Backend APIs and Auth

InnoDevDay #2

in JS World

Modern API design

JWT

JSON Web Token

HMAC

Hash-based Message Authentication Code

Usage

  • verify
    • integrity
    • authenticity
    • identity

Encoded

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOjEyMzQ1Njc4OTAsIm5hbWUiOiJKb2huIERvZSIsImFkbWluIjp0cnVlfQ.eoaDVGTClRdfxUZXiPs3f8FmJDkDE_VCQFXqKxpLsts

Decoded

{
  "alg": "HS256",
  "typ": "JWT"
}

{
  "sub": 1234567890,
  "name": "John Doe",
  "admin": true
}

HMACSHA256(
    base64UrlEncode(header) + "." +
    base64UrlEncode(payload),
)  secret base64 encoded

Operations

  • Sign
  • Verify
  • Checks
    • Issuer
    • Expire
    • Audience

Spec prepared by Microsoft, NRI, Ping Identity

Platform libs

  • .NET
  • Python
  • Node.js
  • Java
  • Ruby
  • PHP
  • JavaScript
  • Go
  • Haskel
  • ...

OAuth 2.0 is not an authentication protocol.

Source: http://oauth.net/articles/authentication/

OpenAuth2

Open authorization framework that enables a third-party apps to obtain limited access to an HTTP service.

OpenID Connect

Simple identity layer on the top on OAuth 2.0 protocol.

 

Allow client of all types to request and receive info about authenticated session and end-users.

Future

OpenID Connect

probably

Draft spec prepared by Microsoft, Google, Salesforce, ...

Backend API - servers

  • Express.js
  • Koa.js
  • Hapi.js

simple and widely known

tailored towards bigger and more complex apps - WalmartLabs

1st approach

oautho2orize.js  = Express.js + passport.js + oauth2

2nd approach

Express.js + MongoDB + Redis + JWT

 

Not on Win64 :(

Strange release cycle

DEMO

Alternatives

Identity Broker + User Management As Service 

Q&A

Feedback

Made with Slides.com