Single Page Apps bring a unique set of concerns to authentication and user management. Robert Damphousse, lead Javascript engineer at Stormpath, will show you how to use Stormpath to secure an Angular.js app with any backend: Java, Node, PHP, .NET and more!
Robert will deep dive into Angular.js authentication best practices and an extended technical example. Join us!
Topics Covered:
- Authentication in Single Page Apps (SPA)
- Using JWTs instead of Session IDs
- Secure Cookie storage
- Cross-Origin Resource Sharing
- Where does Stormpath fit in your architecture?
- End-to-end example with Angular.js + Express.js
- Password-based registration and login
- How to secure your API endpoints
- Implement User Authorization
- Design for a frictionless User Experience
1. How to Use Stormpath in
Angular.js
Robert Damphousse @robertjd_
Lead Front-End Developer, Stormpath
2. About Stormpath
• User Management API for Developers
• Password security
• Authentication and Authorization
• LDAP Cloud Sync
• Instant-on, scalable, and highly available
• Free for developers
3. Talk Overview
• Authentication in Single Page Apps (SPAs)
• JWTs instead of Session IDs
• Securing cookies
• Where does Stormpath fit in your architecture?
• End-to-end example with Angular.js +
Express.js
4. SPAs – What’s different?
• Data resources are treated differently than
application resources (HTML/CSS/JS assets
are separated from data resources)
• Forces you to build a proper API, likely a
REST + JSON API
• User Experience (UX) gets a spotlight
5. SPAs – What’s the same?
• Browser JavaScript is an untrusted
environment!
• Your server is responsible for resource
authentication and authorization
• You CAN use Cookies for authentication
6. SPAs – Authentication Strategies
• Session identifiers – opaque string in a
cookie. You CAN use this strategy
• Access Tokens are better – JWT
7. JSON Web Tokens (JWT)
• Used to persist authentication assertions
• Signed, structured
• Should be stored in cookies, not local
storage
9. Why Cookies?
• Automatically supplied on every request
• HttpOnly flag prevents the JS environment
from accessing the cookie
• Secure flag ensures the cookie is only
transmitted over HTTPS
• Can restrict by subdomain and path
10. Why Not Local Storage?
• Exposed to JS environment, whereas
HttpOnly cookies are not.
• Can’t restrict visibility by path, only
subdomain
• https://www.owasp.org/index.php/HTML5_S
ecurity_Cheat_Sheet#Storage_APIs
11. Securing Cookies
• Use the HttpOnly and Secure flags.
• Need to protect against Cross-Site Request
Forgery (CSRF) attacks
• https://www.owasp.org/index.php/Cross-
Site_Request_Forgery_(CSRF)
13. Your Server
Stormpath SDK
User’s Web
Browser
(SPA)
Stormpath
Angular SDK
Stormpath
HTTP API
Architecture Overview
Token Authentication
(JWT)
Stormpath API
Key Authentication
16. Server-Side:
• Create the Stormpath Middleware
• Attach the default route handlers
• Use specific middleware for API
Authentication
Stormpath, Angular & Your Architecture
17. Server-Side: Create the Middleware
var app = express();
var stormpathSdk = require('stormpath-sdk-express');
var spMiddleware = stormpathSdk.createMiddleware();
19. Server-Side: Use API Authentication
app.use('/api/*', spMiddleware.authenticate);
20. Client-Side:
• Add the Stormpath Angular SDK to your
Angular application
• Configure UI Router integration
• Use directives for built-in forms
• Use UI Router config for view authorization
Stormpath, Angular & Your Architecture
21. Client-Side: Add the SDK Dependencies
Stormpath, Angular & Your Architecture
angular.module('MyApplication', [
'ngCookies',
'ngResource',
'ngSanitize',
'ui.router',
'stormpath',
'stormpath.templates'
])
29. Client-Side: Behind the Scenes..
• On login: Stormpath Express SDK sends a
JWT to Angular, stored in a secure cookie
• Browser automatically supplies JWT cookie
on all requets
• /me route is served by SDK, so that Angular
can know context about current user
30. Recap..
• Stormpath SDK on your server and in your SPA
• JWTs are used instead of sessions
• Angular SDK provides directives for forms and
authentication state
• Angular SDK will work with any backend
• User data is stored and secured behind the Stormpath API
31. Stormpath for Authentication & User Management
Stormpath can handle authentication and authorization for
your API, SPA or mobile app, as well as a range of advanced
user features
• Single Sign-On Across Your Apps
• API Authentication & Key Management
• Token Based Authentication
• Oauth Workflows
• JWTs
Implementations in your Library of choice:
https://docs.stormpath.com/home/
32. Get started with your free Stormpath
developer account!
https://api.stormpath.com/register
Questions?
support@stormpath.com