Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Secure API Services in Node with Basic Auth and...

Stormpath
December 10, 2015
Programming
0
18

Secure API Services in Node with Basic Auth and OAuth2

In this presentation, Lead Developer Evangelist Randall Degges will go over how API authentication works via HTTP Basic Auth and OAuth2 (Client Credentials), and will show you how to secure an Express.js API service with both of them using Stormpath!

Sign up for Stormpath: https://api.stormpath.com/register
More from Stormpath: https://stormpath.com/blog

Stormpath

December 10, 2015
Tweet

More Decks by Stormpath

See All by Stormpath
RESTful API Development for ASP.NET Core
stormpath
0
220
Build a REST API for your Mobile Apps in Node
stormpath
0
56
Secure Your REST API
stormpath
0
190
How to Use Stormpath in Angular.js
stormpath
0
150
Beautiful REST+JSON APIs with Ion
stormpath
0
160
Storing User Files with Express, Stormpath, and Amazon S3
stormpath
0
31
Instant Security & Scalable User Management with Spring Boot
stormpath
0
190
Custom Data Search with Stormpath
stormpath
0
41
Browser Security 101
stormpath
0
47

Other Decks in Programming

See All in Programming
レガシーシステムにどう立ち向かうか 複雑さと理想と現実/vs-legacy
suzukihoge
15
2.3k
ECS Service Connectのこれまでのアップデートと今後のRoadmapを見てみる
tkikuc
2
260
RubyLSPのマルチバイト文字対応
notfounds
0
120
Remix on Hono on Cloudflare Workers
yusukebe
1
310
Enabling DevOps and Team Topologies Through Architecture: Architecting for Fast Flow
cer
PRO
0
360
アジャイルを支えるテストアーキテクチャ設計/Test Architecting for Agile
goyoki
9
3.3k
OnlineTestConf: Test Automation Friend or Foe
maaretp
0
120
Tauriでネイティブアプリを作りたい
tsucchinoko
0
380
OSSで起業してもうすぐ10年 / Open Source Conference 2024 Shimane
furukawayasuto
0
110
Missing parts when designing and implementing Android UI
ericksli
0
200
ActiveSupport::Notifications supporting instrumentation of Rails apps with OpenTelemetry
ymtdzzz
1
250
受け取る人から提供する人になるということ
little_rubyist
0
250

Featured

See All Featured
A Modern Web Designer's Workflow
chriscoyier
693
190k
Side Projects
sachag
452
42k
Build The Right Thing And Hit Your Dates
maggiecrowley
33
2.4k
Producing Creativity
orderedlist
PRO
341
39k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
250
21k
[RailsConf 2023] Rails as a piece of cake
palkan
52
4.9k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
232
17k
How to Think Like a Performance Engineer
csswizardry
20
1.1k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
6
430
Reflections from 52 weeks, 52 projects
jeffersonlam
346
20k
Measuring & Analyzing Core Web Vitals
bluesmoon
4
140
Optimising Largest Contentful Paint
csswizardry
33
2.9k

Transcript

  1. Secure API Services in Node.js

  2. Welcome! • Agenda • Stormpath 101 (5 mins) • How

    to secure an API (25 mins) • Q&A (30 mins) • Claire Hunsaker VP of Marketing & Customer Success • Randall Degges Node.js Evangelist

  3. Customer Identity Poses Major Challenges

  4. Speed to Market & Cost Reduction • Complete Identity solution

    out-of-the-box • Security best practices and updates by default • Clean & elegant API/SDKs • Little to code, no maintenance Focus on Your Core Competency

  5. Stormpath User Management User Data User Workflows Google ID Your

    Applications Application SDK Application SDK Application SDK ID Integrations Facebook Active Directory SAML

  6. Features • Secure, flexible Authentication (Password, Token, OAuth, API) •

    Deep Authorization Groups, Roles Customer Organizations Permissions • Customer Profile Data • Single Sign-On Across Your Apps • Hosted User Screens

  7. What’s the Goal of This Talk?

  8. D’oh! API Server(s) API Client API Client API Client API

    Client Internet

  9. API Server(s) API Server(s) Browser / Mobile Web API Client

    Client-to-API Server-to-API

  10. Basic Auth OAuth2 What’s the Goal of This Talk?

  11. About API Keys…

  12. [email protected] iLOVEc00kies! API Server(s) Website

  13. 163e087c36c34fa4b4635995c29cf9b5:b6e7bd4c74cf430493fe03b2e30225f8 API Secret Long, random strings (uuids).

  14. Let Users Have Multiple API Keys Key 1 Key 2

    ID: 3c511ea2ef424dd88bc1575e7e5a2bd7 Secret: 1ae8120c1ec940638913f4e258b8f7fe ID: cc463f7aabfd4132a2211006886d05f1 Secret: 85172ea5aef144038f019b3111b5e11a

  15. Creating API Keys with Stormpath req.user.createApiKey(function(err, apiKey) { if (err)

    throw err; console.log('New API key created!'); console.log('API Key ID:', apiKey.id); console.log('API Key Secret:', apiKey.secret); });

  16. LET’S SET UP STORMPATH!

  17. LET’S WRITE SOME CODE!

  18. How Does Basic Auth Work? API Server(s) Authorization: Basic <base64(id:secret)>

    $ curl --user id:secret http://localhost:3000/api/test

  19. How Does OAuth2 Work? (Step 1) API Server(s) Authorization: Basic

    <base64(id:secret)> Access Token $ curl --user id:secret \ -X POST \ --data grant_type=client_credentials \ http://localhost:3000/oauth/token

  20. How Does OAuth2 Work? (Step 2) API Server(s) Authorization: Bearer

    <token> $ curl -H “Authorization: Bearer <token>” \ http://localhost:3000/api/test

  21. Node & Express Resources • Talking to OAuth2 Services with

    Node.js https://stormpath.com/blog/talking-to-oauth2-services-with-nodejs • What the Heck is OAuth? https://stormpath.com/blog/what-the-heck-is-oauth/ • Stormpath Express Library http://docs.stormpath.com/nodejs/express/latest/ • All Our JavaScript Integrations http://docs.stormpath.com/nodejs/

  22. QUESTIONS?

  23. THANK YOU