Post on 15-Apr-2017
Secure API Services in Node.js
Welcome!
Agenda
• Stormpath 101 (5 mins)
• How to secure an API (25 mins)
• Q&A (30 mins)
Speakers
• Claire Hunsaker, VP of Marketing & Customer Success
• Randall Degges, Node.js Evangelist
Customer Identity Poses Major Challenges
Speed to Market & Cost Reduction
• Complete identity solution out-of-the-box
• Security best practices and updates by default
• Clean & elegant API/SDKs
• Little to code, no maintenance
Focus on Your Core Competency
Stormpath User Management
Diagram: Stormpath User Management (user data, user workflows) sits between your applications, each talking to it through an application SDK, and the ID integrations it federates with (Google ID, Active Directory, SAML).
Features
• Secure, flexible authentication (password, token, OAuth, API)
• Deep authorization: groups, roles, customer organizations, permissions
• Customer profile data
• Single sign-on across your apps
• Hosted user screens
What’s the Goal of This Talk?
D’oh!
Diagram: many API clients (browsers, mobile web apps and other servers) calling API servers across the Internet. Two integration styles are labelled, Client-to-API and Server-to-API, alongside the two schemes this talk covers: Basic Auth and OAuth2.
About API Keys…
A website authenticates a person with a username and password, e.g. randall@stormpath.com / iLOVEc00kies!
An API server authenticates a client with an API key ID and API secret, e.g.
163e087c36c34fa4b4635995c29cf9b5:b6e7bd4c74cf430493fe03b2e30225f8
Both the ID and the secret are long, random strings (UUIDs), not something a person memorizes.
Let Users Have Multiple API Keys
Key 1: ID 3c511ea2ef424dd88bc1575e7e5a2bd7, Secret 1ae8120c1ec940638913f4e258b8f7fe
Key 2: ID cc463f7aabfd4132a2211006886d05f1, Secret 85172ea5aef144038f019b3111b5e11a
Creating API Keys with Stormpath

    // req.user is the authenticated Stormpath account on an Express request
    req.user.createApiKey(function (err, apiKey) {
      if (err) throw err;
      console.log('New API key created!');
      console.log('API Key ID:', apiKey.id);
      console.log('API Key Secret:', apiKey.secret);
    });
LET’S SET UP STORMPATH!
LET’S WRITE SOME CODE!
How Does Basic Auth Work?
The client sends its key ID and secret to the API server on every request:

    Authorization: Basic <base64(id:secret)>

    $ curl --user id:secret http://localhost:3000/api/test
How Does OAuth2 Work? (Step 1)
The client first exchanges its key ID and secret for an access token, using the client_credentials grant against the API server's token endpoint:

    Authorization: Basic <base64(id:secret)>   →   Access Token

    $ curl --user id:secret \
        -X POST \
        --data grant_type=client_credentials \
        http://localhost:3000/oauth/token
How Does OAuth2 Work? (Step 2)
The client then presents that access token as a Bearer token on API requests, so the secret itself is never sent to the API again:

    Authorization: Bearer <token>

    $ curl -H "Authorization: Bearer <token>" \
        http://localhost:3000/api/test
Node & Express Resources
• Talking to OAuth2 Services with Node.js: https://stormpath.com/blog/talking-to-oauth2-services-with-nodejs
• What the Heck is OAuth?: https://stormpath.com/blog/what-the-heck-is-oauth/
• Stormpath Express Library: http://docs.stormpath.com/nodejs/express/latest/
• All Our JavaScript Integrations: http://docs.stormpath.com/nodejs/
QUESTIONS?
THANK YOU