Building an OAuth Flow in a Node.js CLI (slide transcript)

Page 1
Building an OAuth Flow in a Node.js CLI
May 14th, 2019
Page 2
Hi! I’m Taylor Krusen. I’m here to talk about building an OAuth Flow in a Node CLI. I’m on Twitter: @TaylorKrusen
Dropbox
Page 3
Overview of talk
Discuss OAuth as a concept.
Cover 3-legged OAuth Flow.
Tinker with OAuth Flow implementations.
Page 4
I’m from the USA. I live in a state named Washington.
Page 5
… Seattle, Washington to be precise.
We’re known for coffee, music, and a lack of sunshine.
We have lots of tech companies.
Page 6
Life is good.
Page 7
THE API ECONOMY
Page 8
The Need
Your Amazing App needs access to data held by other services: Bank Info, Social Info, Chat client, File storage.
Page 9

Page 10
Recognize these?
Page 11
OAuth 2.0
Industry-standard protocol for authorization.
➔ Provides delegated access to data between apps
➔ Decouples authentication and authorization
➔ Supports many different use cases
◆ Web applications
◆ Mobile applications
◆ Consoles & IoT devices
◆ Server-to-server applications
Authentication vs authorization
Page 12
OAuth 2.0
➔ Scopes and consent
➔ Actors
➔ Clients
➔ Tokens
➔ Authorization server
➔ Flows
Page 13
Scopes and Consent
Scopes
● Bundles of permissions asked for by the client when requesting an access token
● Decouple authorization policy from enforcement
Consent
● The authorization server captures the user's consent to the requested scopes
Page 14
Actors
Application (Client), Resource Owner, Authorization Server, Resource Server
Resource Owner → Application (Client): delegates access
Application (Client) → Authorization Server: obtains token
Application (Client) → Resource Server: uses token
Page 15
Tokens
Access Token
● Token used by the Client to access the Resource Server (API)
Refresh Token (optional)
● Long-lived token for getting new access tokens from the Authorization Server
Page 16
Authorization Server
Authorization Endpoint (~/authorize): takes the Authorization Request, returns an Authorization Grant (the code)
Token Endpoint (~/token): takes the Authorization Grant, returns an Access Token (and, optionally, a Refresh Token)
Page 17
Flows
Auth Code (3 Legged): Most secure. Commonly used for public APIs.
Implicit (2 Legged): Best for browser-only Public Clients. The OAuth 2.0 Security Best Current Practice (now RFC 9700) recommends against the implicit grant; browser clients should use the authorization code grant with PKCE (RFC 7636) instead.
Client Credential (2 Legged): Used for Confidential Clients (server-only).
Resource Owner Password: Legacy grant for native UN / PW apps.
Assertion (2 Legged): Authorization Server can trust a 3rd party such as a SAML identity provider.
Device (Non-Standard): Used for devices with no access to a browser. Standardized after this talk as the Device Authorization Grant, RFC 8628.
Page 18
3 Legged OAuth Flow (Auth Code)
● Uses the front channel (browser redirects) to get an authorization code
● Uses the back channel (a direct HTTPS request from the client) to exchange the authorization code for an access token (optional refresh token)
● Most secure flow: the access token never passes through the browser, only the short-lived code does
● Assumes the Resource Owner (in a browser) and the Client can be on separate devices
Page 19
3 Legged OAuth Flow (Authorization Code)
Actors: Application (Client), Resource Owner, Authorization Server, Resource Server
1. Authorization Request: Client → Resource Owner (via the browser)
2. Authorization Grant: Resource Owner → Client (the authorization code, delivered on the redirect_uri)
3. Authorization Grant: Client → Authorization Server (the code is presented at the token endpoint)
4. Access Token: Authorization Server → Client
5. Access Token: Client → Resource Server
6. Protected Resource: Resource Server → Client
Page 20
Leg 1: Requesting Authorization
Request (GET)
https://www.dropbox.com/oauth2/authorize?response_type=code&client_id=9xhtame8mbpu3gz&redirect_uri=http://localhost:3000/auth&state=somestring
Response (the browser is redirected back to the client)
http://localhost:3000/auth?code=adfmWK8oHPAAAAAAAAAA6uvVPpX2xbiky2Q_VpxJKun&state=somestring
state=somestring is a placeholder: a real client generates a fresh, unguessable state for every request and discards any response whose state does not match, otherwise an attacker can trick the CLI into accepting an authorization code for the attacker's account.
Page 21
Leg 2: Requesting an Access Token
Request (GET)
https://api.dropboxapi.com/oauth2/token?code=adfmWK8oHPAAAAAAAAAA7amOPmBYOPYiW3zooj_egxQ&grant_type=authorization_code&redirect_uri=http://localhost:3000/auth&client_id=9xhtame8mbpu3gz&client_secret=dei95eqke4bxnf7
Response
{ access_token: 'adfmWK8oHPAAAAAAAAAA7mxfnXlh_V47gTJ84g4mnDjgnaBD0fdlyNZK6AUhcFcr', token_type: 'bearer', uid: '2128328608', account_id: 'dbid:AABIN7OVjwJNfLISv0DTKdzI1k_DwARnENY'}
Two caveats for a CLI. RFC 6749 specifies the token request as a POST with the parameters in the form body, not in the query string, so they do not end up in proxy and server logs. And a CLI that users install on their own machines is a public client: a client_secret shipped inside it can be extracted by anyone who has the binary, so it protects nothing. PKCE (RFC 7636) is the mechanism designed for this case and binds the code exchange to the client instance that started the flow.
Page 22
Leg 3:Requesting a Protected Resource
Page 23
We did it!
“…but how do we do that from a CLI?”
Page 24
GUI: Graphical User Interface
CLI: Command-line Interface
Page 25
Node CLI Frameworks
● Oclif
● Vorpal
● Commander
○ Smartsheet CLI: https://github.com/smartsheet-samples/smartsheet-cli
● Readline
Page 26
Using Node Readline
Page 27
Token STORAGE
● Saves to Users/taylork/.dbx-cli/token.json
● Probably not safe for production: the token is a bearer credential, so a plain JSON file under the home directory needs owner-only permissions at a minimum, and the OS credential store (macOS Keychain, Windows Credential Manager, Secret Service on Linux) is the better home for it.
Page 28
Use Stored Token
These errors are a great way to test different retry logic.
Page 29
Get New Token
Page 30
DEMO
Page 31
THANKS! Any questions? I’m on Twitter: @TaylorKrusen