@msell
Last active August 29, 2015 14:15

things to talk about: Cookies vs JWT

http://www.oauthforaspnet.com/

OAuth http://oauth.net http://oauth.net/2/

JWT Simple - node library to encode/decode tokens.

JSON Web Token: has 3 parts. Header, Claims, Signature

Security Token Service (STS)

Login process with OAuth 1.0

  1. Client: Open a popup window via $auth.authenticate('provider name').
  2. Client: Unlike OAuth 2.0, you cannot go directly to the authentication screen without a valid request token.
  3. Client: The OAuth 1.0 flow starts with the GET request to /auth/provider inside the popup.
  4. Server: Check if URL contains oauth_token and oauth_verifier parameters.
  5. Server: Initially it does not, so send an OAuth signed POST request to the /request_token URL.
  6. Server: Redirect to the /authenticate URL with a valid request token.
  7. Client: Sign in with your username and password if necessary, then authorize the application.
  8. Client: Send a GET request back to the /auth/provider with oauth_token and oauth_verifier query string parameters.
  9. Server: Similar to Step 4, but this time send an OAuth signed POST request to the /access_token URL since we now have oauth_token and oauth_verifier parameters.
  10. Server: Look up the user by their unique Provider ID. If user already exists, grab the existing user, otherwise create a new user account.
  11. Server: Create a JSON Web Token and send it back to the client.
  12. Client: Parse the token and save it to Local Storage for subsequent use after page reload.

Some services that support OAuth 1.0 include:

  • Twitter

OAuth 2 - The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service.

Login process with OAuth 2.0

  1. Client: Open a popup window via $auth.authenticate('provider name').
  2. Client: Sign in with that provider, if necessary, then authorize the application.
  3. Client: After successful authorization, the popup is redirected back to your app, e.g. http://localhost:3000, with the code (authorization code) query string parameter.
  4. Client: The code parameter is sent back to the parent window that opened the popup.
  5. Client: Parent window closes the popup and sends a POST request to /auth/provider with the code parameter.
  6. Server: Authorization code is exchanged for access token.
  7. Server: User information is retrieved using the access token from Step 6.
  8. Server: Look up the user by their unique Provider ID. If user already exists, grab the existing user, otherwise create a new user account.
  9. Server: In both cases of Step 8, create a JSON Web Token and send it back to the client.
  10. Client: Parse the token and save it to Local Storage for subsequent use after page reload.

Some services that support OAuth 2 include:

  • Dropbox
  • Facebook Graph API
  • GitHub
  • Google
  • Windows Live

Local strategy flow

Signup

  1. Client: Enter your email and password into the signup form.
  2. Client: On form submit call $auth.signup(), passing an object with email and password.
  3. Client: Send a POST request to the /auth/signup.
  4. Server: Create a new user account then reply with 200 OK.
  5. Client: Redirect to the signupRedirect route. Default: /login.

Logout

  1. Client: Delete satellizer_token from Local Storage.
  2. Client: Redirect to the logoutRedirect route. Default: /.

Third Party Providers

  • oauth.io (Free up to 500 API calls/month)
  • auth0.com (AD integration)

Server side examples

Satellizer is a simple to use, end-to-end, token-based authentication module for AngularJS. It has built-in support for many popular public services such as Google, Facebook, LinkedIn, Twitter, Yahoo and Windows Live authentication, as well as email/password sign in. You can add any OAuth 1.0 or 2.0 provider. See also jwt.io.

Grant - OAuth middleware for Express, Koa

Authentication vs Authorization MustBe

Thinktecture Identity Server

http://www.ndcvideos.com/#/app/video/2651

"SAML is the Windows XP of Identity" it has no future. Heavy handed. OAuth2 is not an authentication protocol?!?

What we have now is a 'flavor of OAuth from Twitter, from Facebook, from Google, you name it'

OAuth was really just designed for creating access tokens and passing them along, and has morphed into an authentication protocol.

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol "simple to use as a consumer, but not so simple to implement" - db

OAuth never specified a token type; OpenID does. OpenID Connect design goals include standard token types, standard encryption, how to validate tokens, and combining authentication and access control in a single protocol. Single round trip to the server.
