Slide 1

Slide 1 text

Auth* in Ember apps with Torii 03/10/2016 – Ember.js Amsterdam


Slide 8

Slide 8 text

Balint Erdi @baaz balinterdi http://balinterdi.com

Slide 9

Slide 9 text

http://rockandrollwithemberjs.com

Slide 10

Slide 10 text

Authentication Authentication (from Greek: αὐθεντικός authentikos, "real, genuine," from αὐθέντης authentes, "author") is the act of confirming the truth of an attribute of a single piece of data (a datum) claimed true by an entity.

Slide 11

Slide 11 text

Single piece of data? I am Balint Erdi (or, more frequently [email protected])

Slide 12

Slide 12 text

Way of confirmation? I, and only I, know the secret.

Slide 13

Slide 13 text

Authorization Authorization is the function of specifying access rights to resources related to information security and computer security in general and to access control in particular.

Slide 14

Slide 14 text

Preconditions Authentication needs to precede authorization.

Slide 15

Slide 15 text

(Common) Example You are authorized to do as you please with your data.

Slide 16

Slide 16 text

Putting the two auths together After authenticating myself against the user database, I can do with my data as I please.

Slide 17

Slide 17 text

Putting the two auths together After authenticating yourself against your Twitter profile, you have authorized the Pocket app to post to your timeline.

Slide 18

Slide 18 text

OAuth 2.0

Slide 19

Slide 19 text

After authenticating yourself against your Twitter profile, you have authorized the Pocket app to post to your timeline. The OAuth roles in that sentence: Resource owner (you), Service provider (Twitter; in OAuth 2.0 wording the authorization server plus the resource server), Consumer (Pocket; in OAuth 2.0 wording the client), Access scope (posting to your timeline, and nothing more).

Slide 20

Slide 20 text

Implicit grant flow (response_type=token): the access token is handed straight to the browser app in the fragment of the redirect URL, with no client secret and no code exchange, which is why the app has to check who the token was issued to before trusting it.

Slide 21

Slide 21 text

User Service provider (Server) Consumer

Slide 22

Slide 22 text

User Ember app Google +

Slide 23–33

Slide 23–33 text

(One sequence diagram, built up one arrow per slide.) Participants: User, Ember app, Google+
1 User → Ember app: visits
2 Ember app → Google+: who's this guy?
3 Google+ → User: who are you?
4 User → Google+: I'm Balint
5 Google+ → User: The app wants these things
6 User → Google+: I'm fine with that
7 Google+ → Ember app: Here, keep this safe
8 Ember app: Thanks, dude.
9 Ember app → Google+: Is this token legit?
10 Google+ → Ember app: It sure is.
11 Ember app → User: Come on in

Slide 34

Slide 34 text

Bearing a token: on later requests the app simply presents the token it was given in step 7. It is a bearer token, so whoever holds it can use it, which is why "keep this safe" is not a joke.

Slide 35–37

Slide 35–37 text

(Built up one arrow per slide.) Participants: User, Ember app, Google+
1 Ember app → Google+: Is this token still legit?
2 Google+ → Ember app: Dude, you asked me 2 slides ago
3 Ember app → User: Come on in


Slide 39

Slide 39 text

Torii

Slide 40

Slide 40 text

https://github.com/Vestorly/torii

Slide 41

Slide 41 text

Makes it simple to obtain auth from 3rd party providers

Slide 42

Slide 42 text

Torii concepts • Providers • Adapters • Session

Slide 43

Slide 43 text

Providers • They obtain authorization from the third party (OAuth 1.0 wording: service providers; OAuth 2.0 wording: authorization servers) • Some pre-defined ones ship with Torii • A single API method: open • Must return a promise that resolves with what the third party handed back (e.g. a token or an authorization code)

Slide 44

Slide 44 text

Adapters • They pass authorization data from providers to the session • open, fetch and close • All must return promises

Slide 45

Slide 45 text

Session • Stores current authentication state and data • Proxies all its methods to the specified adapter (for `open`, first to the provider) • Contains a state machine (isAuthenticated, isFetching, etc.) • Session management is opt-in

Slide 46

Slide 46 text

Router DSL • Calls `checkLogin` on the application route • => Initiates (fetches) the session • For authenticated routes, triggers `accessDenied` if the session is not authenticated • This guard only steers navigation in the browser; the API behind the app still has to validate the token on every request
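The provider / adapter / session contract from slides 42 to 46 as an added example in plain Node.js, so the promise chain and the session's state machine can be run without Ember. This is a model, not Torii's own code: the method names (`open`, `fetch`, `close`, `isAuthenticated`, `isFetching`, `checkLogin`, `accessDenied`) are the ones the slides use, while the class shapes, the `FakeGoogleProvider`, the `TOKEN_INFO` table standing in for the app's backend plus the provider's token check, and the hypothetical client id are all constructed. Real Torii providers and adapters are Ember objects registered with the app; the point shown here is *where* the security decision lives: the provider only fetches, the adapter decides.

```javascript
// Added example, not Torii's own code. Everything below is a constructed
// model of the contract the slides describe.
const CLIENT_ID = 'this-app.client-id.constructed'; // hypothetical

// Provider: obtains authorization from the third party and resolves with
// whatever came back. Torii's built-in ones use a popup; this one is fed
// a constructed result so it runs offline.
class FakeGoogleProvider {
  constructor(result) { this.result = result; }
  open() { return Promise.resolve(this.result); } // e.g. { authorizationToken }
}

// Constructed stand-in for "the backend asks Google whether the token is
// legit and for whom it was minted". In a real adapter this is an HTTPS call.
const TOKEN_INFO = new Map([
  ['tok-good',      { aud: CLIENT_ID,                sub: 'balint' }],
  ['tok-other-app', { aud: 'someone-elses.client-id', sub: 'balint' }],
]);

// Adapter: turns what the provider returned into session data, or rejects.
// `store` models where the session survives a page reload (localStorage).
class TokenInfoAdapter {
  constructor(store) { this.store = store; }
  open({ authorizationToken }) {
    const info = TOKEN_INFO.get(authorizationToken);
    if (!info) return Promise.reject(new Error('unknown token'));
    // Audience check: a genuine token for a different app must not log
    // anyone into this one.
    if (info.aud !== CLIENT_ID) return Promise.reject(new Error('token not issued to this app'));
    this.store.token = authorizationToken;
    return Promise.resolve({ currentUser: info.sub, token: authorizationToken });
  }
  // fetch(): restore after a reload. Re-validate rather than trusting storage.
  fetch() {
    if (!this.store.token) return Promise.reject(new Error('no stored session'));
    return this.open({ authorizationToken: this.store.token });
  }
  close() { delete this.store.token; return Promise.resolve(); }
}

// Session: state machine plus data. Only the adapter resolving can move it
// to 'authenticated'; any rejection drops it back to 'unauthenticated'.
class Session {
  constructor(provider, adapter) {
    this.provider = provider; this.adapter = adapter;
    this.state = 'unauthenticated'; this.currentUser = null;
  }
  get isAuthenticated() { return this.state === 'authenticated'; }
  get isFetching() { return this.state === 'fetching'; }
  open() {  // provider first, then adapter
    return this._transition('opening', () => this.provider.open().then(auth => this.adapter.open(auth)));
  }
  fetch() { return this._transition('fetching', () => this.adapter.fetch()); }
  close() {
    return this.adapter.close().then(() => { this.state = 'unauthenticated'; this.currentUser = null; });
  }
  _transition(working, run) {
    this.state = working;
    return run().then(
      data => { this.state = 'authenticated'; this.currentUser = data.currentUser; return data; },
      err => { this.state = 'unauthenticated'; this.currentUser = null; throw err; });
  }
}

// Router-DSL analogue: checkLogin fetches the session on the application
// route; an authenticated route is entered or triggers accessDenied.
function checkLogin(session) { return session.fetch().catch(() => null); }
function enterAuthenticatedRoute(session) { return session.isAuthenticated ? 'enter' : 'accessDenied'; }

// Constructed walk-through; returns the state observed after each step.
async function demo() {
  const store = {}; const out = {};
  // 1. Provider returns a token minted for another client: provider.open()
  //    resolves, adapter.open() rejects, the session stays logged out.
  let session = new Session(new FakeGoogleProvider({ authorizationToken: 'tok-other-app' }), new TokenInfoAdapter(store));
  await session.open().catch(e => { out.substitutedError = e.message; });
  out.afterSubstituted = session.state;
  out.routeAfterSubstituted = enterAuthenticatedRoute(session);
  // 2. Genuine token: authenticated, and the adapter persisted it.
  session = new Session(new FakeGoogleProvider({ authorizationToken: 'tok-good' }), new TokenInfoAdapter(store));
  await session.open();
  out.afterGood = session.state; out.user = session.currentUser;
  // 3. "Page reload": a fresh Session object, restored by checkLogin via fetch.
  const reloaded = new Session(new FakeGoogleProvider(null), new TokenInfoAdapter(store));
  await checkLogin(reloaded);
  out.afterReload = reloaded.state; out.routeAfterReload = enterAuthenticatedRoute(reloaded);
  // 4. Logout clears storage, so a later checkLogin cannot restore anything.
  await reloaded.close();
  await checkLogin(reloaded);
  out.afterClose = reloaded.state;
  return out;
}

module.exports = { FakeGoogleProvider, TokenInfoAdapter, Session, checkLogin, enterAuthenticatedRoute, demo };
```

Note that the provider never rejects the substituted token: it has no way to know which app the token was meant for. That decision belongs in the adapter (or the backend it talks to), and `fetch` goes through the same check so a tampered value in storage does not resurrect a session.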

Slide 47

Slide 47 text

Real-world example (kind of)

Slide 48

Slide 48 text

Thank you! (Dank u wel!)

Slide 49

Slide 49 text

Questions? (Vragen?)

Slide 50

Slide 50 text

References
• Some surprising things about OAuth 2.0
• Torii on GitHub (https://github.com/Vestorly/torii)
• Introduction to Torii – Cory Forsyth's video presentation at the Global Ember meetup
• Introduction to Torii – the slides from said presentation
• Using OAuth 2.0 for Client-side Web Apps – With the Google Identity Platform