Introductions

Twitter @lgleasain Github lgleasain www.lancegleason.com www.polyglotprogrammincinc.com [email protected]

No content

No content

No content

No content

No content

No content

No content

No content

No content

http://www.polyglotprogramminginc.com/purr- programming-2-0/

No content

No content

No content

No content

What Are Services

No content

No content

No content

No content

No content

No content

No content

No content

Why Services

No content

No content

No content

What is Federation

No content

Single Sign On

No content

No content

No content

No content

No content

No content

No content

XML

No content

No content

No content

No content

Authorization and Authentication

Authentication /Authorization

Single Point of Success

Bad For Mixed Use

Complex

Mostly Read Only Content

Half Requires Authenication/ Authorizaztion

Needs To Scale

No content

Bearer Token

No content

No content

No content

No content

No content

No content

No content

Doorkeeper

gem 'doorkeeper' rails generate doorkeeper:install rails generate doorkeeper:migration rake db:migrate

Every Instance Has To Have a Datastore

No content

No content

No content

resource_owner_authenticator do @user = env[:clearance].current_user unless @user session[:return_to] = request.fullpath redirect_to(routes.sign_in_url) end @user end

No content

resource_owner_authenticator do #could be a call to a central authentication service. @user = env[:clearance].current_user unless @user session[:return_to] = request.fullpath redirect_to(routes.sign_in_url) end @user end

No content

No content

module OmniAuth module Strategies autoload :VulcanService, Rails.root.join('lib', 'strategies', 'vulcan_service') autoload :KlingonManager, Rails.root.join('lib', 'strategies', 'klingon_manager') autoload :Bieber, Rails.root.join('lib', 'strategies', 'beiber') end end Rails.application.config.middleware.use OmniAuth::Builder do provider :Vulcan, "#{APP_CONFIG['vulcan_url']}/login" provider :KlingonService, "#{APP_CONFIG['klingon_service_url']}/login" provider :BeiberManager, "#{APP_CONFIG['beiber_manager_url']}/login" provider :developer end

require 'strategies/common' module OmniAuth module Strategies class VulcanService include Common include OmniAuth::Strategy args [:authentication_url] def request_phase # some request code to authenticate # live long and prosper end #todo: add checks to make sure the values returned here are valid def callback_phase request = Rack::Request.new env cookies = request.cookies response = Rack::Response.new cookie_monster = VulcanCookieMonster.new cookies common_vulcan_callback cookie_monster: cookie_monster, response: response, cookies: cookies end private def strategy_id 'comcast_tve' end end end end

No content

No content

No content

Delegation

No content

class ApplicationController < ActionController::API def check_authorization authorization = request.headers[‘Authorization'] if authorization party_response = HTTParty.get("#{APP_CONFIG['doorkeeper_service_url']}:#{ENV[DOORKEEPER_SERVICE_PORT']}/ check_key.json", query: {'signature' => Hancock.sign, 'oauth_token' => authorization}) parsed_response = party_response.parsed_response if parsed_response['user_key'] expires = Marshal.load(parsed_response['expires_at'].force_encoding('UTF-8')).to_json @user = { 'user_id' => parsed_response['user_id'], 'user_key' => parsed_response['user_key'], 'email' => parsed_response['email'], 'expires_at' => expires } else response.status = 401 render json: {authorized: false} and return end end else response.status = 401 render json: {authorized: false} and return end end end

Single Point of Success

Under Load

Cached Delegation

No content

No content

require 'redis' class ApplicationController < ActionController::API def check_authorization authorization = request.headers['Authorization'] if authorization redis = Redis.new(:host => ENV['REDIS_HOST'], :port => ENV['REDIS_PORT']) redis_user = redis.get(authorization) if redis_user != nil @user = JSON.parse(redis_user) expires_at = DateTime.parse(@user['expires_at']) end if !@user or expires_at < DateTime.now party_response = HTTParty.get("#{APP_CONFIG['doorkeeper_service_url']}:#{ENV['DOORKEEPER_SERVICE_PORT']}/check_key.json", query: {'signature' => Hancock.sign, 'oauth_token' => authorization}) parsed_response = party_response.parsed_response if parsed_response['user_key'] expires = Marshal.load(parsed_response['expires_at'].force_encoding('UTF-8')).to_json @user = { 'user_id' => parsed_response['user_id'], 'user_key' => parsed_response['user_key'], 'email' => parsed_response['email'], 'expires_at' => expires } redis.set authorization, @user.to_json else response.status = 401 render json: {authorized: false} and return end end else response.status = 401 render json: {authorized: false} and return end end end

No content

No content

Oauth Sucks

Yeah But….

It’s a Standard

Roll Your Own Is Less Secure

JWT’s Are Roll Your Own

Default Doorkeeper is Too

No content

No content

97

Twitter @lgleasain Github lgleasain www.lancegleason.com www.polyglotprogrammincinc.com [email protected]