Companion slides for Stormpath CTO and Co-Founder Les Hazlewood's Elegant REST Design Webinar. This presentation covers all the RESTful best practices learned building the Stormpath APIs. Whether you’re writing your first API, or just need to figure out that last piece of the puzzle, this is a great opportunity to learn more.
Stormpath is a User Management API that reduces development time with instant-on, scalable user infrastructure. Stormpath's intuitive API and expert support make it easy for developers to authenticate, manage and secure users and roles in any application.
Designing and building a really clean and intuitive REST API is no small feat. You have to worry about resources, collections of resources, pagination, query parameters, references to other resources, which HTTP methods to use, HTTP caching, security, and more. And you have to make sure it lasts and doesn't break clients as you add features over time. Furthermore, although there are many references on creating REST APIs with XML, there are far fewer references on REST + JSON. It is enough to drive you crazy. This session demonstrates how to design and implement an elegant REST API.
Sign up for Stormpath: https://api.stormpath.com/register
More from Stormpath: http://www.stormpath.com/blog
Build a Node.js Client for Your REST+JSON API (Stormpath)
In this presentation, Les Hazlewood - Stormpath CTO and Apache Shiro PMC Chair - will share all of the golden nuggets learned while designing, implementing and supporting a Node.js Client purpose-built for a real-world REST+JSON API.
Further reading: http://www.stormpath.com/blog
Stormpath is a user management and authentication service for developers. By offloading user management and authentication to Stormpath, developers can bring applications to market faster, reduce development costs, and protect their users. Easy and secure, the flexible cloud service can manage millions of users with a scalable pricing model.
Build A Killer Client For Your REST+JSON API (Stormpath)
REST+JSON APIs are great - but you still need to communicate with them from your code. Wouldn't you prefer to interact with clean and intuitive Java objects instead of messing with HTTP requests, HTTP status codes and JSON parsing? Wouldn't you prefer to work with type-safe objects specific to your API?
In this presentation, Les Hazlewood - Stormpath CTO and Apache Shiro PMC Chair - will share all of the golden nuggets learned while designing, implementing and supporting multiple clients purpose-built for a real-world REST+JSON API.
We already showed you how to build a Beautiful REST+JSON API (http://www.slideshare.net/stormpath/rest-jsonapis), but how do you secure your API? At Stormpath we spent 18 months researching best practices, implementing them in the Stormpath API, and figuring out what works. Here's our playbook on how to secure a REST API.
At the Devoxx 2015 conference in Belgium, Guillaume Laforge, Product Ninja & Advocate at Restlet, presented about the never-ending REST API design debate, covering many topics like HTTP status codes, Hypermedia APIs, pagination/searching/filtering, and more.
Companion slides for Stormpath CTO and Co-Founder Les Hazlewood's REST API Security Webinar. This webinar is full of best practices learned building the Stormpath API and supporting authentication for thousands of projects. Topics include:
- HTTP Authentication
- Choosing a Security Protocol
- Generating & Managing API Keys
- Authorization & Scopes
- Token Authentication with JSON Web Tokens (JWTs)
- Much more...
Slides from Apache Shiro User Group presentation by Les Hazlewood on API design and RESTful API security using Shiro. Demonstrates design and security principles using Stormpath API.
As you go into the cloud, the applications you are building will often be built on service-oriented architectures that communicate through RESTful APIs. Where API design and development used to be an uncommon thing, today it has become a basic application requirement. George Reese will cover the basic considerations in designing and implementing an API for your applications.
George Reese is the author of a number of technology books and a regular speaker on RESTful APIs, cloud computing, Java, and database systems. His most recent books are The REST API Design Handbook and O’Reilly’s Cloud Application Architectures. Professionally, he is the Executive Director of Cloud Computing at Dell as a result of Dell's recent acquisition of Enstratius, a company George co-founded. George has also led a number of Open Source projects, including several MUD libraries and the Imaginary Home home automation libraries for Java. He is also the primary maintainer of Dasein Cloud, a cloud abstraction API for Java.
George holds a BA from Bates College in Maine and an MBA from the Kellogg School of Management at Northwestern University.
A talk given at PHP London on 4th November 2010. This provides an introduction to OAuth and a simplistic PHP implementation of a consumer, as well as a few things to think about when creating a provider.
Instant Security & Scalable User Management with Spring Boot (Stormpath)
In this talk, Les Hazlewood, Stormpath CTO and Apache Shiro Chair, goes beyond the traditional way to secure applications and takes a deep dive into how Spring Security + Stormpath gives you an instant, highly-available and highly-secure user management system for Spring Boot applications.
Chief Architect Francois Lascelles' presentation from Gluecon 2012. Are you ready to provide APIs that reach out to mobile applications, APIs that connect your applications to the cloud, APIs that connect your applications with your business partners? Recent trends and standards are creating a new generation of API-focused identity patterns.
Learn how to:
• Apply API access control patterns with existing identity infrastructure
• Support emerging standards such as OAuth and OpenID Connect
• Empower developers to create APIs that reach out to your organisation’s target audience
Pragmatic RESTful API principles, along with a solid consumption architecture, can allow for a great amount of automation in your program development. At the same time, securing the application can be extremely tricky from JavaScript.
In this session we will explore several principles behind RESTful API design and consumption using JavaScript, many of the standards that were integrated in the redevelopment of the PayPal API architecture in the new RESTful APIs.
We will cover many of these architecture standards, including:
- Building in action automation using HATEOAS
- OAuth 2 in the JavaScript model
- The challenges behind secure resource consumption through JavaScript
At Stormpath we spent 18 months researching API design best practices. Join Les Hazlewood, Stormpath CTO and Apache Shiro Chair, as he explains how to design a secure REST API, the right way. He'll also hang out for a live Q&A session at the end.
Les will cover:
REST + JSON API Design
Base URL design tips
API Security
Versioning for APIs
API Resource Formatting
API Return Values and Content Negotiation
API References (Linking)
API Pagination, Parameters, & Errors
Method Overloading
Resource Expansion and Partial Responses
Error Handling
Multi-tenancy
Enterprise Access Control Patterns for REST and Web APIs Gluecon 2011, Franco... (CA API Management)
This presentation illustrates the applicability of API keys, OAuth, SAML, OpenID, and a number of proprietary mechanisms such as HMAC signatures for consuming and exposing Web APIs and RESTful web services.
Super simple application security with Apache Shiro (Marakana Inc.)
Les Hazlewood, founder of the Apache Shiro project, covers the benefits of using Shiro as an application security framework.
Check out the video for this presentation, as well as more training resources for Java here: http://marakana.com/forums/java/general/183.html
Securing Web Applications with Token Authentication (Stormpath)
In this presentation, Java Developer Evangelist Micah Silverman demystifies HTTP Authentication and explains how the Next Big Thing - Token Authentication - can be used to secure web applications on the JVM, REST APIs, and 'unsafe' clients while supporting security best practices and even improving your application's performance and scale.
Topics Covered:
Security Concerns for Modern Web Apps
Cross-Site Scripting Prevention
Working with 'Untrusted Clients'
Securing API endpoints
Cookies
Man in the Middle (MitM) Attacks
Cross-Site Request Forgery
Session ID Problems
Token Authentication
JWTs
Working with the JJWT library
End-to-end example with Spring Boot
Les Hazlewood, Stormpath co-founder and CTO and the Apache Shiro PMC Chair demonstrates how to design a beautiful REST + JSON API. Includes the principles of RESTful design, how REST differs from XML, tips for increasing adoption of your API, and security concerns.
Presentation video: https://www.youtube.com/watch?v=5WXYw4J4QOU
More info: http://www.stormpath.com/blog/designing-rest-json-apis
Beautiful REST and JSON APIs - Les Hazlewood (jaxconf)
Designing a really clean and intuitive REST + JSON API is no small feat. You have to worry about resources, collections of resources, pagination, query parameters, references to other resources, which HTTP Methods to use, HTTP Caching, security, and more! And you have to make sure it lasts and doesn't break clients as you add features over time. Further, while there are many references on creating REST APIs with XML, there are many fewer references for REST + JSON.
MongoDB World 2019: Terraform New Worlds on MongoDB Atlas (MongoDB)
MongoDB Atlas, MongoDB's database-as-a-service platform, has made it faster and easier than ever to use MongoDB, and as teams find their Atlas "flow" they smartly want to automate it to increase developer velocity. Many are creating this kind of automation with HashiCorp's Terraform, so let's bring these two great platforms together! We'll look at the resources provided by the Atlas API, and then I'll show how to automate a flow securely with a Terraform Provider for Atlas. We will end by covering how MongoDB is making this experience even better going forward.
The web has changed! Users spend more time on mobile than on desktops and they expect to have an amazing user experience on both platforms. APIs are the heart of the new web as the central point of access data, encapsulating logic and providing the same data and same features for desktops and mobiles.
In this talk, I will show you how, in only 45 minutes, we can create a full REST API, with documentation and an admin application built with React.
Automating Cloud Operations - Everything you wanted to know about cURL and RE... (Revelation Technologies)
All cloud service providers support seamless cloud automation and management through a REST API architecture, allowing single tasks or complex multi-step orchestrations to be created. REST has become the de facto standard for these cloud interfaces because of its ease of use, communication over HTTP, and wide support across nearly all programming languages and operating systems.
Where do you start? How do you decipher the API documentation? Where do you authenticate? And how do you create cloud resources programmatically?
This presentation walks through the fundamentals of REST, how it's invoked through cURL, and a live demonstration of the automated provisioning of Oracle Cloud services through cURL/REST.
Web services tutorial slides from my session at DPC 2012 in Amsterdam. In this 3-hour session we built the simplest possible service, and then extended it, looking at RPC, REST and SOAP along the way.
OSDC 2015: Mitchell Hashimoto | Automating the Modern Datacenter, Development... (NETWAYS)
Physical, virtual, containers. Public cloud, private cloud, hybrid cloud. IaaS, PaaS, SaaS. These are the choices that we're faced with when architecting a datacenter of today. And the choice is not one or the other; it is often a combination of many of these. How do we remain in control of our datacenters? How do we deploy and configure software, manage change across disparate systems, and enforce policy/security? How do we do this in a way that operations engineers and developers alike can rejoice in the processes and workflow?
In this talk, I will discuss the problems faced by the modern datacenter, and how a set of open source tools including Vagrant, Packer, Consul, and Terraform can be used to tame the rising complexity curve and provide solutions for these problems.
As presented at ZendCon, Confoo, LaraconEU, ZgPHP, PFCongres and Fronteers User Group. An overview of some intermediate level HTTP features and how they might be useful in practice.
AWS user group Serverless in September - Chris Johnson Bidler "Go Serverless ..." (AWS Chicago)
September 19th joint meetup with Serverless Chicago user group at RedShelf - Serverless in AWS.
"Go Serverless from your iPad: Building a Data-driven REST API with AWS CodeStar, Lambda, and Cognitect’s Datomic and Vase" - Chris Johnson Bidler, CTO at Centriq Technology, Inc
API management with Taffy and API Blueprint (Kai Koenig)
Introduction to API development with Taffy, a developer-friendly and convention-based framework for ColdFusion and Lucee.
Code samples at: https://github.com/TheRealAgentK/taffydemos
(SEC309) Amazon VPC Configuration: When Least Privilege Meets the Penetration... (Amazon Web Services)
Enterprises trying to deploy infrastructure to the cloud and independent software companies trying to deliver a service have similar problems to solve. They need to know how to create an environment in AWS that enforces least-privilege access between components while also allowing administration and change management. Amazon Elastic Compute Cloud (EC2) and Identity and Access Management (IAM), coupled with services like AWS Security Token Service (STS), offer the necessary building blocks. In this session, we walk through some of the mechanisms available to control access in an Amazon Virtual Private Cloud (VPC). Next, we focus on using IAM and STS to create a least-privilege access model. Finally, we discuss auditing strategies to catch common mistakes and techniques to audit and maintain your infrastructure.
The Ultimate Guide to Mobile API Security (Stormpath)
Join Stormpath Developer Evangelist Edward Jiang to learn more about the common ways developers authenticate users in their mobile apps, what to watch out for when building your backend API and mobile apps, and how to integrate a secure user datastore to manage your users and authentication.
Join Stormpath Java Developer Evangelist, Matt Raible, to learn how to build apps using Angular. You will learn about the tools you need to setup a project, how to run/debug your app, and how to deploy it to the cloud. You’ll also learn about new concepts in Angular 2+.
Building Beautiful REST APIs with ASP.NET Core (Stormpath)
Join Stormpath .NET Developer Evangelist, Nate Barbettini, to learn best practices for designing your REST API in ASP.NET Core. Nate will explain how to build HATEOAS-compliant JSON APIs while supporting security best practices and even improving performance and scale.
Topics Covered:
What is REST and HATEOAS?
How to think about RESTful APIs
How to model hypermedia in C#
Building JSON APIs in ASP.NET Core
Build a REST API for your Mobile Apps using Node.js (Stormpath)
Join Stormpath Developer Evangelist, Edward Jiang, to learn how to build your first REST API using Node.js and connect it to an iOS or Android app. He'll cover everything you need to know about building an API and take you through an example with live code samples.
REST API Security: OAuth 2.0, JWTs, and More! (Stormpath)
Les Hazlewood, Stormpath CTO, already showed you how to build a Beautiful REST+JSON API, but how do you secure your API? At Stormpath, we spent 18 months researching best practices. Join Les as he explains how to secure your REST API, the right way. We'll also host a live Q&A session at the end.
Slides from Stormpath Developer Evangelist Micah Silverman's webinar on using JWTs to protect against CSRF as well as to secure communications between microservices. Micah shows how JWTs can be used to secure web applications built with Java and protect them from 'unsafe' clients.
Storing User Files with Express, Stormpath, and Amazon S3 (Stormpath)
Join Stormpath Developer Evangelist, Randall Degges, to learn how to store user files using Amazon S3. He’ll cover everything you need to know to properly handle user files in your web applications.
Randall will cover:
- What is the problem we're trying to solve?
- How files are typically stored
- What you need to know about Amazon S3
- How to build a basic Express application with user authentication
- How to securely store files in S3 using express-stormpath-s3
- Q/A Session
Join Stormpath Head of Product, Tom Abbott, to demo our new custom data search feature, answering any questions along the way. The demo will cover how to store, update, and retrieve the contents of custom data objects. This is a great way for current users to ramp up on this powerful, and much-anticipated feature.
Topics Covered:
- Storing and updating custom data
- What you can store
- Retrieving custom data
- Custom data search queries
Building Beautiful REST APIs in ASP.NET Core (Stormpath)
Core 1.0 is the latest iteration of ASP.NET. What’s changed? Everything! Nate Barbettini, .NET Developer Evangelist at Stormpath, does a deep dive on how to build RESTful APIs the right way on top of ASP.NET Web API.
Join Stormpath Developer Evangelist, Robert Damphousse, to dive deep into browser security. Robert will explain how Session IDs, Man in the Middle (MITM), Cross-Site Scripting (XSS), and Cross-Site Request Forgery (CSRF) attacks work, and how to use cookies to support security best practices.
Topics Covered:
- Security concerns for modern web apps
- Cookies, the right way
- MITM, XSS, and CSRF attacks
- Session ID problems
- Examples in an Angular app
Stormpath Java Developer Evangelist, Micah Silverman, takes a deep dive into using JWTs to protect microservices from CSRF and more. Micah will explain how JWTs can be used to secure web applications built with Java, OAuth2 and JWTs, and 'unsafe' clients, while supporting security best practices and even improving application performance and scale.
Stormpath .NET Developer Evangelist, Nate Barbettini, presents Token Authentication with ASP.NET Core. Nate will explain how Token Authentication can be used to secure web applications built with ASP.NET Core, REST APIs, and 'unsafe' clients while supporting security best practices and even improving performance and scale.
Mobile Authentication for iOS Applications - Stormpath 101 (Stormpath)
Want to build user authentication into your iOS apps quickly and securely?
In this presentation, iOS Developer Evangelist Edward Jiang will go over OAuth, best practices, and how to easily integrate Facebook, Google, and email logins into your app using Stormpath's iOS SDK!
Topics Covered:
- Stormpath Customer Identity Management
- What does authentication mean?
- Common methods of mobile authentication
- OAuth Token Authentication
- Building Login & Registration with Stormpath
- Making authenticated network requests
- Add Facebook / Google login with one line of code
- Technical Q&A
Sign up for Stormpath: https://api.stormpath.com/register
More from Stormpath: https://stormpath.com/blog
Join Stormpath Java Developer Evangelist Micah Silverman for a technical overview of the common pain points with Java authentication. We'll cover how to solve them with Stormpath in a Spring Boot application, and demonstrate how to quickly add a complete user management system to your Spring Boot app. By the end of this webinar, you’ll be on your way to a fully functioning Spring Boot app backed by Stormpath.
Topics Covered:
Authentication Pain Points in Java
Stormpath, Spring Boot, and Your Architecture
Demo:
Auth in Spring Boot, with these features:
A complete user registration and login system
Pre-built login screens
Password reset workflows
Group-based authorization
Advanced user features: API authentication, Single Sign-On, social login, and more
Technical Q&A
In this presentation, Java Developer Evangelist Micah Silverman will show you how to “Write Once, Run Any Tenant”. With a single application and some configuration in Stormpath’s Admin Console, your application will be able to support multiple Organizations of users.
This is great for SaaS applications that need to securely partition their customer organizations; each Organization will have no knowledge of or access to the others.
By the end of this webinar, you’ll be on your way to a fully functioning Spring Boot app with Multi-Tenancy backed by Stormpath.
Topics Covered:
- Stormpath Customer Identity Management
- Why Build a Multi-Tenant Application?
- Quickstart on setting up Multi-Tenancy in your Spring Boot application, including:
  - Configuring Authentication using Subdomains
  - Setting up Organizations, Directories, and Accounts
  - Enabling the Stormpath Application for Authentication and Authorization
  - Configuring ID Site for pre-built Authentication workflows
  - Tying it all together with only one instance of your Spring Boot application running
- Technical Q&A
Multi-Tenancy with Subdomains + Spring Boot: https://stormpath.com/blog/idsite-multi-tenancy/
Multi-Tenancy Code Example: https://github.com/stormpath/stormpath-java-idsite-multi-tenant-example
Stormpath Java SDK: https://github.com/stormpath/stormpath-sdk-java
All The Stormpath Java Integrations: http://docs.stormpath.com/java/
Secure API Services in Node with Basic Auth and OAuth2 (Stormpath)
In this presentation, Lead Developer Evangelist Randall Degges will go over how API authentication works via HTTP Basic Auth and OAuth2 (Client Credentials), and will show you how to secure an Express.js API service with both of them using Stormpath!
Stormpath 101: Spring Boot + Spring Security (Stormpath)
In this presentation, Java Developer Evangelist Micah Silverman will go over common pain points with Java authentication and how to solve them using Stormpath, Spring Boot, and Spring Security!
Token Authentication for Java Applications (Stormpath)
Everyone building a web application that supports user login is concerned with security. How do you securely authenticate users and keep their identity secure? With the huge growth in Single Page Applications (SPAs), JavaScript and mobile applications, how do you keep users safe even though these are 'unsafe' client environments?
This presentation will demystify HTTP Authentication and explain how the Next Big Thing - Token Authentication - can be used to secure web applications on the JVM, REST APIs, and 'unsafe' clients while supporting security best practices and even improving your application's performance and scale.
Single Page Apps bring a unique set of concerns to authentication and user management. Robert Damphousse, lead JavaScript engineer at Stormpath, will show you how to use Stormpath to secure an Angular.js app with any backend: Java, Node, PHP, .NET and more!
Robert will deep dive into Angular.js authentication best practices and an extended technical example. Join us!
Topics Covered:
- Authentication in Single Page Apps (SPA)
- Using JWTs instead of Session IDs
- Secure Cookie storage
- Cross-Origin Resource Sharing
- Where does Stormpath fit in your architecture?
- End-to-end example with Angular.js + Express.js
- Password-based registration and login
- How to secure your API endpoints
- Implement User Authorization
- Design for a frictionless User Experience
Building Secure User Interfaces With JWTs (JSON Web Tokens) (Stormpath)
With new tools like Angular.js and Node.js, it is easier than ever to build User Interfaces and Single-Page Applications (SPAs) backed by APIs.
But how do you do it securely? Web browsers are woefully insecure, and hand-rolled APIs are risky.
In this presentation, Robert Damphousse, lead front-end developer at Stormpath, covers web browser security issues, technical best practices and how you can mitigate potential risks. Enjoy!
Topics Covered:
1. Security Concerns for Modern Web Apps
2. Cookies, The Right Way
3. Session ID Problems
4. Token Authentication to the rescue!
5. Angular Examples
4. Stormpath.com
• User Management and Authentication API
• Security for your applications
• User security workflows
• Security best practices
• Developer tools, SDKs, libraries
Learn more at Stormpath.com
5. Outline
• APIs, REST & JSON
• REST Fundamentals
• Design
  Base URL
  Versioning
  Resource Format
  Return Values
  Content Negotiation
  References (Linking)
  Pagination
  Query Parameters
  Associations
  Errors
  IDs
  Method Overloading
  Resource Expansion
  Partial Responses
  Caching & Etags
  Security
  Multi Tenancy
  Maintenance
  Batch Operations
26. POST as Create
On a parent resource
POST /applications
{
  "name": "Best App Ever"
}
Response:
201 Created
Location: https://api.stormpath.com/applications/a1b2c3
27. POST as Update
On instance resource
POST /applications/a1b2c3
{
  "name": "Best App Ever. Srsly."
}
Response:
200 OK
38. Media Type
Don’t go overboard!
Media Type != Schema!
Most only need 2 or 3 custom media types:
• instance resource
• collection resource
application/foo+json
application/foo2+json;bar=baz
…
39. camelCase
‘JS’ in ‘JSON’ = JavaScript
myArray.forEach
Not myArray.for_each
account.givenName
Not account.given_name
Underscores for property/function names are unconventional for JS. Stay consistent.
40. Date/Time/Timestamp
There’s already a standard. Use it: ISO 8601
Example:
{
  ...,
  "createdAt": "2013-07-10T18:02:24.343Z",
  ...
}
Use UTC!
42. createdAt / updatedAt
Most people will want this at some point
{
  ...,
  "createdAt": "2013-07-10T18:02:24.343Z",
  "updatedAt": "2014-09-29T07:02:48.761Z"
}
Use UTC!
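As an added example (this is Node.js code written for this page, not code from the slides or from Stormpath's SDKs), the snippet below emits timestamps in exactly the form shown on slides 40 and 42 and strictly validates timestamps received from clients, normalizing a numeric offset such as +02:00 to the UTC "Z" form before it is stored. The accepted grammar and the range checks are my assumptions about what an API should accept; the standard Date.toISOString() already produces the UTC, millisecond-precision output.

```javascript
// Added example (not from the slides or from Stormpath's SDKs): emit timestamps
// as ISO 8601 in UTC and strictly validate timestamps received from clients,
// normalizing any numeric offset to the "...Z" form the slides show.

// ISO 8601 date-time: optional fraction (1-9 digits), then "Z" or a +hh:mm / -hh:mm offset.
const ISO_8601 = /^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(\.\d{1,9})?(Z|[+-]\d{2}:\d{2})$/;

// Format a Date or epoch-milliseconds value the way the API should always emit it.
function toApiTimestamp(date) {
  const d = date instanceof Date ? date : new Date(date);
  if (Number.isNaN(d.getTime())) throw new TypeError('invalid date');
  return d.toISOString(); // always UTC, millisecond precision, trailing "Z"
}

// Validate a client-supplied timestamp and return it normalized to UTC, or null when
// it is not acceptable. Components are range-checked by hand because Date.parse()
// silently rolls impossible dates such as 2014-02-30 forward in some engines.
function normalizeTimestamp(value) {
  if (typeof value !== 'string') return null;
  const m = ISO_8601.exec(value);
  if (!m) return null;
  const [year, month, day, hour, minute, second] = m.slice(1, 7).map(Number);
  const fraction = m[7];
  const offset = m[8];
  // Day 0 of the following month is the last day of this month (handles leap years).
  const daysInMonth = new Date(Date.UTC(year, month, 0)).getUTCDate();
  if (month < 1 || month > 12 || day < 1 || day > daysInMonth) return null;
  if (hour > 23 || minute > 59 || second > 59) return null;
  // Keep millisecond precision: take up to three fractional digits, right-padded with zeros.
  const millis = fraction ? Number(fraction.slice(1, 4).padEnd(3, '0')) : 0;
  let utcMs = Date.UTC(year, month - 1, day, hour, minute, second, millis);
  if (offset !== 'Z') {
    const sign = offset[0] === '+' ? 1 : -1;
    const offHours = Number(offset.slice(1, 3));
    const offMinutes = Number(offset.slice(4, 6));
    if (offHours > 23 || offMinutes > 59) return null;
    // "09:02+02:00" is two hours ahead of UTC, so subtract the offset to get UTC.
    utcMs -= sign * (offHours * 60 + offMinutes) * 60 * 1000;
  }
  return new Date(utcMs).toISOString();
}

// Constructed usage: the same instant expressed with an offset comes back in UTC.
console.log(normalizeTimestamp('2014-09-29T09:02:48.761+02:00')); // 2014-09-29T07:02:48.761Z
```

Rejecting anything that is not ISO 8601 at the edge (rather than letting Date.parse guess at "07/10/2013") keeps stored timestamps unambiguous and makes the range searches shown later on this page reliable.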
44. GET obvious
What about POST?
Return the representation in the response when feasible.
Add override (?_body=false) for control
46. Header
• Accept header
• Header values comma delimited in order of preference
GET /applications/a1b2c3
Accept: application/json, text/plain
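As an added example for slides 38 and 46 (my own Node.js code, not from the slides or from Stormpath's SDKs), here is a content negotiator that picks a response media type from the Accept header. It goes beyond the slide's "comma delimited in order of preference" rule by also honouring the RFC 7231 q-values and wildcards (*/*, application/*) that real clients send. The "vnd.example" custom media types are placeholders standing in for the two or three custom types the slide recommends; application/json is the default.

```javascript
// Added example (not from the slides or from Stormpath's SDKs): pick the response
// media type from the client's Accept header, honouring q-values and wildcards.
// The custom "vnd.example" media types are hypothetical.

const SUPPORTED = [
  'application/json',                        // default, listed first = server preference
  'application/vnd.example.app+json',        // hypothetical custom instance type
  'application/vnd.example.collection+json', // hypothetical custom collection type
];

// Parse "type/subtype;q=0.8, type/*, */*" into media ranges with quality and header position.
function parseAccept(header) {
  if (!header || header.trim() === '') return [{ type: '*', subtype: '*', q: 1, order: 0 }];
  return header.split(',').map((part, order) => {
    const [mediaRange, ...params] = part.trim().split(';');
    const [type = '*', subtype = '*'] = mediaRange.trim().toLowerCase().split('/');
    let q = 1;
    for (const p of params) {
      const [k, v = ''] = p.trim().split('=');
      if (k.trim().toLowerCase() === 'q') {
        const n = Number(v.trim());
        q = Number.isFinite(n) ? Math.min(Math.max(n, 0), 1) : 0; // malformed q => not acceptable
      }
    }
    return { type, subtype, q, order };
  });
}

// */* < application/* < application/json
function specificity(range) {
  if (range.type === '*') return 0;
  if (range.subtype === '*') return 1;
  return 2;
}

function matches(range, type, subtype) {
  return (range.type === '*' || range.type === type) && (range.subtype === '*' || range.subtype === subtype);
}

// Returns the best supported media type, or null when nothing is acceptable
// (the caller should then answer 406 Not Acceptable instead of guessing).
function negotiate(acceptHeader, supported = SUPPORTED) {
  const ranges = parseAccept(acceptHeader);
  let best = null;
  for (const candidate of supported) {
    const [type, subtype] = candidate.toLowerCase().split('/');
    // The most specific matching range decides this candidate's quality, so
    // "application/json;q=0, */*" really does exclude JSON.
    const decisive = ranges
      .filter((r) => matches(r, type, subtype))
      .sort((a, b) => specificity(b) - specificity(a) || a.order - b.order)[0];
    if (!decisive || decisive.q === 0) continue;
    if (!best || decisive.q > best.q || (decisive.q === best.q && decisive.order < best.order)) {
      best = { candidate, q: decisive.q, order: decisive.order };
    }
  }
  return best ? best.candidate : null;
}

// Constructed usage mirroring slide 46.
console.log(negotiate('application/json, text/plain')); // application/json
```

Answering 406 when nothing matches, rather than silently sending JSON to a client that asked only for text/plain, is what makes the Accept header a real contract; the q-value handling matters in practice because browsers and HTTP libraries routinely send "*/*" with a low quality at the end of the list.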
48. HREF
• Distributed Hypermedia is paramount!
• Every accessible Resource has a canonical unique URL
• Replaces IDs (IDs exist, but are opaque).
• Critical for linking
49. Links in JSON
• Tricky in JSON
• XML has it (XLink), JSON doesn’t
• How do we do it?
50. Instance w/ HREF
GET /accounts/x7y8z9
200 OK
{
  "meta": {
    "href": "https://api.stormpath.com/v1/accounts/x7y8z9",
    "mediaType": "application/json;version=2&schema=...",
    ...
  },
  "givenName": "Tony",
  "surname": "Stark",
  ...
}
61. Collections
• A first class resource ‘citizen’
• Own href / metadata
• Own properties
• Different from all other collections
62. GET /accounts/x7y8z9/groups
200 OK
{
  "meta": { ... },
  "offset": 0,
  "limit": 25,
  "size": 289,
  "first": { "meta": { "href": ".../accounts/x7y8z9/groups?offset=0" } },
  "previous": null,
  "next": { "meta": { "href": ".../accounts/x7y8z9/groups?offset=25" } },
  "last": { "meta": { "href": "..." } },
  "items": [
    {
      "meta": { "href": "...", ... }
    },
    ...
  ]
}
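The following is an added example (Node.js code written for this page, not from the slides or from Stormpath's SDKs) that builds the collection resource of slide 62 from slides 48 through 61: the collection has its own meta.href, offset/limit/size, first/previous/next/last links in the same {meta:{href}} shape as any other reference, and items that each carry their own href. The base URL, the default and maximum page sizes, and the 289 sample groups are constructed.

```javascript
// Added example (not from the slides or from Stormpath's SDKs): build a
// collection resource in the shape of slide 62 (offset/limit/size,
// first/previous/next/last links, items that each carry their own meta.href).
// Base URL, the default/maximum page sizes and the sample groups are constructed.
const BASE_URL = 'https://api.example.com/v1';
const DEFAULT_LIMIT = 25;
const MAX_LIMIT = 100; // cap so a client cannot ask for the whole table in one page

function link(href) {
  return { meta: { href } };
}

// Client-supplied paging values arrive as strings; clamp them to safe ranges.
function pagingParams(query) {
  const limitRaw = Number.parseInt(query.limit, 10);
  const offsetRaw = Number.parseInt(query.offset, 10);
  const limit = Number.isNaN(limitRaw) ? DEFAULT_LIMIT : Math.min(Math.max(limitRaw, 1), MAX_LIMIT);
  const offset = Number.isNaN(offsetRaw) ? 0 : Math.max(offsetRaw, 0);
  return { limit, offset };
}

// `all` stands in for the query result; every element already has its own meta.href.
function collection(collectionPath, all, query = {}) {
  const { limit, offset } = pagingParams(query);
  const size = all.length;
  const page = (o) => `${BASE_URL}${collectionPath}?offset=${o}&limit=${limit}`;
  const lastOffset = size === 0 ? 0 : Math.floor((size - 1) / limit) * limit;
  return {
    meta: { href: page(offset) }, // the collection is a resource with its own href
    offset,
    limit,
    size,                          // total count, not the page length
    first: link(page(0)),
    previous: offset > 0 ? link(page(Math.max(offset - limit, 0))) : null,
    next: offset + limit < size ? link(page(offset + limit)) : null,
    last: link(page(lastOffset)),
    items: all.slice(offset, offset + limit),
  };
}

// Constructed sample data: 289 groups so the numbers match slide 62.
function sampleGroups(n = 289) {
  return Array.from({ length: n }, (_, i) => ({
    meta: { href: `${BASE_URL}/groups/g${i}` },
    name: `group-${i}`,
  }));
}

// Constructed usage: first page of an account's groups.
console.log(JSON.stringify(collection('/accounts/x7y8z9/groups', sampleGroups(), {}).next));
```

Clamping `limit` and `offset` on the server is the practical half of the pagination design: links are built from the clamped values, so a client that follows `next` never gets a different page size than the one it was told, and a request for limit=1000000 cannot be used to pull the whole collection in one response.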
71. Search cont’d
• Filter search
.../accounts?q=some+value
• Attribute Search
.../accounts?surname=Joe&email=*company.com
72. Search cont’d
• Starts with
?email=joe*
• Ends with
?email=*company.com
• Contains
?email=*foo*
73. Search cont’d
• Range queries
“all accounts created between September 1st and the 15th, inclusive”
.../accounts?createdAt=[2014-09-01,2014-09-15]
75. Group to Account
• A group can have many accounts
• An account can be in many groups
• Each mapping is a resource: GroupMembership
83. • Each batch reflects a resource
• Batches are likely to be a collection
• Batches are likely to have a status
• Batch deletes easier than create/update
84. Batch Delete
“Delete all company.com accounts”
DELETE /accounts?email=*@company.com
85. Batch Create / Update
Already have a Collection concept. Use it.
86. Batch Create or Update
POST /accounts
{
  "items": [
    { ... account 1 ... },
    { ... account 2 ... },
    ...
  ]
}
89. • As descriptive as possible
• As much information as possible
• Developers are your customers
90. POST /directories
409 Conflict
{
  "status": 409,
  "code": 40924,
  "property": "name",
  "message": "A Directory named 'Avengers' already exists.",
  "developerMessage": "A directory named 'Avengers' already exists. If you have a stale local cache, please expire it now.",
  "moreInfo": "https://www.stormpath.com/docs/api/errors/40924"
}
92. Avoid sessions when possible
Authenticate every request if necessary
Stateless
Authorize based on resource content, NOT URL!
Use Existing Protocol:
  OAuth 1.0a, OAuth2, Basic over SSL only
Custom Authentication Scheme:
  Only if you provide client code / SDK
  Only if you really, really know what you’re doing
Use API Keys instead of Username/Passwords
93. 401 vs 403
• 401 “Unauthorized” really means Unauthenticated
  “You need valid credentials for me to respond to this request”
• 403 “Forbidden” really means Unauthorized
  “I understood your credentials, but so sorry, you’re not allowed!”
94. HTTP Authentication Schemes
• Server response to issue challenge:
WWW-Authenticate: <scheme name> realm="Application Name"
• Client request to submit credentials:
Authorization: <scheme name> <data>
95. API Keys
• Entropy
• Password Reset
• Independence
• Scope
• Speed
• Limited Exposure
• Traceability
97. • IDs should be opaque
• Should be globally unique
• Avoid sequential numbers (contention, fusking)
• Good candidates: UUIDs, ‘Url64’
101. Server (initial response):
ETag: "686897696a7c876b7e"
Client (later request):
If-None-Match: "686897696a7c876b7e"
Server (later response):
304 Not Modified
103. Use HTTP Redirects
Create abstraction layer / endpoints when migrating
Use well defined custom Media Types
104. • User Management & Authentication
• API Security & Access Management
• Eliminate months of development
• Automatic security best practices
Coming Soon!
Loopback support