Auth* in Ember apps with Torii

Auth* in Ember apps with Torii 03/10/2016 – Ember.js Amsterdam

Balint Erdi @baaz balinterdi http://balinterdi.com

http://rockandrollwithemberjs.com

Authentication Authentication (from Greek: αὐθεντικός authentikos, "real, genuine," from αὐθέντης
authentes, "author") is the act of conﬁrming the truth of an attribute of a single piece of data (a datum) claimed true by an entity.

Single piece of data? I am Balint Erdi (or, more
frequently [email protected])

Way of conﬁrmation? I, and only I, know the secret.

Authorization Authorization is the function of specifying access rights to
resources related to information security and computer security in general and to access control in particular.

Preconditions Authentication needs to precede authorization.

(Common) Example You are authorized to do as you please
with your data.

Putting the two auths together After authenticating myself against the
user database, I can do with my data as I please.

Putting the two auths together After authenticating yourself against your
Twitter proﬁle, you have authorized the Pocket app to post to your timeline.

OAuth 2.0

After authenticating yourself against your Twitter proﬁle, you have authorized
the Pocket app to post to your timeline. Resource owner Service provider Consumer Access scope

Implicit grant ﬂow

User Service provider (Server) Consumer

User Ember app Google +

User Ember app Google + 1 visits

User Ember app Google + 1 who’s this guy? 2
visits

User Ember app Google + 1 who’s this guy? 2
visits who are you? 3

User Ember app Google + who are you? 1 who’s
this guy? 2 visits 3 I’m Balint 4

this guy? 2 visits 3 I’m Balint 4 The app wants these things 5

this guy? 2 visits 3 I’m Balint 4 The app wants these things 5 I’m ﬁne with that 6

User Ember app Google + I’m ﬁne with that 6
Here, keep this safe 7

Thanks, dude. 8 Here, keep this safe 7

Thanks, dude. 8 Here, keep this safe 7 Is this token legit? 9

Thanks, dude. 8 Here, keep this safe 7 Is this token legit? 9 It sure is. 10

Thanks, dude. 8 Here, keep this safe 7 Is this token legit? 9 It sure is. 10 Come on in 11

Bearing a token

User Ember app Google + 1 Is this token still
legit?

legit? Dude, you asked me 2 slides ago 2

legit? Dude, you asked me 2 slides ago 2 Come on in 3

https://github.com/Vestorly/torii

Makes it simple to obtain auth from 3rd party providers

Torii concepts • Providers • Adapters • Session

Providers • They provide authentication services (OAuth: service providers) •
Some pre-deﬁned ones in Torii • A single API method: open • Must return a promise

Adapters • They pass authorization data from providers to the
session • open, fetch and close • All must return promises

Session • Stores current authentication state and data • Proxies
all its methods to the specified adapter (for òpen`, first to the provider) • Contains a state machine (isAuthenticated, isFetching, etc.) • Session management is opt-in

Router DSL • Calls `checkLogin` on the application route •
=> Initiates the session • For authenticated routes, triggers `accessDenied` if session is not authenticated

Real-world example (kind of)

Dankuvel!

Vragen?

References • Some surprising things about OAuth 2.0 • Torii
on Github • Introduction to Torii – Cory Forsyth’s video presentation at the Global Ember meetup • Introduction to Torii – the slides from said presentation • Using OAuth 2.0 for Client-side Web Apps – With the Google Identity Platform

Auth* in Ember apps with Torii

Auth* in Ember apps with Torii

More Decks by Balint Erdi

Other Decks in Technology

Featured

Transcript