authorization-code endpoint • Add “check login status” endpoint • Add “sign user out” endpoint
  • 46. Torii notes • Use Torii providers within ember-simple-auth via `ToriiAuthenticator` • Write your own Torii provider to exchange user/ password credentials with your backend for access token • Contributions welcome!
  • 47. What’s next for torii? • OpenID Connect support via Albert-Jan Nijburg • OpenID Connect is an authentication protocol built on top of OAuth, adds `id_token` • Fixes security vulnerabilities with using OAuth for authentication • iframe service via Jeremy Green • ember-cli addon
  • 48. Thanks @bantic Links • Torii: https://github.com/vestorly/torii • OAuth 2 explanation • Authentication with Torii from @MattDangerEddy • OAuth 2.0 Authorization Code Grant Spec • OAuth 2.0 Implicit Grant Spec • ember-simple-auth • Curated links Image Credits • https://www.flickr.com/photos/jpellgen/ • https://upload.wikimedia.org/wikipedia/commons/d/d1/-_Padlock_-.jpg • https://upload.wikimedia.org/wikipedia/commons/thumb/d/d2/Oauth_logo.svg/1021px-Oauth_logo.svg.png