SlideShare a Scribd company logo

Torii: Ember.js Authentication Library

Cory Forsyth
Cory Forsyth

Torii is an authentication service library for use with Ember.js for managing client-side login flows, specifically with third-party OAuth. http://githbu.com/vestorly/torii

InternetTechnology
1 of 38
Download to read offline
Ember Authentication with Torii http://github.com/vestorly/torii
Cory Forsyth @bantic http://github.com/vestorly/torii
201 Created We build õ-age apps with Ember.js. We take teams from £ to • in no time flat.
Stickers! http://github.com/vestorly/torii
http://vestorly.com http://github.com/vestorly/torii Vestorly is pioneering a content discovery app for professionals to use for lead generation / to grow their biz organically
http://github.com/vestorly/torii
Torii a traditional Japanese gate … [that] symbolically marks the transition from the profane to the sacred
How can we authenticate? • Username + password • Devise (user/pass, oauth via omniauth, etc) • OAuth via facebook/twitter/github/linked-in • Hybrid flow (single-page app plus server actions) http://github.com/vestorly/torii
Hybrid flow • HTTP Server serves Ember App (e.g. ember-rails) Server serves HTML with Ember App <html> … <script>App.create()</> … <form action=‘/signin’> … user/pass Server signs user in, serves HTML w/ Ember App _and_ currentUser <html> … <script> App.create(); App.currentUser=! “<% JSON .stringify(@user) %>”;! </script> http://github.com/vestorly/torii
Auth with session token • Separate SPA and API ! Ember app posts user/pass to api: /sessions {token: token} API validates user/ pass, generates and returns session token Ember app stores session token and adds session token as a header to all future API calls user/pass GET /protected_resource header: token API validates token to look up session, returns protected resource
Devise • It manages authentication state for you at the Rack level • What does Devise allow us to not think about? • State — The What, not the How (“current_user?”)
Ember is a State Machine Torii helps manage state as a user moves through authentication transitions Torii is an abstraction of the concept of auth. Your auth code does not need to focus on the How, only the What.
What does Torii not do? • Torii is not a client-side Devise. • Not a replacement for Ember Simple Auth • Does not automatically give you 3rd party login • Does not generate UI • Does not make assumptions about server endpoints
What does Torii do? • Provides a set of primitives for authenticating • Provides lightweight session management (opt-in) • Provides a reusable pattern for client-side OAuth flows (easily add additional OAuth providers) • Unifies different auth options (user/pass, OAuth, etc)
Torii Motivation • Provide promise-based abstraction of messy popup/redirect-based OAuth flows • Handle social login, traditional login (user/pass), and connection of social accounts using the same concepts • Allow for more maintainable auth-related code
Torii’s Primitives • Providers: Any 1st or 3rd party that can authenticate • Popup: Simplify the boilerplate of opening a popup and reading its redirected data • Adapters: Bridge between providers and session • Session: Opt-in, state machine
Torii Primitive: Provider • Responsible for obtaining proof of authentication/ authorization from a 1st or 3rd party (async) • Can be as simple as POSTing user/pass to /api/ session and getting a session token • Can also handle popup-based OAuth redirect flow • Torii Providers must only implement `open`
OAuth overview • Register an app with a redirect url with the OAuth provider. Provider gives a unique app id and app secret. • Visit provider’s page, include your app id (“http:// provider.com/oauth?app_id=X”) • User signs in at provider’s page, provider redirects user to registered redirect url, includes query params with auth data (“…?auth_code=ABC”) • Your server reads the query params and uses the app secret along with the auth code to exchange for an access token aka “password” for the user.
Torii: OAuth Providers
Torii: OAuth Providers
Torii: OAuth Providers redirects to …/?auth_code=ABC132…
Torii: OAuth Providers redirects to …/?auth_code=ABC132… Torii reads ‘auth_code’, and closes popup
Torii: OAuth Providers redirects to …/?auth_code=ABC132… Torii reads ‘auth_code’, and closes popup
Torii: OAuth Providers redirects to …/?auth_code=ABC132… Torii reads ‘auth_code’, and closes popup this.get('torii').open('facebook-oauth2')! .then(function(authData)){! !// got the auth code! });!
Torii: OAuth Providers redirects to …/?auth_code=ABC132… Torii reads ‘auth_code’, and closes popup • facebook-oauth2 • linked-in-oauth2 • google-oauth2 • oauth2-code base
Torii Primitive: Popup redirects to …/?auth_code=ABC132… Torii reads ‘auth_code’, and closes popup this.get('popup').open(url, keys)! !// opens popup at `url`! !// e.g. 'http://facebook.com/oauth'! ! !// waits until popup reloads! !// this app, and scans its url! !// for `keys`! !// e.g. ‘http://localhost:4200/?auth_code=X'! // closes popup, resolves promise with: ! .then(function(data)){! console.log(data.auth_code); // ‘X’! });!
Torii Primitive: Popup • adds application initializer • detects it is in a popup • calls `deferReadiness` • reads keys from URL • `postMessage`’s to window.open
Torii: Demo Create a simple torii-provider for use against a demonstration OAuth provider. Demonstrate the torii popup reading keys off the URL.
Torii + OAuth: What else? • Torii does not prescribe what to do once you’ve received the code. • Typically, you must complete a secret (aka server- side) exchange with the 3rd-party provider to turn the code into an access token • Some providers (Facebook Connect, Foursquare) will return to you an access token without a server- side exchange
Torii Primitive: Adapter • Torii Adapters are only used by the Torii Session • Adapters are the glue/bridge between torii providers and the session • torii provider -> torii adapter -> session properties • Subclasses must only implement `open`
Torii Primitive: Adapter • Example uses for an adapter: • POST auth information from Facebook to your server to generate a new server-side session • Decorate the client-side session with additional properties • Set an ajax prefilter that adds a header with the session token to all future requests
Torii Primitive: Session • Opt-in via torii configuration `sessionServiceName` • Injects ‘session’ property onto routes and controllers • Session is a state machine and a proxy • isAuthenticated • isOpening
Torii Primitive: Session • Torii’s session is lightweight by design • The session is a proxy for the adapter’s `open` output • Call `session.open(providerName, options)`
Torii: Demo Opt in to the session, create a torii adapter
Torii is an ember-addon • `ember new <app>` • `npm install torii --save-dev` • In routes: `this.get(‘torii’)` • (opt-in to sessions and then:) `this.get(‘session’)`
What’s next for Torii? • Torii-Provider ecosystem • More conventions • Session Management — more or less? • Additional primitive/hooks for OAuth code exchange • Better Devise/omniauth compatibility
Cory Forsyth @bantic Torii: http://github.com/vestorly/torii Vestorly: http://vestorly.com 201 Created: http://201-created.com/ Ember Simple Auth: https://github.com/simplabs/ember-simple-auth See also: flickr credits: jpellgen

Recommended

Ember Authentication and Authorization with Torii
Ember Authentication and Authorization with ToriiEmber Authentication and Authorization with Torii
Ember Authentication and Authorization with Torii
Cory Forsyth
 
OAuth using PHP5
OAuth using PHP5OAuth using PHP5
OAuth using PHP5
Nurulazrad Murad
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
leahculver
 
MainFinalOAuth
MainFinalOAuthMainFinalOAuth
MainFinalOAuthMohan Kumar Tadikimalla
 
Maintest3
Maintest3Maintest3
Maintest3Mohan Kumar Tadikimalla
 
OAuth
OAuthOAuth
OAuthMohan Kumar Tadikimalla
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
leahculver
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
LiamWadman
 

Recommended

Ember Authentication and Authorization with Torii
Ember Authentication and Authorization with ToriiEmber Authentication and Authorization with Torii
Ember Authentication and Authorization with Torii
Cory Forsyth
 
OAuth using PHP5
OAuth using PHP5OAuth using PHP5
OAuth using PHP5
Nurulazrad Murad
 
Implementing OAuth
Implementing OAuthImplementing OAuth
Implementing OAuth
leahculver
 
MainFinalOAuth
MainFinalOAuthMainFinalOAuth
MainFinalOAuthMohan Kumar Tadikimalla
 
Maintest3
Maintest3Maintest3
Maintest3Mohan Kumar Tadikimalla
 
OAuth
OAuthOAuth
OAuthMohan Kumar Tadikimalla
 
OAuth - Open API Authentication
OAuth - Open API AuthenticationOAuth - Open API Authentication
OAuth - Open API Authentication
leahculver
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
LiamWadman
 
Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHP
Lorna Mitchell
 
Using OAuth with PHP
Using OAuth with PHPUsing OAuth with PHP
Using OAuth with PHP
David Ingram
 
OAuth for your API - The Big Picture
OAuth for your API - The Big PictureOAuth for your API - The Big Picture
OAuth for your API - The Big Picture
Apigee | Google Cloud
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0
Yasmine Gaber
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
ChrisWood262
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
Knoldus Inc.
 
Harmony API developers documentation (version 2.2)
Harmony API developers documentation (version 2.2)Harmony API developers documentation (version 2.2)
Harmony API developers documentation (version 2.2)
112Motion
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
Aaron Parecki
 
OAuth big picture
OAuth big pictureOAuth big picture
OAuth big picture
Min Li
 
Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authentication
jeremysbrown
 
Oauth
OauthOauth
Oauth立晨 代
 
Extended Security with WSO2 API Management Platform
Extended Security with WSO2 API Management PlatformExtended Security with WSO2 API Management Platform
Extended Security with WSO2 API Management Platform
WSO2
 
Client Initiated Backchannel Authentication (CIBA) and Authlete’s Approach
Client Initiated Backchannel Authentication (CIBA) and Authlete’s ApproachClient Initiated Backchannel Authentication (CIBA) and Authlete’s Approach
Client Initiated Backchannel Authentication (CIBA) and Authlete’s Approach
Tatsuo Kudo
 
PHP, OAuth, Web Services and YQL
PHP, OAuth, Web Services and YQLPHP, OAuth, Web Services and YQL
PHP, OAuth, Web Services and YQL
kulor
 
Learn with WSO2 - API Security
Learn with WSO2 - API Security Learn with WSO2 - API Security
Learn with WSO2 - API Security WSO2
 
T28 implementing adfs and hybrid share point
T28 implementing adfs and hybrid share point T28 implementing adfs and hybrid share point
T28 implementing adfs and hybrid share point
Thorbjørn Værp
 
Client-side Auth with Ember.js
Client-side Auth with Ember.jsClient-side Auth with Ember.js
Client-side Auth with Ember.js
Matthew Beale
 
Stackup New Languages Talk: Ember is for Everybody
Stackup New Languages Talk: Ember is for EverybodyStackup New Languages Talk: Ember is for Everybody
Stackup New Languages Talk: Ember is for EverybodyCory Forsyth
 
Making ember-wormhole work with Fastboot
Making ember-wormhole work with FastbootMaking ember-wormhole work with Fastboot
Making ember-wormhole work with Fastboot
Cory Forsyth
 
Microsoft tech talk march 28 2014
Microsoft tech talk march 28 2014Microsoft tech talk march 28 2014
Microsoft tech talk march 28 2014Cory Forsyth
 
Chrome Extensions at Manhattan JS
Chrome Extensions at Manhattan JSChrome Extensions at Manhattan JS
Chrome Extensions at Manhattan JS
Cory Forsyth
 
OAuth 2.0 Misconceptions
OAuth 2.0 MisconceptionsOAuth 2.0 Misconceptions
OAuth 2.0 Misconceptions
Cory Forsyth
 

More Related Content

What's hot

Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHP
Lorna Mitchell
 
Using OAuth with PHP
Using OAuth with PHPUsing OAuth with PHP
Using OAuth with PHP
David Ingram
 
OAuth for your API - The Big Picture
OAuth for your API - The Big PictureOAuth for your API - The Big Picture
OAuth for your API - The Big Picture
Apigee | Google Cloud
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0
Yasmine Gaber
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
ChrisWood262
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
Knoldus Inc.
 
Harmony API developers documentation (version 2.2)
Harmony API developers documentation (version 2.2)Harmony API developers documentation (version 2.2)
Harmony API developers documentation (version 2.2)
112Motion
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
Aaron Parecki
 
OAuth big picture
OAuth big pictureOAuth big picture
OAuth big picture
Min Li
 
Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authentication
jeremysbrown
 
Extended Security with WSO2 API Management Platform
Extended Security with WSO2 API Management PlatformExtended Security with WSO2 API Management Platform
Extended Security with WSO2 API Management Platform
WSO2
 
Client Initiated Backchannel Authentication (CIBA) and Authlete’s Approach
Client Initiated Backchannel Authentication (CIBA) and Authlete’s ApproachClient Initiated Backchannel Authentication (CIBA) and Authlete’s Approach
Client Initiated Backchannel Authentication (CIBA) and Authlete’s Approach
Tatsuo Kudo
 
PHP, OAuth, Web Services and YQL
PHP, OAuth, Web Services and YQLPHP, OAuth, Web Services and YQL
PHP, OAuth, Web Services and YQL
kulor
 
Learn with WSO2 - API Security
Learn with WSO2 - API Security Learn with WSO2 - API Security
Learn with WSO2 - API Security WSO2
 
T28 implementing adfs and hybrid share point
T28 implementing adfs and hybrid share point T28 implementing adfs and hybrid share point
T28 implementing adfs and hybrid share point
Thorbjørn Værp
 

What's hot (16)

Implementing OAuth with PHP
Implementing OAuth with PHPImplementing OAuth with PHP
Implementing OAuth with PHP
 
Using OAuth with PHP
Using OAuth with PHPUsing OAuth with PHP
Using OAuth with PHP
 
OAuth for your API - The Big Picture
OAuth for your API - The Big PictureOAuth for your API - The Big Picture
OAuth for your API - The Big Picture
 
Oauth2.0
Oauth2.0Oauth2.0
Oauth2.0
 
OAuth 2
OAuth 2OAuth 2
OAuth 2
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
 
Harmony API developers documentation (version 2.2)
Harmony API developers documentation (version 2.2)Harmony API developers documentation (version 2.2)
Harmony API developers documentation (version 2.2)
 
An Introduction to OAuth 2
An Introduction to OAuth 2An Introduction to OAuth 2
An Introduction to OAuth 2
 
OAuth big picture
OAuth big pictureOAuth big picture
OAuth big picture
 
Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authentication
 
Oauth
OauthOauth
Oauth
 
Extended Security with WSO2 API Management Platform
Extended Security with WSO2 API Management PlatformExtended Security with WSO2 API Management Platform
Extended Security with WSO2 API Management Platform
 
Client Initiated Backchannel Authentication (CIBA) and Authlete’s Approach
Client Initiated Backchannel Authentication (CIBA) and Authlete’s ApproachClient Initiated Backchannel Authentication (CIBA) and Authlete’s Approach
Client Initiated Backchannel Authentication (CIBA) and Authlete’s Approach
 
PHP, OAuth, Web Services and YQL
PHP, OAuth, Web Services and YQLPHP, OAuth, Web Services and YQL
PHP, OAuth, Web Services and YQL
 
Learn with WSO2 - API Security
Learn with WSO2 - API Security Learn with WSO2 - API Security
Learn with WSO2 - API Security
 
T28 implementing adfs and hybrid share point
T28 implementing adfs and hybrid share point T28 implementing adfs and hybrid share point
T28 implementing adfs and hybrid share point
 

Viewers also liked

Client-side Auth with Ember.js
Client-side Auth with Ember.jsClient-side Auth with Ember.js
Client-side Auth with Ember.js
Matthew Beale
 
Stackup New Languages Talk: Ember is for Everybody
Stackup New Languages Talk: Ember is for EverybodyStackup New Languages Talk: Ember is for Everybody
Stackup New Languages Talk: Ember is for EverybodyCory Forsyth
 
Making ember-wormhole work with Fastboot
Making ember-wormhole work with FastbootMaking ember-wormhole work with Fastboot
Making ember-wormhole work with Fastboot
Cory Forsyth
 
Microsoft tech talk march 28 2014
Microsoft tech talk march 28 2014Microsoft tech talk march 28 2014
Microsoft tech talk march 28 2014Cory Forsyth
 
Chrome Extensions at Manhattan JS
Chrome Extensions at Manhattan JSChrome Extensions at Manhattan JS
Chrome Extensions at Manhattan JS
Cory Forsyth
 
OAuth 2.0 Misconceptions
OAuth 2.0 MisconceptionsOAuth 2.0 Misconceptions
OAuth 2.0 Misconceptions
Cory Forsyth
 
APIs: Internet for Robots
APIs: Internet for RobotsAPIs: Internet for Robots
APIs: Internet for Robots
Cory Forsyth
 
EmberFest Mobiledoc Demo Lightning Talk
EmberFest Mobiledoc Demo Lightning TalkEmberFest Mobiledoc Demo Lightning Talk
EmberFest Mobiledoc Demo Lightning Talk
Cory Forsyth
 
Ember testing internals with ember cli
Ember testing internals with ember cliEmber testing internals with ember cli
Ember testing internals with ember cli
Cory Forsyth
 
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
Cory Forsyth
 
Introduction to HTTP/2
Introduction to HTTP/2Introduction to HTTP/2
Introduction to HTTP/2
Ido Flatow
 
What HTTP/2.0 Will Do For You
What HTTP/2.0 Will Do For YouWhat HTTP/2.0 Will Do For You
What HTTP/2.0 Will Do For You
Mark Nottingham
 

Viewers also liked (12)

Client-side Auth with Ember.js
Client-side Auth with Ember.jsClient-side Auth with Ember.js
Client-side Auth with Ember.js
 
Stackup New Languages Talk: Ember is for Everybody
Stackup New Languages Talk: Ember is for EverybodyStackup New Languages Talk: Ember is for Everybody
Stackup New Languages Talk: Ember is for Everybody
 
Making ember-wormhole work with Fastboot
Making ember-wormhole work with FastbootMaking ember-wormhole work with Fastboot
Making ember-wormhole work with Fastboot
 
Microsoft tech talk march 28 2014
Microsoft tech talk march 28 2014Microsoft tech talk march 28 2014
Microsoft tech talk march 28 2014
 
Chrome Extensions at Manhattan JS
Chrome Extensions at Manhattan JSChrome Extensions at Manhattan JS
Chrome Extensions at Manhattan JS
 
OAuth 2.0 Misconceptions
OAuth 2.0 MisconceptionsOAuth 2.0 Misconceptions
OAuth 2.0 Misconceptions
 
APIs: Internet for Robots
APIs: Internet for RobotsAPIs: Internet for Robots
APIs: Internet for Robots
 
EmberFest Mobiledoc Demo Lightning Talk
EmberFest Mobiledoc Demo Lightning TalkEmberFest Mobiledoc Demo Lightning Talk
EmberFest Mobiledoc Demo Lightning Talk
 
Ember testing internals with ember cli
Ember testing internals with ember cliEmber testing internals with ember cli
Ember testing internals with ember cli
 
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
 
Introduction to HTTP/2
Introduction to HTTP/2Introduction to HTTP/2
Introduction to HTTP/2
 
What HTTP/2.0 Will Do For You
What HTTP/2.0 Will Do For YouWhat HTTP/2.0 Will Do For You
What HTTP/2.0 Will Do For You
 

Similar to Torii: Ember.js Authentication Library

Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...
Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...
Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...
Tatsuo Kudo
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbed
leahculver
 
Introduction to OAuth 2.0 - the technology you need but never really learned
Introduction to OAuth 2.0 - the technology you need but never really learnedIntroduction to OAuth 2.0 - the technology you need but never really learned
Introduction to OAuth 2.0 - the technology you need but never really learned
Mikkel Flindt Heisterberg
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuth
Mikkel Flindt Heisterberg
 
Linkedin & OAuth
Linkedin & OAuthLinkedin & OAuth
Linkedin & OAuth
Umang Goyal
 
Data Synchronization Patterns in Mobile Application Design
Data Synchronization Patterns in Mobile Application DesignData Synchronization Patterns in Mobile Application Design
Data Synchronization Patterns in Mobile Application Design
Eric Maxwell
 
OAuth In The Real World : 10 actual implementations you can't guess
OAuth In The Real World : 10 actual implementations you can't guessOAuth In The Real World : 10 actual implementations you can't guess
OAuth In The Real World : 10 actual implementations you can't guessMehdi Medjaoui
 
Api security
Api security Api security
Api security
teodorcotruta
 
The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2
Khor SoonHin
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patterns
Pieter Ennes
 
Ember and OAuth2
Ember and OAuth2Ember and OAuth2
Ember and OAuth2
Stephen Vance
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
Guy Marom
 
Создание API, которое полюбят разработчики. Глубокое погружение
Создание API, которое полюбят разработчики. Глубокое погружениеСоздание API, которое полюбят разработчики. Глубокое погружение
Создание API, которое полюбят разработчики. Глубокое погружение
SQALab
 
Office 365 Authentication Process (oAuth Service Integration) - iXora Tech Se...
Office 365 Authentication Process (oAuth Service Integration) - iXora Tech Se...Office 365 Authentication Process (oAuth Service Integration) - iXora Tech Se...
Office 365 Authentication Process (oAuth Service Integration) - iXora Tech Se...
iXora Solution Ltd.
 
OAuth
OAuthOAuth
OAuth
Tom Elrod
 
Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Mohan Kumar Tadikimalla
 
Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Mohan Kumar Tadikimalla
 
OAuth con doorkeeper
OAuth con doorkeeperOAuth con doorkeeper
OAuth con doorkeeper
Sergio Marin
 
Oauth
OauthOauth
Oauth
ehuard
 
Altitude San Francisco 2018: Authentication at the Edge
Altitude San Francisco 2018: Authentication at the EdgeAltitude San Francisco 2018: Authentication at the Edge
Altitude San Francisco 2018: Authentication at the Edge
Fastly
 

Similar to Torii: Ember.js Authentication Library (20)

Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...
Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...
Authorization Architecture Patterns: How to Avoid Pitfalls in #OAuth / #OIDC ...
 
OAuth and OEmbed
OAuth and OEmbedOAuth and OEmbed
OAuth and OEmbed
 
Introduction to OAuth 2.0 - the technology you need but never really learned
Introduction to OAuth 2.0 - the technology you need but never really learnedIntroduction to OAuth 2.0 - the technology you need but never really learned
Introduction to OAuth 2.0 - the technology you need but never really learned
 
Introduction to OAuth
Introduction to OAuthIntroduction to OAuth
Introduction to OAuth
 
Linkedin & OAuth
Linkedin & OAuthLinkedin & OAuth
Linkedin & OAuth
 
Data Synchronization Patterns in Mobile Application Design
Data Synchronization Patterns in Mobile Application DesignData Synchronization Patterns in Mobile Application Design
Data Synchronization Patterns in Mobile Application Design
 
OAuth In The Real World : 10 actual implementations you can't guess
OAuth In The Real World : 10 actual implementations you can't guessOAuth In The Real World : 10 actual implementations you can't guess
OAuth In The Real World : 10 actual implementations you can't guess
 
Api security
Api security Api security
Api security
 
The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2The Many Flavors of OAuth - Understand Everything About OAuth2
The Many Flavors of OAuth - Understand Everything About OAuth2
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patterns
 
Ember and OAuth2
Ember and OAuth2Ember and OAuth2
Ember and OAuth2
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
 
Создание API, которое полюбят разработчики. Глубокое погружение
Создание API, которое полюбят разработчики. Глубокое погружениеСоздание API, которое полюбят разработчики. Глубокое погружение
Создание API, которое полюбят разработчики. Глубокое погружение
 
Office 365 Authentication Process (oAuth Service Integration) - iXora Tech Se...
Office 365 Authentication Process (oAuth Service Integration) - iXora Tech Se...Office 365 Authentication Process (oAuth Service Integration) - iXora Tech Se...
Office 365 Authentication Process (oAuth Service Integration) - iXora Tech Se...
 
OAuth
OAuthOAuth
OAuth
 
Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02
 
Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02Maintest 100713212237-phpapp02-100714080303-phpapp02
Maintest 100713212237-phpapp02-100714080303-phpapp02
 
OAuth con doorkeeper
OAuth con doorkeeperOAuth con doorkeeper
OAuth con doorkeeper
 
Oauth
OauthOauth
Oauth
 
Altitude San Francisco 2018: Authentication at the Edge
Altitude San Francisco 2018: Authentication at the EdgeAltitude San Francisco 2018: Authentication at the Edge
Altitude San Francisco 2018: Authentication at the Edge
 

Recently uploaded

guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
Rogerio Filho
 
Internet-Security-Safeguarding-Your-Digital-World (1).pptx
Internet-Security-Safeguarding-Your-Digital-World (1).pptxInternet-Security-Safeguarding-Your-Digital-World (1).pptx
Internet-Security-Safeguarding-Your-Digital-World (1).pptx
VivekSinghShekhawat2
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Sanjeev Rampal
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
laozhuseo02
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
laozhuseo02
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Brad Spiegel Macon GA
 
Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
GTProductions1
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
Gal Baras
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
ufdana
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
nirahealhty
 
test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
Arif0071
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
3ipehhoa
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
Javier Lasa
 
BASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptxBASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptx
natyesu
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
eutxy
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
JeyaPerumal1
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
3ipehhoa
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
keoku
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
JungkooksNonexistent
 

Recently uploaded (20)

guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
 
Internet-Security-Safeguarding-Your-Digital-World (1).pptx
Internet-Security-Safeguarding-Your-Digital-World (1).pptxInternet-Security-Safeguarding-Your-Digital-World (1).pptx
Internet-Security-Safeguarding-Your-Digital-World (1).pptx
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
 
Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
 
test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
 
BASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptxBASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptx
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
 

Torii: Ember.js Authentication Library

  • 3.
  • 4. 201 Created We build õ-age apps with Ember.js. We take teams from £ to • in no time flat.
  • 6. http://vestorly.com http://github.com/vestorly/torii Vestorly is pioneering a content discovery app for professionals to use for lead generation / to grow their biz organically
  • 8. Torii a traditional Japanese gate … [that] symbolically marks the transition from the profane to the sacred
  • 9. How can we authenticate? • Username + password • Devise (user/pass, oauth via omniauth, etc) • OAuth via facebook/twitter/github/linked-in • Hybrid flow (single-page app plus server actions) http://github.com/vestorly/torii
  • 10. Hybrid flow • HTTP Server serves Ember App (e.g. ember-rails) Server serves HTML with Ember App <html> … <script>App.create()</> … <form action=‘/signin’> … user/pass Server signs user in, serves HTML w/ Ember App _and_ currentUser <html> … <script> App.create(); App.currentUser=! “<% JSON .stringify(@user) %>”;! </script> http://github.com/vestorly/torii
  • 11. Auth with session token • Separate SPA and API ! Ember app posts user/pass to api: /sessions {token: token} API validates user/ pass, generates and returns session token Ember app stores session token and adds session token as a header to all future API calls user/pass GET /protected_resource header: token API validates token to look up session, returns protected resource
  • 12. Devise • It manages authentication state for you at the Rack level • What does Devise allow us to not think about? • State — The What, not the How (“current_user?”)
  • 13. Ember is a State Machine Torii helps manage state as a user moves through authentication transitions Torii is an abstraction of the concept of auth. Your auth code does not need to focus on the How, only the What.
  • 14. What does Torii not do? • Torii is not a client-side Devise. • Not a replacement for Ember Simple Auth • Does not automatically give you 3rd party login • Does not generate UI • Does not make assumptions about server endpoints
  • 15. What does Torii do? • Provides a set of primitives for authenticating • Provides lightweight session management (opt-in) • Provides a reusable pattern for client-side OAuth flows (easily add additional OAuth providers) • Unifies different auth options (user/pass, OAuth, etc)
  • 16. Torii Motivation • Provide promise-based abstraction of messy popup/redirect-based OAuth flows • Handle social login, traditional login (user/pass), and connection of social accounts using the same concepts • Allow for more maintainable auth-related code
  • 17. Torii’s Primitives • Providers: Any 1st or 3rd party that can authenticate • Popup: Simplify the boilerplate of opening a popup and reading its redirected data • Adapters: Bridge between providers and session • Session: Opt-in, state machine
  • 18. Torii Primitive: Provider • Responsible for obtaining proof of authentication/ authorization from a 1st or 3rd party (async) • Can be as simple as POSTing user/pass to /api/ session and getting a session token • Can also handle popup-based OAuth redirect flow • Torii Providers must only implement `open`
  • 19. OAuth overview • Register an app with a redirect url with the OAuth provider. Provider gives a unique app id and app secret. • Visit provider’s page, include your app id (“http:// provider.com/oauth?app_id=X”) • User signs in at provider’s page, provider redirects user to registered redirect url, includes query params with auth data (“…?auth_code=ABC”) • Your server reads the query params and uses the app secret along with the auth code to exchange for an access token aka “password” for the user.
  • 22. Torii: OAuth Providers redirects to …/?auth_code=ABC132…
  • 23. Torii: OAuth Providers redirects to …/?auth_code=ABC132… Torii reads ‘auth_code’, and closes popup
  • 24. Torii: OAuth Providers redirects to …/?auth_code=ABC132… Torii reads ‘auth_code’, and closes popup
  • 25. Torii: OAuth Providers redirects to …/?auth_code=ABC132… Torii reads ‘auth_code’, and closes popup this.get('torii').open('facebook-oauth2')! .then(function(authData)){! !// got the auth code! });!
  • 26. Torii: OAuth Providers redirects to …/?auth_code=ABC132… Torii reads ‘auth_code’, and closes popup • facebook-oauth2 • linked-in-oauth2 • google-oauth2 • oauth2-code base
  • 27. Torii Primitive: Popup redirects to …/?auth_code=ABC132… Torii reads ‘auth_code’, and closes popup this.get('popup').open(url, keys)! !// opens popup at `url`! !// e.g. 'http://facebook.com/oauth'! ! !// waits until popup reloads! !// this app, and scans its url! !// for `keys`! !// e.g. ‘http://localhost:4200/?auth_code=X'! // closes popup, resolves promise with: ! .then(function(data)){! console.log(data.auth_code); // ‘X’! });!
  • 28. Torii Primitive: Popup • adds application initializer • detects it is in a popup • calls `deferReadiness` • reads keys from URL • `postMessage`’s to window.open
  • 29. Torii: Demo Create a simple torii-provider for use against a demonstration OAuth provider. Demonstrate the torii popup reading keys off the URL.
  • 30. Torii + OAuth: What else? • Torii does not prescribe what to do once you’ve received the code. • Typically, you must complete a secret (aka server- side) exchange with the 3rd-party provider to turn the code into an access token • Some providers (Facebook Connect, Foursquare) will return to you an access token without a server- side exchange
  • 31. Torii Primitive: Adapter • Torii Adapters are only used by the Torii Session • Adapters are the glue/bridge between torii providers and the session • torii provider -> torii adapter -> session properties • Subclasses must only implement `open`
  • 32. Torii Primitive: Adapter • Example uses for an adapter: • POST auth information from Facebook to your server to generate a new server-side session • Decorate the client-side session with additional properties • Set an ajax prefilter that adds a header with the session token to all future requests
  • 33. Torii Primitive: Session • Opt-in via torii configuration `sessionServiceName` • Injects ‘session’ property onto routes and controllers • Session is a state machine and a proxy • isAuthenticated • isOpening
  • 34. Torii Primitive: Session • Torii’s session is lightweight by design • The session is a proxy for the adapter’s `open` output • Call `session.open(providerName, options)`
  • 35. Torii: Demo Opt in to the session, create a torii adapter
  • 36. Torii is an ember-addon • `ember new <app>` • `npm install torii --save-dev` • In routes: `this.get(‘torii’)` • (opt-in to sessions and then:) `this.get(‘session’)`
  • 37. What’s next for Torii? • Torii-Provider ecosystem • More conventions • Session Management — more or less? • Additional primitive/hooks for OAuth code exchange • Better Devise/omniauth compatibility
  • 38. Cory Forsyth @bantic Torii: http://github.com/vestorly/torii Vestorly: http://vestorly.com 201 Created: http://201-created.com/ Ember Simple Auth: https://github.com/simplabs/ember-simple-auth See also: flickr credits: jpellgen