Secure API Services in Node.js

Welcome! • Agenda

• Stormpath 101 (5 mins)• How to secure an API (25 mins)• Q&A (30 mins)

• Claire HunsakerVP of Marketing & Customer Success

• Randall DeggesNode.js Evangelist

Customer Identity Poses Major Challenges

Speed to Market & Cost Reduction• Complete Identity solution out-of-the-box• Security best practices and updates by

default• Clean & elegant API/SDKs• Little to code, no maintenance Focus on Your Core Competency

Stormpath User Management

User Data

User Workflows Google ID

Your Applications

Application SDK

Application SDK

Application SDK

ID Integrations

Facebook

Active Directory

SAML

Features• Secure, flexible Authentication

(Password, Token, OAuth, API)

• Deep AuthorizationGroups, RolesCustomer OrganizationsPermissions

• Customer Profile Data

• Single Sign-On Across Your Apps

• Hosted User Screens

What’s the Goal of This Talk?

D’oh!

API Server(s)API Client

API Client

API Client

API Client

Internet

API Server(s)API Server(s)

Browser / Mobile Web API Client

Client-to-API

Server-to-API

Basic Auth

OAuth2

What’s the Goal of This Talk?

About API Keys…

randall@stormpath.com

iLOVEc00kies!

API Server(s)Website

163e087c36c34fa4b4635995c29cf9b5:b6e7bd4c74cf430493fe03b2e30225f8

API Secret

Long, random strings (uuids).

Let Users Have Multiple API Keys

Key 1 Key 2

ID: 3c511ea2ef424dd88bc1575e7e5a2bd7Secret: 1ae8120c1ec940638913f4e258b8f7fe

ID: cc463f7aabfd4132a2211006886d05f1Secret: 85172ea5aef144038f019b3111b5e11a

Creating API Keys with Stormpathreq.user.createApiKey(function(err, apiKey) { if (err) throw err;

 console.log('New API key created!'); console.log('API Key ID:', apiKey.id); console.log('API Key Secret:', apiKey.secret);});

LET’S SET UP STORMPATH!

LET’S WRITE SOME CODE!

How Does Basic Auth Work?

API Server(s)

Authorization: Basic <base64(id:secret)>

$ curl --user id:secret http://localhost:3000/api/test

How Does OAuth2 Work? (Step 1)

API Server(s)

Authorization: Basic <base64(id:secret)>

Access Token

$ curl --user id:secret \ -X POST \ --data grant_type=client_credentials \ http://localhost:3000/oauth/token

How Does OAuth2 Work? (Step 2)

API Server(s)

Authorization: Bearer <token>

$ curl -H “Authorization: Bearer <token>” \ http://localhost:3000/api/test

Node & Express Resources

• Talking to OAuth2 Services with Node.jshttps://stormpath.com/blog/talking-to-oauth2-services-with-nodejs

• What the Heck is OAuth? https://stormpath.com/blog/what-the-heck-is-oauth /

• Stormpath Express Libraryhttp://docs.stormpath.com/nodejs/express/latest/

• All Our JavaScript Integrationshttp://docs.stormpath.com/nodejs/

QUESTIONS?

THANK YOU