oauth 2.0 - because api
DESCRIPTION
Separating traditional web apps often results in an API. In this presentation I argue why OAuth 2.0 is a good addition to your service.
TRANSCRIPT
OAuth 2.0: Because API
Emberfest, 29/08/14
Theodor Tonum
@theodorton
Developer @ Skalar

Ember => API

OAuth 101
• Open standard for authorization
• Access to a user's resources
• Access tokens represent user credentials
• Can limit access through the use of scopes

"Allowing an application to act on your behalf and access information from an application that you use."
— gmoore, Stack Overflow

Allowing a frontend application to act on your behalf and access information from an API that you use.

OAuth is great for platforms
You now have a little ecosystem of your own
Your application is a small platform

In-house applications and OAuth
Obtaining an access token: The /token endpoint

// POST /token
// Content-Type: application/json
{
  "grant_type": "password",
  "username": "[email protected]",
  "password": "none-of-your-business"
}

// Response
{
  "access_token": "my-secret-access-token"
}

Implicit authentication: The /me endpoint

// GET /me
// Authorization: Bearer my-secret-access-token
{
  "users": [{
    "id": 1,
    "name": "Foo Bar",
    "email": "[email protected]"
  }]
}

The access token must always be included in the Authorization header.
Ember library: ember-simple-auth

Third-party applications and OAuth

Obtaining an access token: The /oauth/authorize endpoint
var redirectUri = encodeURIComponent("http://www.myapp.com/redirect.html");
window.location = "http://www.example.com/oauth/authorize?" +
  "response_type=token&" +
  "client_id=CLIENT_ID&" +
  "scopes=public&" +
  "redirect_uri=" + redirectUri;
Receiving the token

// Success returns to: .../redirect.html#access_token=my-secret-access-token
// Fail: .../redirect.html#error=access_denied
Scopes
• Categorizes resources (and actions) you want to protect
• Combination of nouns and verbs
• Presented to the user in the authorization step
• Examples from GitHub: user, public_repo, delete_repo
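An added example of the scope model described above (not code from the talk; scope names, their consent descriptions and the route table are constructed, not GitHub's): scopes are noun:verb strings, the consent screen shows the user a description of each one requested, the token receives only scopes the user approved, and every API request is checked against the one scope its route needs.

```javascript
// Added example: parsing, granting and enforcing scopes. All names are constructed.

// Scope catalogue: the description is what the user sees on the consent screen.
const SCOPES = {
  'user:read':   'Read your profile',
  'repo:read':   'Read your public repositories',
  'repo:write':  'Create and update your repositories',
  'repo:delete': 'Delete your repositories',
};

// Parse the space-separated scope string of an authorization request into a Set
// of known scopes; unknown names are dropped rather than silently granted.
function parseScopes(scopeString) {
  const requested = new Set();
  for (const s of (scopeString || '').trim().split(/\s+/)) {
    if (s in SCOPES) requested.add(s);
  }
  return requested;
}

// Lines shown to the user in the authorization step.
function consentText(scopeSet) {
  return [...scopeSet].map((s) => SCOPES[s]);
}

// The token carries only scopes that were both requested and approved.
function grantScopes(requested, approvedByUser) {
  return new Set([...requested].filter((s) => approvedByUser.has(s)));
}

// Route table: each protected route names the single scope it needs.
const ROUTES = [
  { method: 'GET',    path: /^\/me$/,         scope: 'user:read' },
  { method: 'GET',    path: /^\/repos$/,      scope: 'repo:read' },
  { method: 'POST',   path: /^\/repos$/,      scope: 'repo:write' },
  { method: 'DELETE', path: /^\/repos\/\d+$/, scope: 'repo:delete' },
];

// Authorize one request: 404 for an unknown route, 403 naming the missing scope
// when the token does not cover the route, 200 otherwise.
function authorize(tokenScopes, method, path) {
  const route = ROUTES.find((r) => r.method === method && r.path.test(path));
  if (!route) return { status: 404 };
  if (!tokenScopes.has(route.scope)) {
    return { status: 403, body: { error: 'insufficient_scope', scope: route.scope } };
  }
  return { status: 200 };
}
```

The check runs on the API side for every request; the consent screen only decides what the token is allowed to carry, and a client that asked for more than the user approved simply gets 403 on those routes.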
Ember library: ember-oauth2

Authentication is a means to an end; you want access to resources
• Not part of the domain
• Authorization is clear with its intent: "I want access to your resource X"
• Makes perfect sense for third-party apps
• In-house apps are authorized by default (skip UI)
• Note: OAuth doesn't replace Devise or whatever authentication library you use on the server

Let's talk about platform
Your data may go places you've never expected

Third-party applications are good
Users create their own small applications
IFTTT & Zapier make users into developers

When does it make sense?
• The modern web app: You have separated frontend and backend with an Ember app and an API, and you need a way of authenticating with the API
• The platform: You're building a platform, want to let developers create third-party clients, and you care about your users
• Organization: Your organization manages several applications and you want to turn authentication and authorization into a service

Main problems with OAuth?
For clients: Opinionated implementations
For providers: Opinionated libraries

Summary
• Modern mechanism for auth
• Control over third-party applications
• Made with Ember.js in mind - so simple!

Questions?