O slideshow foi denunciado.
Seu SlideShare está sendo baixado. ×

I Don't Care About Security (And Neither Should You)

10 de Ago de 2018
1 gostou 193 visualizações
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Próximos SlideShares
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)
Carregando em…3
×

Confira estes a seguir

Secure Payments Over Mixed Communication Media
Jonathan LeBlanc
Clean code
iamAnaCortes
Error found
sikushina
Elasticsearch for Pharo Smalltalk
Sho Yoshida
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Stormpath
Speeding up Red Team engagements with carnivorall
Nullbyte Security Conference
Dr.Repi
Driton Haliti
JWT - To authentication and beyond!
Luís Cobucci
1 de 98 Anúncio

I Don't Care About Security (And Neither Should You)

10 de Ago de 2018
1 gostou 193 visualizações

Baixar para ler offline

Internet

Remember when setting up an auth system was easy? Me neither. From the signup form, the login form, password reset form, and all the validation in between it can easily take weeks if not months to get something basic up and running. Then you have to deal with all the security considerations. No thanks. During this presentation, the attendees will be introduced to OpenID and OAuth. They will learn how to leverage these technologies to create secure applications, but most importantly, they will learn why and how to delegate authorization and authentication so they can focus on their real work and forget about all that security stuff.

Remember when setting up an auth system was easy? Me neither. From the signup form, the login form, password reset form, and all the validation in between it can easily take weeks if not months to get something basic up and running. Then you have to deal with all the security considerations. No thanks. During this presentation, the attendees will be introduced to OpenID and OAuth. They will learn how to leverage these technologies to create secure applications, but most importantly, they will learn why and how to delegate authorization and authentication so they can focus on their real work and forget about all that security stuff.

Internet
Anúncio

Recomendadas

I Don't Care About Security (And Neither Should You)
Joel Lord
123 visualizações
99 slides
I Don't Care About Security
Joel Lord
247 visualizações
96 slides
PHP Identity and Data Security
Jonathan LeBlanc
32.5k visualizações
41 slides
Node.js Authentication and Data Security
Jonathan LeBlanc
2.9k visualizações
35 slides
Ruby Robots
Daniel Cukier
2k visualizações
47 slides
Token Based Authentication Systems with AngularJS & NodeJS
Hüseyin BABAL
6.2k visualizações
15 slides
Secure Payments Over Mixed Communication Media
Jonathan LeBlanc
1.3k visualizações
29 slides
Protecting the Future of Mobile Payments
Jonathan LeBlanc
1.8k visualizações
25 slides
Anúncio

Mais Conteúdo rRelacionado

Diapositivos para si (20)

Secure Payments Over Mixed Communication Media
Jonathan LeBlanc
677 visualizações
Clean code
iamAnaCortes
1.4k visualizações
Error found
sikushina
644 visualizações
Elasticsearch for Pharo Smalltalk
Sho Yoshida
2.1k visualizações
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Stormpath
11.9k visualizações
Speeding up Red Team engagements with carnivorall
Nullbyte Security Conference
802 visualizações
Dr.Repi
Driton Haliti
216.8k visualizações
JWT - To authentication and beyond!
Luís Cobucci
3.7k visualizações
Representing Material Culture Online: Historic Clothing in Omeka
Arden Kirkland
1k visualizações
Havij dork
iyusrusnadi
80.8k visualizações
前端概述
Ethan Zhang
560 visualizações
R57php 1231677414471772-2
ady36
1.8k visualizações
I Don't Care About Security (And Neither Should You)
Joel Lord
232 visualizações
A bug bounty tale: Chrome, stylesheets, cookies, and AES
cgvwzq
304 visualizações
Yuriy Voziy "Fantastic Template Strings and Where to Use Them"
LogeekNightUkraine
81 visualizações
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
7.6k visualizações
Index chrome
Heverton Peres
159k visualizações
FrontInBahia 2014: 10 dicas de desempenho para apps mobile híbridas
Loiane Groner
1.5k visualizações
T1
TH Schee
1.2k visualizações
Anex....,,,.
Carlos Catanejo
36.2k visualizações
Secure Payments Over Mixed Communication Media
Jonathan LeBlanc
677 visualizações
23 slides
Clean code
iamAnaCortes
1.4k visualizações
25 slides
Error found
sikushina
644 visualizações
10 slides
Elasticsearch for Pharo Smalltalk
Sho Yoshida
2.1k visualizações
36 slides
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Stormpath
11.9k visualizações
63 slides
Speeding up Red Team engagements with carnivorall
Nullbyte Security Conference
802 visualizações
23 slides

Semelhante a I Don't Care About Security (And Neither Should You) (20)

I Don't Care About Security (And Neither Should You)
Joel Lord
208 visualizações
Modern API Security with JSON Web Tokens
Jonathan LeBlanc
3.5k visualizações
Advanced CSRF and Stateless Anti-CSRF
johnwilander
7.6k visualizações
Securing Java EE Web Apps
Frank Kim
4.8k visualizações
Quick run in with Swagger
Mesh Korea
3.9k visualizações
Building a real life application in node js
fakedarren
20.3k visualizações
Finding things on the web with BOSS
Christian Heilmann
795 visualizações
RoadSec 2017 - Trilha AppSec - APIs Authorization
Erick Belluci Tedeschi
368 visualizações
How to test complex SaaS applications - The family july 2014
Guillaume POTIER
669 visualizações
Api
randyhoyt
919 visualizações
Twas the night before Malware...
DoktorMandrake
32k visualizações
Going realtime with Socket.IO
Christian Joudrey
7.5k visualizações
External Data Access with jQuery
Doncho Minkov
18.1k visualizações
Make WordPress realtime.
Josh Hillier
1.6k visualizações
Roll Your Own API Management Platform with nginx and Lua
Jon Moore
47.4k visualizações
REST with Eve and Python
PiXeL16
1.9k visualizações
How to implement golang jwt authentication and authorization
Katy Slemon
70 visualizações
Token Based Authentication Systems
Hüseyin BABAL
1.3k visualizações
Mojolicious. Веб в коробке!
Anatoly Sharifulin
786 visualizações
API Pain Points (PHPNE)
Phil Sturgeon
2.6k visualizações
I Don't Care About Security (And Neither Should You)
Joel Lord
208 visualizações
99 slides
Modern API Security with JSON Web Tokens
Jonathan LeBlanc
3.5k visualizações
41 slides
Advanced CSRF and Stateless Anti-CSRF
johnwilander
7.6k visualizações
92 slides
Securing Java EE Web Apps
Frank Kim
4.8k visualizações
40 slides
Quick run in with Swagger
Mesh Korea
3.9k visualizações
17 slides
Building a real life application in node js
fakedarren
20.3k visualizações
37 slides
Anúncio

Mais de Joel Lord (20)

From Ceasar Cipher To Quantum Cryptography
Joel Lord
403 visualizações
I Don't Care About Security (And Neither Should You)
Joel Lord
669 visualizações
I Don't Care About Security (And Neither Should You)
Joel Lord
157 visualizações
I Don't Care About Security (And Neither Should You)
Joel Lord
321 visualizações
Forgot Password? Yes I Did!
Joel Lord
431 visualizações
I Don't Care About Security (And Neither Should You)
Joel Lord
153 visualizações
Mot de passe oublié? Absolument!
Joel Lord
192 visualizações
Asynchronicity: concurrency. A tale of
Joel Lord
283 visualizações
Learning Machine Learning
Joel Lord
451 visualizações
Forgot Password? Yes I Did!
Joel Lord
295 visualizações
WTH is a JWT
Joel Lord
909 visualizações
Forgot Password? Yes I Did!
Joel Lord
112 visualizações
WTH is a JWT
Joel Lord
310 visualizações
Asynchonicity: concurrency. A tale of
Joel Lord
358 visualizações
Secure your SPA with Auth0
Joel Lord
328 visualizações
Learning Machine Learning
Joel Lord
343 visualizações
Learning Machine Learning
Joel Lord
241 visualizações
Rise of the Nodebots
Joel Lord
260 visualizações
Let's Get Physical
Joel Lord
279 visualizações
Learning About Machine Learning
Joel Lord
308 visualizações
From Ceasar Cipher To Quantum Cryptography
Joel Lord
403 visualizações
185 slides
I Don't Care About Security (And Neither Should You)
Joel Lord
669 visualizações
131 slides
I Don't Care About Security (And Neither Should You)
Joel Lord
157 visualizações
128 slides
I Don't Care About Security (And Neither Should You)
Joel Lord
321 visualizações
121 slides
Forgot Password? Yes I Did!
Joel Lord
431 visualizações
61 slides
I Don't Care About Security (And Neither Should You)
Joel Lord
153 visualizações
126 slides

Mais recentes (20)

003065 MC JZ CUMI.pdf
YenniOktavia1
2 visualizações
React js developers for hire
AlifiyaMustafa2
2 visualizações
Chapter_12.ppt
Suresh Waghmode
3 visualizações
ABN Oppa - IT Operations 2023 - EN .pdf
Steven Nguyen
2 visualizações
pythagthm.ppt
nestthecasidsid2
2 visualizações
Welcome address for lamp lighting ceremony.pptx
anjalatchi
3 visualizações
Chat Bot .pptx
analyticsdada
4 visualizações
Internet_Addiction.pptx
ssuserd66a40
2 visualizações
WORLD GLUCOMA DAY AWARENESS DAY 2023 (2).pptx
anjalatchi
3 visualizações
UNIT 1 FOC.pptx
AnchalLuthra3
2 visualizações
S05.s2-Preparación para la PC1 (material) 2022 marzo.docx
AntonyTarazonaPielag
5 visualizações
wirelessnetworks-ppt-140909071911-phpapp02.pdf
kouyepwanko
2 visualizações
111.pptx
JESUNPK
2 visualizações
Apply Problem Solving Techniques to Routine Malfunctions.pptx
wesendesta2
2 visualizações
CONCURRENT TERNARY GALOIS-BASED COMPUTATION USING NANO-APEX MULTIPLEXING NIBS...
VLSICS Design
3 visualizações
Importance of hand washing.pptx
anjalatchi
3 visualizações
Trends That Will Drive the Future of Mobile Apps.pdf
Alakmalak Technologies Pvt. Ltd.
0 visualizações
Labour Room Quality Improvement Initiative (LaQshya).pptx
anjalatchi
2 visualizações
examen mensual de personal social.docx
GustavoArguedas2
3 visualizações
01-Decomposição.pdf
RaquelRodrigues225
2 visualizações
003065 MC JZ CUMI.pdf
YenniOktavia1
2 visualizações
1 slide
React js developers for hire
AlifiyaMustafa2
2 visualizações
1 slide
Chapter_12.ppt
Suresh Waghmode
3 visualizações
27 slides
ABN Oppa - IT Operations 2023 - EN .pdf
Steven Nguyen
2 visualizações
15 slides
pythagthm.ppt
nestthecasidsid2
2 visualizações
16 slides
Welcome address for lamp lighting ceremony.pptx
anjalatchi
3 visualizações
17 slides
Anúncio

I Don't Care About Security (And Neither Should You)

  1. 1. I Don’t Care About Security And Neither Should You
  2. 2. @joel__lord #SFNode About Me @joel__lord joellord
  3. 3. @joel__lord #midwestjs About Me @joel__lord joellord
  4. 4. @joel__lord #midwestjs OAuth - Flows Authorization Code
  5. 5. @joel__lord #midwestjs OAuth - Flows Authorization Code
  6. 6. @joel__lord #midwestjs OAuth - Flows Authorization Code
  7. 7. That reminds me of OAuth!
  8. 8. @joel__lord #midwestjs OAuth - Flows Authorization Code
  9. 9. @joel__lord #midwestjs OAuth - Flows Authorization Code
  10. 10. @joel__lord #midwestjs OAuth - Flows Authorization Code
  11. 11. @joel__lord #midwestjs OAuth - Flows Authorization Code
  12. 12. @joel__lord #midwestjs OAuth - Flows Authorization Code
  13. 13. @joel__lord #midwestjs OAuth - Flows Authorization Code
  14. 14. But Why?
  15. 15. Delegation!
  16. 16. Traditional Applications ! Browser requests a login page
  17. 17. Traditional Applications ! Browser requests a login page
  18. 18. Traditional Applications ! Browser requests a login page
  19. 19. Traditional Applications ! Browser requests a login page ! The server validates on its database
  20. 20. Traditional Applications ! Browser requests a login page ! The server validates on its database 👍
  21. 21. Traditional Applications ! Browser requests a login page ! The server validates on its database ! It creates a session and provides a cookie identifier
  22. 22. What’s wrong with traditional auth? ! Multiple platforms connecting to your application
  23. 23. What’s wrong with traditional auth? ! Multiple platforms connecting to your application ! Tightly coupled
  24. 24. What’s wrong with traditional auth? ! Multiple platforms connecting to your application ! Tightly coupled ! Sharing credentials to connect to another API
  25. 25. What’s wrong with traditional auth? ! Multiple platforms connecting to your application ! Tightly coupled ! Sharing credentials to connect to another API ! Users have a gazillion passwords to remember, which increases security risks
  26. 26. OAuth
  27. 27. OAuth - The Flows Authorization Code
  28. 28. @joel__lord #midwestjs Authentication Flows Authorization Code
  29. 29. @joel__lord #midwestjs Authentication Flows Authorization Code
  30. 30. @joel__lord #midwestjs Authentication Flows Authorization Code
  31. 31. @joel__lord #midwestjs Authentication Flows Authorization Code
  32. 32. @joel__lord #midwestjs Authentication Flows Authorization Code
  33. 33. @joel__lord #midwestjs Authentication Flows Authorization Code
  34. 34. OAuth - The Flows Implicit Flow
  35. 35. @joel__lord #midwestjs Authentication Flows Implicit Flow
  36. 36. @joel__lord #midwestjs Authentication Flows Implicit Flow
  37. 37. @joel__lord #midwestjs Authentication Flows Implicit Flow
  38. 38. @joel__lord #midwestjs Authentication Flows Implicit Flow
  39. 39. @joel__lord #midwestjs Authentication Flows Implicit Flow
  40. 40. @joel__lord #midwestjs Authentication Flows Implicit Flow
  41. 41. Tokens 101
  42. 42. @joel__lord #midwestjs OAuth Tokens Access Token Refresh Token ! Give you access to a resource ! Controls access to your API ! Short lived ! Enables you to get a new token ! Longed lived ! Can be revoked
  43. 43. @joel__lord #midwestjs OAuth Tokens Refresh Token ! Enables you to get a new token ! Longed lived ! Can be revoked
  44. 44. @joel__lord #midwestjs OAuth Tokens Refresh Token ! Enables you to get a new token ! Longed lived ! Can be revoked
  45. 45. @joel__lord #midwestjs OAuth Tokens ! WS-Federated ! SAML ! JWT ! Custom stuff ! More…
  46. 46. JSON Web Token ! Header ! Payload ! Signature Header { "alg": "HS256", "typ": "JWT" } Payload { "sub": "1234567890", "name": "Joel Lord", "scope": "posts:read posts:write" } Signature HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
  47. 47. JSON Web Token ! Header ! Payload ! Signature Header eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 Payload eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvZWwgTG 9yZCIsImFkbWluIjp0cnVlLCJzY29wZSI6InBvc3RzOnJlY WQgcG9zdHM6d3JpdGUifQ Signature XesR-pKdlscHfUwoKvHnACqfpe2ywJ6t1BJKsq9rEcg
  48. 48. JSON Web Token ! Header ! Payload ! Signature eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj M0NTY3ODkwIiwibmFtZSI6IkpvZWwgTG9yZCIsImFkbWl uIjp0cnVlLCJzY29wZSI6InBvc3RzOnJlYWQgcG9zdHM6d 3JpdGUifQ.XesR- pKdlscHfUwoKvHnACqfpe2ywJ6t1BJKsq9rEcg
  49. 49. JSON Web Token ! Header ! Payload ! Signature Image: https://jwt.io
  50. 50. Codiiiing Time!
  51. 51. Auth Server API var express = require('express'); var Webtask = require('webtask-tools'); var bodyParser = require('body-parser'); var randopeep = require("randopeep"); var jwt = require("jsonwebtoken"); var app = express(); var users = [ {id: 1, username: "joellord", password: "joellord"}, {id: 2, username: "guest", password: "guest"} ]; app.use(bodyParser.json()); app.post("/login", function(req, res) { if (!req.body.username || !req.body.password) return res.status(400).send("Need username and password"); var user = users.find(function(u) { return u.username === req.body.username && u.password === req.body.password; }); if (!user) return res.status(401).send("User not found"); var token = jwt.sign({ sub: user.id, scope: "api:read", username: user.username }, "mysupersecret", {expiresIn: "10 minutes"}); res.status(200).send({token: token}); }); app.get('*', function (req, res) { res.sendStatus(404); }); module.exports = Webtask.fromExpress(app); var express = require('express'); var Webtask = require('webtask-tools'); var bodyParser = require('body-parser'); var jwt = require("jsonwebtoken"); var app = express(); var users = [ {id: 1, username: "joellord", password: "joellord"}, {id: 2, username: "guest", password: "guest"} ]; app.use(bodyParser.urlencoded()); app.get("/login", function(req, res) { var loginForm = "<form method='post'><input type=hidden name=callback value='" + req.query.callback + "'><input type=text name=username /><input type=text name=password / ><input type=submit></form>"; res.status(200).send(loginForm); }); app.post("/login", function(req, res) { if (!req.body.username || !req.body.password) return res.status(400).send("Need username and password"); var user = users.find(function(u) { return u.username === req.body.username && u.password === req.body.password; }); if (!user) return res.status(401).send("User not found"); var token = jwt.sign({ sub: user.id, scope: "api:read", username: user.username }, "mysupersecret", {expiresIn: "10 minutes"}); res.redirect(req.body.callback + "#access_token=" + token); }); app.get('*', function (req, res) { res.sendStatus(404); });
  52. 52. @joel__lord #midwestjs Auth Server var express = require('express'); var bodyParser = require('body-parser'); var jwt = require("jsonwebtoken"); var app = express(); // ...
  53. 53. @joel__lord #midwestjs Auth Server var express = require('express'); var bodyParser = require('body-parser'); var jwt = require("jsonwebtoken"); var app = express(); // ...
  54. 54. @joel__lord #midwestjs Auth Server var express = require('express'); var bodyParser = require('body-parser'); var jwt = require("jsonwebtoken"); var app = express(); // ...
  55. 55. @joel__lord #midwestjs Auth Server var express = require('express'); var bodyParser = require('body-parser'); var jwt = require("jsonwebtoken"); var app = express(); // ...
  56. 56. @joel__lord #midwestjs Auth Server // Requires ... var users = [ {id: 1, username: "joellord", password: "joellord"}, {id: 2, username: "guest", password: "guest"} ];
  57. 57. @joel__lord #midwestjs Auth Server // Requires ... var users = [...]; app.use(bodyParser.urlencoded()); app.post("/login", function(req, res) { // POST for login }); app.get('*', function (req, res) { res.sendStatus(404); });
  58. 58. @joel__lord #midwestjs Auth Server // Requires ... var users = [...]; app.use(bodyParser.urlencoded()); app.post("/login", function(req, res) { // POST for login }); app.get('*', function (req, res) { res.sendStatus(404); });
  59. 59. @joel__lord #midwestjs Auth Server app.post("/login", function(req, res) { // POST for login if (!req.body.username || !req.body.password) return res.status(400).send("Need username and password"); var user = users.find(function(u) { return u.username === req.body.username && u.password === req.body.password; }); if (!user) return res.status(401).send("User not found"); var token = jwt.sign({ sub: user.id, scope: "api:read", username: user.username }, "mysupersecret", {expiresIn: "10 minutes"}); res.redirect(req.body.callback + "#access_token=" + token); });
  60. 60. @joel__lord #midwestjs Auth Server app.post("/login", function(req, res) { // POST for login if (!req.body.username || !req.body.password) return res.status(400).send("Need username and password"); var user = users.find(function(u) { return u.username === req.body.username && u.password === req.body.password; }); if (!user) return res.status(401).send("User not found"); var token = jwt.sign({ sub: user.id, scope: "api:read", username: user.username }, "mysupersecret", {expiresIn: "10 minutes"}); res.redirect(req.body.callback + "#access_token=" + token); });
  61. 61. @joel__lord #midwestjs Auth Server app.post("/login", function(req, res) { // POST for login if (!req.body.username || !req.body.password) return res.status(400).send("Need username and password"); var user = users.find(function(u) { return u.username === req.body.username && u.password === req.body.password; }); if (!user) return res.status(401).send("User not found"); var token = jwt.sign({ sub: user.id, scope: "api:read", username: user.username }, "mysupersecret", {expiresIn: "10 minutes"}); res.redirect(req.body.callback + "#access_token=" + token); });
  62. 62. @joel__lord #midwestjs Auth Server app.post("/login", function(req, res) { // POST for login if (!req.body.username || !req.body.password) return res.status(400).send("Need username and password"); var user = users.find(function(u) { return u.username === req.body.username && u.password === req.body.password; }); if (!user) return res.status(401).send("User not found"); var token = jwt.sign({ sub: user.id, scope: "api:read", username: user.username }, "mysupersecret", {expiresIn: "10 minutes"}); res.redirect(req.body.callback + "#access_token=" + token); });
  63. 63. @joel__lord #midwestjs Auth Server // Requires ... var users = [...]; app.use(bodyParser.urlencoded()); app.post("/login", function(req, res) { // POST for login }); app.get('*', function (req, res) { res.sendStatus(404); }); app.listen(8080, () => console.log("Auth server running on 8080"));}
  64. 64. @joel__lord #midwestjs API var express = require('express'); var bodyParser = require('body-parser'); var randopeep = require("randopeep"); var expressjwt = require("express-jwt"); var app = express();
  65. 65. @joel__lord #midwestjs API var express = require('express'); var bodyParser = require('body-parser'); var randopeep = require("randopeep"); var expressjwt = require("express-jwt"); var app = express();
  66. 66. @joel__lord #midwestjs API var express = require('express'); var bodyParser = require('body-parser'); var randopeep = require("randopeep"); var expressjwt = require("express-jwt"); var app = express();
  67. 67. @joel__lord #midwestjs API var express = require('express'); var bodyParser = require('body-parser'); var randopeep = require("randopeep"); var expressjwt = require("express-jwt"); var app = express();
  68. 68. @joel__lord #midwestjs API var express = require('express'); var bodyParser = require('body-parser'); var randopeep = require("randopeep"); var expressjwt = require("express-jwt"); var app = express();
  69. 69. @joel__lord #midwestjs API // Requires ... var jwtCheck = expressjwt({ secret: "mysupersecret" });
  70. 70. @joel__lord #midwestjs API // Requires and config ... app.get("/headline", function(req, res) { // Unprotected res.status(200).send(randopeep.clickbait.headline()); }); app.get("/protected/headline", jwtCheck, function(req, res) { // Protected res.status(200).send(randopeep.clickbait.headline("Joel Lord")); }); app.get('*', function (req, res) { res.sendStatus(404); });
  71. 71. @joel__lord #midwestjs API // Requires and config ... app.get("/headline", function(req, res) { // Unprotected res.status(200).send(randopeep.clickbait.headline()); }); app.get("/protected/headline", jwtCheck, function(req, res) { // Protected res.status(200).send(randopeep.clickbait.headline("Joel Lord")); }); app.get('*', function (req, res) { res.sendStatus(404); });
  72. 72. @joel__lord #midwestjs API // Requires and config ... app.get("/headline", function(req, res) { // Unprotected res.status(200).send(randopeep.clickbait.headline()); }); app.get("/protected/headline", jwtCheck, function(req, res) { // Protected res.status(200).send(randopeep.clickbait.headline("Joel Lord")); }); app.get('*', function (req, res) { res.sendStatus(404); });
  73. 73. @joel__lord #midwestjs API // Requires and config ... app.get("/headline", function(req, res) { // Unprotected res.status(200).send(randopeep.clickbait.headline()); }); app.get("/protected/headline", jwtCheck, function(req, res) { // Protected res.status(200).send(randopeep.clickbait.headline("Joel Lord")); }); app.get('*', function (req, res) { res.sendStatus(404); });
  74. 74. @joel__lord #midwestjs API // Requires and config ... app.get("/headline", function(req, res) { // Unprotected }); app.get("/protected/headline", jwtCheck, function(req, res) { // Protected }); app.get('*', function (req, res) { res.sendStatus(404); }); app.listen(8888, () => console.log("API listening on 8888"));
  75. 75. @joel__lord #midwestjs Front-End Add the headers
  76. 76. Live Demo https://github.com/joellord/ secure-spa-auth0
  77. 77. Delegation!
  78. 78. Introducing OpenID Connect
  79. 79. @joel__lord #midwestjs OpenID Connect ! Built on top of OAuth 2.0 ! OpenID Connect (OIDC) is to OpenID what Javascript is to Java ! Provides Identity Tokens in JWT format ! Uses a /userinfo endpoint to provide the info
  80. 80. @joel__lord #midwestjs OpenID Connect Scopes ! openid ! profile ! email ! address ! phone
  81. 81. @joel__lord #midwestjs OpenID Connect Flows Authorization Code scope=openid%20profile
  82. 82. @joel__lord #midwestjs Authentication Flows Authorization Code
  83. 83. @joel__lord #midwestjs Authentication Flows Authorization Code
  84. 84. @joel__lord #midwestjs Authentication Flows Authorization Code /userinfo
  85. 85. @joel__lord #midwestjs OpenID Connect Full flow https://openidconnect.net
  86. 86. Delegation!
  87. 87. I Don’t Care About Security @joel__lord joellord MidwestJS, Minneapolis, MN August 10, 2018

×