OAuth&2.0Because'API

Emberfest)29/08/14

Theodor'Tonum

@theodorton

Developer(@(Skalar

Ember&=>&API

OAuth&101

• Open&standard&for&authoriza2on

• Access&to&a&users'&resources

• Access&tokens&represent&user&creden2als

• Can&limit&access&through&the&use&of&scopes

Allowing(an(applica,on(to(act(on(your(behalf(and(access(

informa,on(from(an(applica,on(that(you(use.

—(gmoore,(Stack(Overflow

Allowing(a(frontend(applica1on(to(act(on(your(

behalf(and(access(informa1on(from(an(API(that(you(use.

OAuth&is&great&for&pla1orms

You$now$have$a$li-leecosystem$of$your$own

Your%applica+on%isa%small%pla/orm

In#house)applica/ons)and)OAuth

Obtaining(an(access(token:The(/token(endpoint

//"POST"/token//"Content-Type:"applica5on/json{""""grant_type:""password",""""username:""foo@example.com",""""password:""none-of-your-business"}//"Response{""""access_token:""my-secret-access-token"}

Implicit(authen.ca.on:The(/me(endpoint

//"GET"/me//"Authoriza1on:"Bearer"my6secret6access6token{""""users:"[{""""""""id:"1,""""""""name:""Foo"Bar",""""""""email:""foo@example.com"""""}]}

The$access$token$must$always$be$included$in$the$Authoriza7on$header.

Ember&libraryember%simple%auth

Third&party+applica.ons+and+OAuth

Obtaining(an(access(token:The(/oauth/authorize(endpoint

var$redirectUri$=$encodeURIComponent("h6p://www.myapp.com/redirect.html");window.loca?on$=$"h6p://www.example.com/oauth/authorize?"+$$"response_type=token&"+$$"client_id=CLIENT_ID&"+$$"scopes=public"+$$"redirect_uri="+redirectUri;

Receiving(the(token

//"Success"returns"to:".../redirect.html#access_token=my:secret:access:token"

//"Fail".../redirect.html#error=access_denied"

Scopes

• Categorizes,resources,(and,ac2ons),you,want,to,protect

• Combina2on,of,nouns,and,verbs

• Presented,to,the,user,in,the,authoriza2on,step

• Examples,from,Github:,user,,public_repo,,delete_repo

Ember&libraryember%oauth2

Authen'ca'on+is+a+means+to+an+end,you+want+access+to+resources

• Not%part%of%the%domain

• Authoriza3on%is%clear%with%its%intent:"I%want%access%to%your%resource%X"

• Makes%perfect%sense%for%third?party%apps

• In?house%apps%are%authorized%by%default%(skip%UI)

• Note:%OAuth%doesn't%replace%Devise%or%whatever%authen3ca3on%library%you%use%on%the%server

Let's&talk&about&pla.orm

Your%data%may%go%places%you've%never%expected

Third&party+applica.ons+are+good

Users%create%their%own%small%applica1ons

IFTTT$&$Zapier$makes$users$into$developers

When%does%it%make%sense?

• The$modern$web$app"You"have"separated"frontend"and"backend"with"an"Ember8app"and"an"API,"and"you"need"a"way"of"authen>ca>ng"with"the"API

• The$pla/orm"You're"building"a"plaBorm,"want"to"let"developers"create"third8party"clients"and"you"care"about"your"users

• Organiza4on"Your"organiza>on"manages"a"several"applica>ons"and"you"want"to"turn"authen>ca>on"and"authoriza>on"into"a"service

Main%problems%with%OAuth?

For$clients:Opinionated$

implementa2ons

For$providers:Opinionated$libraries

Summary• Modern(mechanism(for(auth

• Control(over(third5party(applica8ons

• Made(with(Ember.js(in(mind(5(so(simple!

Ques%ons?