Secure API Services in Node with Basic Auth and OAuth2

Dec 10, 2015Download as pptx, pdf

4 likes1,958 views

The document outlines a presentation focused on securing API services in Node.js, detailing features of Stormpath such as user management, flexible authentication, and single sign-on integration. It includes discussions on API key creation, basic authentication, and OAuth2 implementation steps. Resources for further learning on OAuth2 services and Stormpath libraries are also provided.

Technology

Welcome!
• Agenda
• Stormpath 101 (5 mins)
• How to secure an API (25 mins)
• Q&A (30 mins)
• Claire Hunsaker
VP of Marketing & Customer Success
• Randall Degges
Node.js Evangelist

Customer Identity Poses Major Challenges

Speed to Market & Cost Reduction
• Complete Identity solution out-of-the-box
• Security best practices and updates by default
• Clean & elegant API/SDKs
• Little to code, no maintenance
Focus on Your Core Competency

Stormpath User Management
User Data
User
Workflows Google ID
Your Applications
Application SDK
Application SDK
Application SDK
ID Integrations
Facebook
Active
Directory
SAML

D’oh!
API Server(s)API Client
API Client
API Client
API Client
Internet

API Server(s)API Server(s)
Browser / Mobile
Web
API Client
Client-to-API Server-to-API

Basic Auth OAuth2
What’s the Goal of This Talk?

randall@stormpath.com
iLOVEc00kies!
API Server(s)Website

163e087c36c34fa4b4635995c29cf9b5:b6e7bd4c74cf430493fe03b2e30225f8
API Secret
Long, random strings (uuids).

Let Users Have Multiple API Keys
Key 1 Key 2
ID: 3c511ea2ef424dd88bc1575e7e5a2bd7
Secret: 1ae8120c1ec940638913f4e258b8f7fe
ID: cc463f7aabfd4132a2211006886d05f1
Secret: 85172ea5aef144038f019b3111b5e11a

Creating API Keys with Stormpath
req.user.createApiKey(function(err, apiKey) {
if (err) throw err;
console.log('New API key created!');
console.log('API Key ID:', apiKey.id);
console.log('API Key Secret:',
apiKey.secret);
});

How Does Basic Auth Work?
API Server(s)
Authorization: Basic <base64(id:secret)>
$ curl --user id:secret http://localhost:3000/api/test

How Does OAuth2 Work? (Step 1)
API Server(s)
Authorization: Basic <base64(id:secret)>
Access Token
$ curl --user id:secret
-X POST
--data grant_type=client_credentials
http://localhost:3000/oauth/token

How Does OAuth2 Work? (Step 2)
API Server(s)
Authorization: Bearer <token>
$ curl -H “Authorization: Bearer <token>”
http://localhost:3000/api/test

Node & Express Resources
• Talking to OAuth2 Services with Node.js
https://stormpath.com/blog/talking-to-oauth2-services-with-nodejs
• What the Heck is OAuth?
https://stormpath.com/blog/what-the-heck-is-oauth/
• Stormpath Express Library
http://docs.stormpath.com/nodejs/express/latest/
• All Our JavaScript Integrations
http://docs.stormpath.com/nodejs/

More Related Content

What's hot (20)

PPTX

Token Authentication for Java ApplicationsStormpath

PPTX

Browser Security 101 Stormpath

PDF

Authentication: Cookies vs JWTs and why you’re doing it wrongDerek Perkins

PPTX

Single-Page-Application & REST securityIgor Bossenko

PPTX

API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...CA API Management

PDF

Super simple application security with Apache ShiroMarakana Inc.

PPTX

Secure Your REST API (The Right Way)Stormpath

PDF

ConFoo 2015 - Securing RESTful resources with OAuth2Rodrigo Cândido da Silva

PPTX

Api security teodorcotruta

PPTX

ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraDataStax Academy

PDF

JavaOne 2014 - Securing RESTful Resources with OAuth2Rodrigo Cândido da Silva

PPTX

Rest API SecurityStormpath

PPTX

Best Practices in Building an API Security EcosystemPrabath Siriwardena

PDF

JWTs in Java for CSRF and MicroservicesStormpath

PPTX

Spring SecurityManish Sharma

PPTX

Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Will Tran

PPTX

Intro to Apache ShiroClaire Hunsaker

PPTX

D@W REST securityGaurav Sharma

PPTX

Instant Security & Scalable User Management with Spring BootStormpath

PPTX

Securing RESTful APIs using OAuth 2 and OpenID ConnectJonathan LeBlanc

Token Authentication for Java ApplicationsStormpath

Browser Security 101 Stormpath

Authentication: Cookies vs JWTs and why you’re doing it wrongDerek Perkins

Single-Page-Application & REST securityIgor Bossenko

API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...CA API Management

Super simple application security with Apache ShiroMarakana Inc.

Secure Your REST API (The Right Way)Stormpath

ConFoo 2015 - Securing RESTful resources with OAuth2Rodrigo Cândido da Silva

Api security teodorcotruta

ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraDataStax Academy

JavaOne 2014 - Securing RESTful Resources with OAuth2Rodrigo Cândido da Silva

Rest API SecurityStormpath

Best Practices in Building an API Security EcosystemPrabath Siriwardena

JWTs in Java for CSRF and MicroservicesStormpath

Spring SecurityManish Sharma

Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Will Tran

Intro to Apache ShiroClaire Hunsaker

D@W REST securityGaurav Sharma

Instant Security & Scalable User Management with Spring BootStormpath

Securing RESTful APIs using OAuth 2 and OpenID ConnectJonathan LeBlanc

Viewers also liked (15)

PDF

Building Beautiful REST APIs in ASP.NET CoreStormpath

PPTX

Storing User Files with Express, Stormpath, and Amazon S3Stormpath

PPTX

Building Secure User Interfaces With JWTs (JSON Web Tokens)Stormpath

PPTX

Custom Data Search with StormpathStormpath

PPTX

Stormpath 101: Spring Boot + Spring SecurityStormpath

PPTX

Spring Boot Authentication...and More! Stormpath

PPTX

Beautiful REST+JSON APIs with IonStormpath

PPTX

Build a Node.js Client for Your REST+JSON APIStormpath

PPTX

So long scrum, hello kanbanStormpath

PPTX

Elegant Rest Design WebinarStormpath

PPTX

Build A Killer Client For Your REST+JSON APIStormpath

PPTX

REST API Design for JAX-RS And JerseyStormpath

PDF

Getting Started With AngularStormpath

PDF

Build a REST API for your Mobile Apps using Node.jsStormpath

PDF

Building Beautiful REST APIs with ASP.NET CoreStormpath

Building Beautiful REST APIs in ASP.NET CoreStormpath

Storing User Files with Express, Stormpath, and Amazon S3Stormpath

Building Secure User Interfaces With JWTs (JSON Web Tokens)Stormpath

Custom Data Search with StormpathStormpath

Stormpath 101: Spring Boot + Spring SecurityStormpath

Spring Boot Authentication...and More! Stormpath

Beautiful REST+JSON APIs with IonStormpath

Build a Node.js Client for Your REST+JSON APIStormpath

So long scrum, hello kanbanStormpath

Elegant Rest Design WebinarStormpath

Build A Killer Client For Your REST+JSON APIStormpath

REST API Design for JAX-RS And JerseyStormpath

Getting Started With AngularStormpath

Build a REST API for your Mobile Apps using Node.jsStormpath

Building Beautiful REST APIs with ASP.NET CoreStormpath

Similar to Secure API Services in Node with Basic Auth and OAuth2 (20)

PPTX

No-Code SAML Support for SaaS Applications with StormpathLindsay Brunner

PDF

WSO2Con EU 2015: Securing, Monitoring and Monetizing APIsWSO2

PDF

Vertex AI Agent Builder - GDG Alicante - Julio 2024Nicolás Lopéz

PDF

SPUnite17 Creating Scalable Cloud SolutionsNCCOMMS

PPTX

CA CloudMinder Vasu SurabhiVasu Surabhi

PDF

Quality assurance-for-a-blockchain-based-solutionCygnet Infotech

PDF

Quality assurance-for-a-blockchain-based-solutionMaitrikpaida

PDF

04_Extending and Securing Enterprise Applications in Microsoft Azure_GAB2019Kumton Suttiraksiri

DOC

Prakhar Sood-Resume-CVPrakhar Sood

PDF

Company and Market OverviewOkta-Inc

PDF

Develop enterprise-ready applications for Microsoft TeamsMarkus Moeller

PPT

Fédération d’identité : des concepts Théoriques aux études de cas d’implément...e-Xpert Solutions SA

PPSX

Skill_Level_ StriderTushar R

PPTX

How to plan your Modern Workplace Project - SPS Denver October 2018Ammar Hasayen

PPTX

Identity Summit 2015: EnerNOC Case Study: The Transformation of IAM for EnerN...ForgeRock

PDF

Client & Virtual User Experience Monitoring mit SplunkGeorg Knon

PDF

Client & Virtual User Experience Monitoring mit SplunkGeorg Knon

PPTX

Synergies across APIs and IAMSagara Gunathunga

PPTX

Secure and Optimize APIs using Azure API ManagementBizTalk360

PPT

Iam suite introductionwardell henley

No-Code SAML Support for SaaS Applications with StormpathLindsay Brunner

WSO2Con EU 2015: Securing, Monitoring and Monetizing APIsWSO2

Vertex AI Agent Builder - GDG Alicante - Julio 2024Nicolás Lopéz

SPUnite17 Creating Scalable Cloud SolutionsNCCOMMS

CA CloudMinder Vasu SurabhiVasu Surabhi

Quality assurance-for-a-blockchain-based-solutionCygnet Infotech

Quality assurance-for-a-blockchain-based-solutionMaitrikpaida

04_Extending and Securing Enterprise Applications in Microsoft Azure_GAB2019Kumton Suttiraksiri

Prakhar Sood-Resume-CVPrakhar Sood

Company and Market OverviewOkta-Inc

Develop enterprise-ready applications for Microsoft TeamsMarkus Moeller

Fédération d’identité : des concepts Théoriques aux études de cas d’implément...e-Xpert Solutions SA

Skill_Level_ StriderTushar R

How to plan your Modern Workplace Project - SPS Denver October 2018Ammar Hasayen

Identity Summit 2015: EnerNOC Case Study: The Transformation of IAM for EnerN...ForgeRock

Client & Virtual User Experience Monitoring mit SplunkGeorg Knon

Synergies across APIs and IAMSagara Gunathunga

Secure and Optimize APIs using Azure API ManagementBizTalk360

Iam suite introductionwardell henley

Recently uploaded (20)

PPTX

reInforce 2025 Lightning Talk - Scott Francis.pptxScottFrancis51

PDF

Optimizing the trajectory of a wheel loader working in short loading cyclesReno Filla

PPTX

UserCon Belgium: Honey, VMware increased my billstijn40

PDF

Automating the Geo-Referencing of Historic Aerial Photography in FlandersSafe Software

PDF

EIS-Webinar-Engineering-Retail-Infrastructure-06-16-2025.pdfEarley Information Science

PPTX

MARTSIA: A Tool for Confidential Data Exchange via Public Blockchain - Pitch ...Michele Kryston

PDF

Hyderabad MuleSoft In-Person Meetup (June 21, 2025) SlidesRavi Tamada

PDF

My Journey from CAD to BIM: A True Underdog StorySafe Software

PDF

Plugging AI into everything: Model Context Protocol Simplified.pdfAbati Adewale

PDF

Quantum AI Discoveries: Fractal Patterns Consciousness and Cyclical UniversesSaikat Basu

PDF

Open Source Milvus Vector Database v 2.6Zilliz

PDF

2025_06_18 - OpenMetadata Community Meeting.pdfOpenMetadata

PDF

FME as an Orchestration Tool with Principles From Data GravitySafe Software

PDF

The Future of Product Management in AI ERA.pdfAlyona Owens

PDF

LLM Search Readiness Audit - Dentsu x SEO Square - June 2025.pdfNick Samuel

PPTX

𝙳𝚘𝚠𝚗𝚕𝚘𝚊𝚍—Wondershare Filmora Crack 14.0.7 + Key Download 2025sebastian aliya

PPTX

MARTSIA: A Tool for Confidential Data Exchange via Public Blockchain - Poster...Michele Kryston

PDF

Database Benchmarking for Performance Masterclass: Session 1 - Benchmarking F...ScyllaDB

PPTX

CapCut Pro Crack For PC Latest Version {Fully Unlocked} 2025pcprocore

PDF

5 Things to Consider When Deploying AI in Your EnterpriseSafe Software

reInforce 2025 Lightning Talk - Scott Francis.pptxScottFrancis51

Optimizing the trajectory of a wheel loader working in short loading cyclesReno Filla

UserCon Belgium: Honey, VMware increased my billstijn40

Automating the Geo-Referencing of Historic Aerial Photography in FlandersSafe Software

EIS-Webinar-Engineering-Retail-Infrastructure-06-16-2025.pdfEarley Information Science

MARTSIA: A Tool for Confidential Data Exchange via Public Blockchain - Pitch ...Michele Kryston

Hyderabad MuleSoft In-Person Meetup (June 21, 2025) SlidesRavi Tamada

My Journey from CAD to BIM: A True Underdog StorySafe Software

Plugging AI into everything: Model Context Protocol Simplified.pdfAbati Adewale

Quantum AI Discoveries: Fractal Patterns Consciousness and Cyclical UniversesSaikat Basu

Open Source Milvus Vector Database v 2.6Zilliz

2025_06_18 - OpenMetadata Community Meeting.pdfOpenMetadata

FME as an Orchestration Tool with Principles From Data GravitySafe Software

The Future of Product Management in AI ERA.pdfAlyona Owens

LLM Search Readiness Audit - Dentsu x SEO Square - June 2025.pdfNick Samuel

𝙳𝚘𝚠𝚗𝚕𝚘𝚊𝚍—Wondershare Filmora Crack 14.0.7 + Key Download 2025sebastian aliya

MARTSIA: A Tool for Confidential Data Exchange via Public Blockchain - Poster...Michele Kryston

Database Benchmarking for Performance Masterclass: Session 1 - Benchmarking F...ScyllaDB

CapCut Pro Crack For PC Latest Version {Fully Unlocked} 2025pcprocore

5 Things to Consider When Deploying AI in Your EnterpriseSafe Software

Secure API Services in Node with Basic Auth and OAuth2

1. Secure API Services in Node.js

2. Welcome! • Agenda • Stormpath 101 (5 mins) • How to secure an API (25 mins) • Q&A (30 mins) • Claire Hunsaker VP of Marketing & Customer Success • Randall Degges Node.js Evangelist

3. Customer Identity Poses Major Challenges

4. Speed to Market & Cost Reduction • Complete Identity solution out-of-the-box • Security best practices and updates by default • Clean & elegant API/SDKs • Little to code, no maintenance Focus on Your Core Competency

5. Stormpath User Management User Data User Workflows Google ID Your Applications Application SDK Application SDK Application SDK ID Integrations Facebook Active Directory SAML

6. Features • Secure, flexible Authentication (Password, Token, OAuth, API) • Deep Authorization Groups, Roles Customer Organizations Permissions • Customer Profile Data • Single Sign-On Across Your Apps • Hosted User Screens

7. What’s the Goal of This Talk?

8. D’oh! API Server(s)API Client API Client API Client API Client Internet

9. API Server(s)API Server(s) Browser / Mobile Web API Client Client-to-API Server-to-API

10. Basic Auth OAuth2 What’s the Goal of This Talk?

11. About API Keys…

12. [email protected] iLOVEc00kies! API Server(s)Website

13. 163e087c36c34fa4b4635995c29cf9b5:b6e7bd4c74cf430493fe03b2e30225f8 API Secret Long, random strings (uuids).

14. Let Users Have Multiple API Keys Key 1 Key 2 ID: 3c511ea2ef424dd88bc1575e7e5a2bd7 Secret: 1ae8120c1ec940638913f4e258b8f7fe ID: cc463f7aabfd4132a2211006886d05f1 Secret: 85172ea5aef144038f019b3111b5e11a

15. Creating API Keys with Stormpath req.user.createApiKey(function(err, apiKey) { if (err) throw err; console.log('New API key created!'); console.log('API Key ID:', apiKey.id); console.log('API Key Secret:', apiKey.secret); });

16. LET’S SET UP STORMPATH!

17. LET’S WRITE SOME CODE!

18. How Does Basic Auth Work? API Server(s) Authorization: Basic <base64(id:secret)> $ curl --user id:secret http://localhost:3000/api/test

19. How Does OAuth2 Work? (Step 1) API Server(s) Authorization: Basic <base64(id:secret)> Access Token $ curl --user id:secret -X POST --data grant_type=client_credentials http://localhost:3000/oauth/token

20. How Does OAuth2 Work? (Step 2) API Server(s) Authorization: Bearer <token> $ curl -H “Authorization: Bearer <token>” http://localhost:3000/api/test

21. Node & Express Resources • Talking to OAuth2 Services with Node.js https://stormpath.com/blog/talking-to-oauth2-services-with-nodejs • What the Heck is OAuth? https://stormpath.com/blog/what-the-heck-is-oauth/ • Stormpath Express Library http://docs.stormpath.com/nodejs/express/latest/ • All Our JavaScript Integrations http://docs.stormpath.com/nodejs/

22. QUESTIONS?

23. THANK YOU