SlideShare a Scribd company logo

Torii: Ember.js Authentication Library

Cory Forsyth
Cory Forsyth

Torii is an authentication service library for use with Ember.js for managing client-side login flows, specifically with third-party OAuth. http://githbu.com/vestorly/torii

InternetTechnology
1 of 38
Download to read offline
Ember Authentication with Torii http://github.com/vestorly/torii
Cory Forsyth @bantic http://github.com/vestorly/torii
201 Created We build õ-age apps with Ember.js. We take teams from £ to • in no time flat.
Stickers! http://github.com/vestorly/torii
http://vestorly.com http://github.com/vestorly/torii Vestorly is pioneering a content discovery app for professionals to use for lead generation / to grow their biz organically
http://github.com/vestorly/torii
Torii a traditional Japanese gate … [that] symbolically marks the transition from the profane to the sacred
How can we authenticate? • Username + password • Devise (user/pass, oauth via omniauth, etc) • OAuth via facebook/twitter/github/linked-in • Hybrid flow (single-page app plus server actions) http://github.com/vestorly/torii
Hybrid flow • HTTP Server serves Ember App (e.g. ember-rails) Server serves HTML with Ember App <html> … <script>App.create()</> … <form action=‘/signin’> … user/pass Server signs user in, serves HTML w/ Ember App _and_ currentUser <html> … <script> App.create(); App.currentUser=! “<% JSON .stringify(@user) %>”;! </script> http://github.com/vestorly/torii
Auth with session token • Separate SPA and API ! Ember app posts user/pass to api: /sessions {token: token} API validates user/ pass, generates and returns session token Ember app stores session token and adds session token as a header to all future API calls user/pass GET /protected_resource header: token API validates token to look up session, returns protected resource
Devise • It manages authentication state for you at the Rack level • What does Devise allow us to not think about? • State — The What, not the How (“current_user?”)
Ember is a State Machine Torii helps manage state as a user moves through authentication transitions Torii is an abstraction of the concept of auth. Your auth code does not need to focus on the How, only the What.
What does Torii not do? • Torii is not a client-side Devise. • Not a replacement for Ember Simple Auth • Does not automatically give you 3rd party login • Does not generate UI • Does not make assumptions about server endpoints
What does Torii do? • Provides a set of primitives for authenticating • Provides lightweight session management (opt-in) • Provides a reusable pattern for client-side OAuth flows (easily add additional OAuth providers) • Unifies different auth options (user/pass, OAuth, etc)
Torii Motivation • Provide promise-based abstraction of messy popup/redirect-based OAuth flows • Handle social login, traditional login (user/pass), and connection of social accounts using the same concepts • Allow for more maintainable auth-related code
Torii’s Primitives • Providers: Any 1st or 3rd party that can authenticate • Popup: Simplify the boilerplate of opening a popup and reading its redirected data • Adapters: Bridge between providers and session • Session: Opt-in, state machine
Torii Primitive: Provider • Responsible for obtaining proof of authentication/ authorization from a 1st or 3rd party (async) • Can be as simple as POSTing user/pass to /api/ session and getting a session token • Can also handle popup-based OAuth redirect flow • Torii Providers must only implement `open`
OAuth overview • Register an app with a redirect url with the OAuth provider. Provider gives a unique app id and app secret. • Visit provider’s page, include your app id (“http:// provider.com/oauth?app_id=X”) • User signs in at provider’s page, provider redirects user to registered redirect url, includes query params with auth data (“…?auth_code=ABC”) • Your server reads the query params and uses the app secret along with the auth code to exchange for an access token aka “password” for the user.
Torii: OAuth Providers
Torii: OAuth Providers
Torii: OAuth Providers redirects to …/?auth_code=ABC132…
Torii: OAuth Providers redirects to …/?auth_code=ABC132… Torii reads ‘auth_code’, and closes popup
Torii: OAuth Providers redirects to …/?auth_code=ABC132… Torii reads ‘auth_code’, and closes popup
Torii: OAuth Providers redirects to …/?auth_code=ABC132… Torii reads ‘auth_code’, and closes popup this.get('torii').open('facebook-oauth2')! .then(function(authData)){! !// got the auth code! });!
Torii: OAuth Providers redirects to …/?auth_code=ABC132… Torii reads ‘auth_code’, and closes popup • facebook-oauth2 • linked-in-oauth2 • google-oauth2 • oauth2-code base
Torii Primitive: Popup redirects to …/?auth_code=ABC132… Torii reads ‘auth_code’, and closes popup this.get('popup').open(url, keys)! !// opens popup at `url`! !// e.g. 'http://facebook.com/oauth'! ! !// waits until popup reloads! !// this app, and scans its url! !// for `keys`! !// e.g. ‘http://localhost:4200/?auth_code=X'! // closes popup, resolves promise with: ! .then(function(data)){! console.log(data.auth_code); // ‘X’! });!
Torii Primitive: Popup • adds application initializer • detects it is in a popup • calls `deferReadiness` • reads keys from URL • `postMessage`’s to window.open
Torii: Demo Create a simple torii-provider for use against a demonstration OAuth provider. Demonstrate the torii popup reading keys off the URL.
Torii + OAuth: What else? • Torii does not prescribe what to do once you’ve received the code. • Typically, you must complete a secret (aka server- side) exchange with the 3rd-party provider to turn the code into an access token • Some providers (Facebook Connect, Foursquare) will return to you an access token without a server- side exchange
Torii Primitive: Adapter • Torii Adapters are only used by the Torii Session • Adapters are the glue/bridge between torii providers and the session • torii provider -> torii adapter -> session properties • Subclasses must only implement `open`
Torii Primitive: Adapter • Example uses for an adapter: • POST auth information from Facebook to your server to generate a new server-side session • Decorate the client-side session with additional properties • Set an ajax prefilter that adds a header with the session token to all future requests
Torii Primitive: Session • Opt-in via torii configuration `sessionServiceName` • Injects ‘session’ property onto routes and controllers • Session is a state machine and a proxy • isAuthenticated • isOpening
Torii Primitive: Session • Torii’s session is lightweight by design • The session is a proxy for the adapter’s `open` output • Call `session.open(providerName, options)`
Torii: Demo Opt in to the session, create a torii adapter
Torii is an ember-addon • `ember new <app>` • `npm install torii --save-dev` • In routes: `this.get(‘torii’)` • (opt-in to sessions and then:) `this.get(‘session’)`
What’s next for Torii? • Torii-Provider ecosystem • More conventions • Session Management — more or less? • Additional primitive/hooks for OAuth code exchange • Better Devise/omniauth compatibility
Cory Forsyth @bantic Torii: http://github.com/vestorly/torii Vestorly: http://vestorly.com 201 Created: http://201-created.com/ Ember Simple Auth: https://github.com/simplabs/ember-simple-auth See also: flickr credits: jpellgen

Recommended

Ember Authentication and Authorization with Torii
Ember Authentication and Authorization with ToriiEmber Authentication and Authorization with Torii
Ember Authentication and Authorization with ToriiCory Forsyth
 
OAuth using PHP5
OAuth using PHP5OAuth using PHP5
OAuth using PHP5Nurulazrad Murad
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
MainFinalOAuth
MainFinalOAuthMainFinalOAuth
MainFinalOAuthMohan Kumar Tadikimalla
 
Maintest3
Maintest3Maintest3
Maintest3Mohan Kumar Tadikimalla
 
OAuth
OAuthOAuth
OAuthMohan Kumar Tadikimalla
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectLiamWadman
 

Recommended

Ember Authentication and Authorization with Torii
Ember Authentication and Authorization with ToriiEmber Authentication and Authorization with Torii
Ember Authentication and Authorization with ToriiCory Forsyth
 
OAuth using PHP5
OAuth using PHP5OAuth using PHP5
OAuth using PHP5Nurulazrad Murad
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuthleahculver
 
MainFinalOAuth
MainFinalOAuthMainFinalOAuth
MainFinalOAuthMohan Kumar Tadikimalla
 
Maintest3
Maintest3Maintest3
Maintest3Mohan Kumar Tadikimalla
 
OAuth
OAuthOAuth
OAuthMohan Kumar Tadikimalla
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authenticationleahculver
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectLiamWadman
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHPLorna Mitchell
 
Using OAuth with PHP
Using OAuth with PHPUsing OAuth with PHP
Using OAuth with PHPDavid Ingram
 
OAuth for your API - The Big Picture
OAuth for your API - The Big PictureOAuth for your API - The Big Picture
OAuth for your API - The Big PictureApigee | Google Cloud
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0Yasmine Gaber
 
OAuth 2
OAuth 2OAuth 2
OAuth 2ChrisWood262
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 
Harmony API developers documentation (version 2.2)
Harmony API developers documentation (version 2.2)Harmony API developers documentation (version 2.2)
Harmony API developers documentation (version 2.2)112Motion
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
OAuth big picture
OAuth big pictureOAuth big picture
OAuth big pictureMin Li
 
Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authenticationjeremysbrown
 
Oauth
OauthOauth
Oauth立晨 代
 
Extended Security with WSO2 API Management Platform
Extended Security with WSO2 API Management PlatformExtended Security with WSO2 API Management Platform
Extended Security with WSO2 API Management PlatformWSO2
 
Client Initiated Backchannel Authentication (CIBA) and Authlete’s Approach
Client Initiated Backchannel Authentication (CIBA) and Authlete’s ApproachClient Initiated Backchannel Authentication (CIBA) and Authlete’s Approach
Client Initiated Backchannel Authentication (CIBA) and Authlete’s ApproachTatsuo Kudo
 
PHP, OAuth, Web Services and YQL
PHP, OAuth, Web Services and YQLPHP, OAuth, Web Services and YQL
PHP, OAuth, Web Services and YQLkulor
 
Learn with WSO2 - API Security
Learn with WSO2 - API Security Learn with WSO2 - API Security
Learn with WSO2 - API Security WSO2
 
T28 implementing adfs and hybrid share point
T28 implementing adfs and hybrid share point T28 implementing adfs and hybrid share point
T28 implementing adfs and hybrid share point Thorbjørn Værp
 
Client-side Auth with Ember.js
Client-side Auth with Ember.jsClient-side Auth with Ember.js
Client-side Auth with Ember.jsMatthew Beale
 
Stackup New Languages Talk: Ember is for Everybody
Stackup New Languages Talk: Ember is for EverybodyStackup New Languages Talk: Ember is for Everybody
Stackup New Languages Talk: Ember is for EverybodyCory Forsyth
 
Making ember-wormhole work with Fastboot
Making ember-wormhole work with FastbootMaking ember-wormhole work with Fastboot
Making ember-wormhole work with FastbootCory Forsyth
 
Microsoft tech talk march 28 2014
Microsoft tech talk march 28 2014Microsoft tech talk march 28 2014
Microsoft tech talk march 28 2014Cory Forsyth
 
Chrome Extensions at Manhattan JS
Chrome Extensions at Manhattan JSChrome Extensions at Manhattan JS
Chrome Extensions at Manhattan JSCory Forsyth
 
OAuth 2.0 Misconceptions
OAuth 2.0 MisconceptionsOAuth 2.0 Misconceptions
OAuth 2.0 MisconceptionsCory Forsyth
 

More Related Content

What's hot

Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHPLorna Mitchell
 
Using OAuth with PHP
Using OAuth with PHPUsing OAuth with PHP
Using OAuth with PHPDavid Ingram
 
OAuth for your API - The Big Picture
OAuth for your API - The Big PictureOAuth for your API - The Big Picture
OAuth for your API - The Big PictureApigee | Google Cloud
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 
Harmony API developers documentation (version 2.2)
Harmony API developers documentation (version 2.2)Harmony API developers documentation (version 2.2)
Harmony API developers documentation (version 2.2)112Motion
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2Aaron Parecki
 
OAuth big picture
OAuth big pictureOAuth big picture
OAuth big pictureMin Li
 
Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authenticationjeremysbrown
 
Extended Security with WSO2 API Management Platform
Extended Security with WSO2 API Management PlatformExtended Security with WSO2 API Management Platform
Extended Security with WSO2 API Management PlatformWSO2
 
Client Initiated Backchannel Authentication (CIBA) and Authlete’s Approach
Client Initiated Backchannel Authentication (CIBA) and Authlete’s ApproachClient Initiated Backchannel Authentication (CIBA) and Authlete’s Approach
Client Initiated Backchannel Authentication (CIBA) and Authlete’s ApproachTatsuo Kudo
 
PHP, OAuth, Web Services and YQL
PHP, OAuth, Web Services and YQLPHP, OAuth, Web Services and YQL
PHP, OAuth, Web Services and YQLkulor
 
Learn with WSO2 - API Security
Learn with WSO2 - API Security Learn with WSO2 - API Security
Learn with WSO2 - API Security WSO2
 
T28 implementing adfs and hybrid share point
T28 implementing adfs and hybrid share point T28 implementing adfs and hybrid share point
T28 implementing adfs and hybrid share point Thorbjørn Værp
 

What's hot (16)

Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHP
 
Using OAuth with PHP
Using OAuth with PHPUsing OAuth with PHP
Using OAuth with PHP
 
OAuth for your API - The Big Picture
OAuth for your API - The Big PictureOAuth for your API - The Big Picture
OAuth for your API - The Big Picture
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
 
Harmony API developers documentation (version 2.2)
Harmony API developers documentation (version 2.2)Harmony API developers documentation (version 2.2)
Harmony API developers documentation (version 2.2)
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
 
OAuth big picture
OAuth big pictureOAuth big picture
OAuth big picture
 
Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authentication
 
Oauth
OauthOauth
Oauth
 
Extended Security with WSO2 API Management Platform
Extended Security with WSO2 API Management PlatformExtended Security with WSO2 API Management Platform
Extended Security with WSO2 API Management Platform
 
Client Initiated Backchannel Authentication (CIBA) and Authlete’s Approach
Client Initiated Backchannel Authentication (CIBA) and Authlete’s ApproachClient Initiated Backchannel Authentication (CIBA) and Authlete’s Approach
Client Initiated Backchannel Authentication (CIBA) and Authlete’s Approach
 
PHP, OAuth, Web Services and YQL
PHP, OAuth, Web Services and YQLPHP, OAuth, Web Services and YQL
PHP, OAuth, Web Services and YQL
 
Learn with WSO2 - API Security
Learn with WSO2 - API Security Learn with WSO2 - API Security
Learn with WSO2 - API Security
 
T28 implementing adfs and hybrid share point
T28 implementing adfs and hybrid share point T28 implementing adfs and hybrid share point
T28 implementing adfs and hybrid share point
 

Viewers also liked

Client-side Auth with Ember.js
Client-side Auth with Ember.jsClient-side Auth with Ember.js
Client-side Auth with Ember.jsMatthew Beale
 
Stackup New Languages Talk: Ember is for Everybody
Stackup New Languages Talk: Ember is for EverybodyStackup New Languages Talk: Ember is for Everybody
Stackup New Languages Talk: Ember is for EverybodyCory Forsyth
 
Making ember-wormhole work with Fastboot
Making ember-wormhole work with FastbootMaking ember-wormhole work with Fastboot
Making ember-wormhole work with FastbootCory Forsyth
 
Microsoft tech talk march 28 2014
Microsoft tech talk march 28 2014Microsoft tech talk march 28 2014
Microsoft tech talk march 28 2014Cory Forsyth
 
Chrome Extensions at Manhattan JS
Chrome Extensions at Manhattan JSChrome Extensions at Manhattan JS
Chrome Extensions at Manhattan JSCory Forsyth
 
OAuth 2.0 Misconceptions
OAuth 2.0 MisconceptionsOAuth 2.0 Misconceptions
OAuth 2.0 MisconceptionsCory Forsyth
 
APIs: Internet for Robots
APIs: Internet for RobotsAPIs: Internet for Robots
APIs: Internet for RobotsCory Forsyth
 
EmberFest Mobiledoc Demo Lightning Talk
EmberFest Mobiledoc Demo Lightning TalkEmberFest Mobiledoc Demo Lightning Talk
EmberFest Mobiledoc Demo Lightning TalkCory Forsyth
 
Ember testing internals with ember cli
Ember testing internals with ember cliEmber testing internals with ember cli
Ember testing internals with ember cliCory Forsyth
 
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0Cory Forsyth
 
Introduction to HTTP/2
Introduction to HTTP/2Introduction to HTTP/2
Introduction to HTTP/2Ido Flatow
 
What HTTP/2.0 Will Do For You
What HTTP/2.0 Will Do For YouWhat HTTP/2.0 Will Do For You
What HTTP/2.0 Will Do For YouMark Nottingham
 

Viewers also liked (12)

Client-side Auth with Ember.js
Client-side Auth with Ember.jsClient-side Auth with Ember.js
Client-side Auth with Ember.js
 
Stackup New Languages Talk: Ember is for Everybody
Stackup New Languages Talk: Ember is for EverybodyStackup New Languages Talk: Ember is for Everybody
Stackup New Languages Talk: Ember is for Everybody
 
Making ember-wormhole work with Fastboot
Making ember-wormhole work with FastbootMaking ember-wormhole work with Fastboot
Making ember-wormhole work with Fastboot
 
Microsoft tech talk march 28 2014
Microsoft tech talk march 28 2014Microsoft tech talk march 28 2014
Microsoft tech talk march 28 2014
 
Chrome Extensions at Manhattan JS
Chrome Extensions at Manhattan JSChrome Extensions at Manhattan JS
Chrome Extensions at Manhattan JS
 
OAuth 2.0 Misconceptions
OAuth 2.0 MisconceptionsOAuth 2.0 Misconceptions
OAuth 2.0 Misconceptions
 
APIs: Internet for Robots
APIs: Internet for RobotsAPIs: Internet for Robots
APIs: Internet for Robots
 
EmberFest Mobiledoc Demo Lightning Talk
EmberFest Mobiledoc Demo Lightning TalkEmberFest Mobiledoc Demo Lightning Talk
EmberFest Mobiledoc Demo Lightning Talk
 
Ember testing internals with ember cli
Ember testing internals with ember cliEmber testing internals with ember cli
Ember testing internals with ember cli
 
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
 
Introduction to HTTP/2
Introduction to HTTP/2Introduction to HTTP/2
Introduction to HTTP/2
 
What HTTP/2.0 Will Do For You
What HTTP/2.0 Will Do For YouWhat HTTP/2.0 Will Do For You
What HTTP/2.0 Will Do For You
 

Similar to Torii: Ember.js Authentication Library

Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...
Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...
Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...Tatsuo Kudo
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbedleahculver
 
Introduction to OAuth 2.0 - the technology you need but never really learned
Introduction to OAuth 2.0 - the technology you need but never really learnedIntroduction to OAuth 2.0 - the technology you need but never really learned
Introduction to OAuth 2.0 - the technology you need but never really learnedMikkel Flindt Heisterberg
 
Linkedin & OAuth
Linkedin & OAuthLinkedin & OAuth
Linkedin & OAuthUmang Goyal
 
Data Synchronization Patterns in Mobile Application Design
Data Synchronization Patterns in Mobile Application DesignData Synchronization Patterns in Mobile Application Design
Data Synchronization Patterns in Mobile Application DesignEric Maxwell
 
OAuth In The Real World : 10 actual implementations you can't guess
OAuth In The Real World : 10 actual implementations you can't guessOAuth In The Real World : 10 actual implementations you can't guess
OAuth In The Real World : 10 actual implementations you can't guessMehdi Medjaoui
 
The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2Khor SoonHin
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsPieter Ennes
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloakGuy Marom
 
Создание API, которое полюбят разработчики. Глубокое погружение
Создание API, которое полюбят разработчики. Глубокое погружениеСоздание API, которое полюбят разработчики. Глубокое погружение
Создание API, которое полюбят разработчики. Глубокое погружениеSQALab
 
Office 365 Authentication Process (oAuth Service Integration) - iXora Tech Se...
Office 365 Authentication Process (oAuth Service Integration) - iXora Tech Se...Office 365 Authentication Process (oAuth Service Integration) - iXora Tech Se...
Office 365 Authentication Process (oAuth Service Integration) - iXora Tech Se...iXora Solution Ltd.
 
Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Mohan Kumar Tadikimalla
 
Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Mohan Kumar Tadikimalla
 
OAuth con doorkeeper
OAuth con doorkeeperOAuth con doorkeeper
OAuth con doorkeeperSergio Marin
 
Altitude San Francisco 2018: Authentication at the Edge
Altitude San Francisco 2018: Authentication at the EdgeAltitude San Francisco 2018: Authentication at the Edge
Altitude San Francisco 2018: Authentication at the EdgeFastly
 

Similar to Torii: Ember.js Authentication Library (20)

Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...
Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...
Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbed
 
Introduction to OAuth 2.0 - the technology you need but never really learned
Introduction to OAuth 2.0 - the technology you need but never really learnedIntroduction to OAuth 2.0 - the technology you need but never really learned
Introduction to OAuth 2.0 - the technology you need but never really learned
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuth
 
Linkedin & OAuth
Linkedin & OAuthLinkedin & OAuth
Linkedin & OAuth
 
Data Synchronization Patterns in Mobile Application Design
Data Synchronization Patterns in Mobile Application DesignData Synchronization Patterns in Mobile Application Design
Data Synchronization Patterns in Mobile Application Design
 
OAuth In The Real World : 10 actual implementations you can't guess
OAuth In The Real World : 10 actual implementations you can't guessOAuth In The Real World : 10 actual implementations you can't guess
OAuth In The Real World : 10 actual implementations you can't guess
 
Api security
Api security Api security
Api security
 
The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patterns
 
Ember and OAuth2
Ember and OAuth2Ember and OAuth2
Ember and OAuth2
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
 
Создание API, которое полюбят разработчики. Глубокое погружение
Создание API, которое полюбят разработчики. Глубокое погружениеСоздание API, которое полюбят разработчики. Глубокое погружение
Создание API, которое полюбят разработчики. Глубокое погружение
 
Office 365 Authentication Process (oAuth Service Integration) - iXora Tech Se...
Office 365 Authentication Process (oAuth Service Integration) - iXora Tech Se...Office 365 Authentication Process (oAuth Service Integration) - iXora Tech Se...
Office 365 Authentication Process (oAuth Service Integration) - iXora Tech Se...
 
OAuth
OAuthOAuth
OAuth
 
Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02
 
Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02
 
OAuth con doorkeeper
OAuth con doorkeeperOAuth con doorkeeper
OAuth con doorkeeper
 
Oauth
OauthOauth
Oauth
 
Altitude San Francisco 2018: Authentication at the Edge
Altitude San Francisco 2018: Authentication at the EdgeAltitude San Francisco 2018: Authentication at the Edge
Altitude San Francisco 2018: Authentication at the Edge
 

Recently uploaded

TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxAndrieCagasanAkio
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxMario
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxmibuzondetrabajo
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
ETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxNIMMANAGANTI RAMAKRISHNA
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 

Recently uploaded (11)

TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptx
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptx
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptx
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
ETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptxETHICAL HACKING dddddddddddddddfnandni.pptx
ETHICAL HACKING dddddddddddddddfnandni.pptx
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 

Torii: Ember.js Authentication Library

  • 3.
  • 4. 201 Created We build õ-age apps with Ember.js. We take teams from £ to • in no time flat.
  • 6. http://vestorly.com http://github.com/vestorly/torii Vestorly is pioneering a content discovery app for professionals to use for lead generation / to grow their biz organically
  • 8. Torii a traditional Japanese gate … [that] symbolically marks the transition from the profane to the sacred
  • 9. How can we authenticate? • Username + password • Devise (user/pass, oauth via omniauth, etc) • OAuth via facebook/twitter/github/linked-in • Hybrid flow (single-page app plus server actions) http://github.com/vestorly/torii
  • 10. Hybrid flow • HTTP Server serves Ember App (e.g. ember-rails) Server serves HTML with Ember App <html> … <script>App.create()</> … <form action=‘/signin’> … user/pass Server signs user in, serves HTML w/ Ember App _and_ currentUser <html> … <script> App.create(); App.currentUser=! “<% JSON .stringify(@user) %>”;! </script> http://github.com/vestorly/torii
  • 11. Auth with session token • Separate SPA and API ! Ember app posts user/pass to api: /sessions {token: token} API validates user/ pass, generates and returns session token Ember app stores session token and adds session token as a header to all future API calls user/pass GET /protected_resource header: token API validates token to look up session, returns protected resource
  • 12. Devise • It manages authentication state for you at the Rack level • What does Devise allow us to not think about? • State — The What, not the How (“current_user?”)
  • 13. Ember is a State Machine Torii helps manage state as a user moves through authentication transitions Torii is an abstraction of the concept of auth. Your auth code does not need to focus on the How, only the What.
  • 14. What does Torii not do? • Torii is not a client-side Devise. • Not a replacement for Ember Simple Auth • Does not automatically give you 3rd party login • Does not generate UI • Does not make assumptions about server endpoints
  • 15. What does Torii do? • Provides a set of primitives for authenticating • Provides lightweight session management (opt-in) • Provides a reusable pattern for client-side OAuth flows (easily add additional OAuth providers) • Unifies different auth options (user/pass, OAuth, etc)
  • 16. Torii Motivation • Provide promise-based abstraction of messy popup/redirect-based OAuth flows • Handle social login, traditional login (user/pass), and connection of social accounts using the same concepts • Allow for more maintainable auth-related code
  • 17. Torii’s Primitives • Providers: Any 1st or 3rd party that can authenticate • Popup: Simplify the boilerplate of opening a popup and reading its redirected data • Adapters: Bridge between providers and session • Session: Opt-in, state machine
  • 18. Torii Primitive: Provider • Responsible for obtaining proof of authentication/ authorization from a 1st or 3rd party (async) • Can be as simple as POSTing user/pass to /api/ session and getting a session token • Can also handle popup-based OAuth redirect flow • Torii Providers must only implement `open`
  • 19. OAuth overview • Register an app with a redirect url with the OAuth provider. Provider gives a unique app id and app secret. • Visit provider’s page, include your app id (“http:// provider.com/oauth?app_id=X”) • User signs in at provider’s page, provider redirects user to registered redirect url, includes query params with auth data (“…?auth_code=ABC”) • Your server reads the query params and uses the app secret along with the auth code to exchange for an access token aka “password” for the user.
  • 22. Torii: OAuth Providers redirects to …/?auth_code=ABC132…
  • 23. Torii: OAuth Providers redirects to …/?auth_code=ABC132… Torii reads ‘auth_code’, and closes popup
  • 24. Torii: OAuth Providers redirects to …/?auth_code=ABC132… Torii reads ‘auth_code’, and closes popup
  • 25. Torii: OAuth Providers redirects to …/?auth_code=ABC132… Torii reads ‘auth_code’, and closes popup this.get('torii').open('facebook-oauth2')! .then(function(authData)){! !// got the auth code! });!
  • 26. Torii: OAuth Providers redirects to …/?auth_code=ABC132… Torii reads ‘auth_code’, and closes popup • facebook-oauth2 • linked-in-oauth2 • google-oauth2 • oauth2-code base
  • 27. Torii Primitive: Popup redirects to …/?auth_code=ABC132… Torii reads ‘auth_code’, and closes popup this.get('popup').open(url, keys)! !// opens popup at `url`! !// e.g. 'http://facebook.com/oauth'! ! !// waits until popup reloads! !// this app, and scans its url! !// for `keys`! !// e.g. ‘http://localhost:4200/?auth_code=X'! // closes popup, resolves promise with: ! .then(function(data)){! console.log(data.auth_code); // ‘X’! });!
  • 28. Torii Primitive: Popup • adds application initializer • detects it is in a popup • calls `deferReadiness` • reads keys from URL • `postMessage`’s to window.open
  • 29. Torii: Demo Create a simple torii-provider for use against a demonstration OAuth provider. Demonstrate the torii popup reading keys off the URL.
  • 30. Torii + OAuth: What else? • Torii does not prescribe what to do once you’ve received the code. • Typically, you must complete a secret (aka server- side) exchange with the 3rd-party provider to turn the code into an access token • Some providers (Facebook Connect, Foursquare) will return to you an access token without a server- side exchange
  • 31. Torii Primitive: Adapter • Torii Adapters are only used by the Torii Session • Adapters are the glue/bridge between torii providers and the session • torii provider -> torii adapter -> session properties • Subclasses must only implement `open`
  • 32. Torii Primitive: Adapter • Example uses for an adapter: • POST auth information from Facebook to your server to generate a new server-side session • Decorate the client-side session with additional properties • Set an ajax prefilter that adds a header with the session token to all future requests
  • 33. Torii Primitive: Session • Opt-in via torii configuration `sessionServiceName` • Injects ‘session’ property onto routes and controllers • Session is a state machine and a proxy • isAuthenticated • isOpening
  • 34. Torii Primitive: Session • Torii’s session is lightweight by design • The session is a proxy for the adapter’s `open` output • Call `session.open(providerName, options)`
  • 35. Torii: Demo Opt in to the session, create a torii adapter
  • 36. Torii is an ember-addon • `ember new <app>` • `npm install torii --save-dev` • In routes: `this.get(‘torii’)` • (opt-in to sessions and then:) `this.get(‘session’)`
  • 37. What’s next for Torii? • Torii-Provider ecosystem • More conventions • Session Management — more or less? • Additional primitive/hooks for OAuth code exchange • Better Devise/omniauth compatibility
  • 38. Cory Forsyth @bantic Torii: http://github.com/vestorly/torii Vestorly: http://vestorly.com 201 Created: http://201-created.com/ Ember Simple Auth: https://github.com/simplabs/ember-simple-auth See also: flickr credits: jpellgen