Secure API Services in Node with Basic Auth and OAuth2

Dec 10, 2015Download as pptx, pdf

4 likes1,958 views

The document outlines a presentation focused on securing API services in Node.js, detailing features of Stormpath such as user management, flexible authentication, and single sign-on integration. It includes discussions on API key creation, basic authentication, and OAuth2 implementation steps. Resources for further learning on OAuth2 services and Stormpath libraries are also provided.

Technology

Welcome!
• Agenda
• Stormpath 101 (5 mins)
• How to secure an API (25 mins)
• Q&A (30 mins)
• Claire Hunsaker
VP of Marketing & Customer Success
• Randall Degges
Node.js Evangelist

Customer Identity Poses Major Challenges

Speed to Market & Cost Reduction
• Complete Identity solution out-of-the-box
• Security best practices and updates by default
• Clean & elegant API/SDKs
• Little to code, no maintenance
Focus on Your Core Competency

Stormpath User Management
User Data
User
Workflows Google ID
Your Applications
Application SDK
Application SDK
Application SDK
ID Integrations
Facebook
Active
Directory
SAML

D’oh!
API Server(s)API Client
API Client
API Client
API Client
Internet

API Server(s)API Server(s)
Browser / Mobile
Web
API Client
Client-to-API Server-to-API

Basic Auth OAuth2
What’s the Goal of This Talk?

randall@stormpath.com
iLOVEc00kies!
API Server(s)Website

163e087c36c34fa4b4635995c29cf9b5:b6e7bd4c74cf430493fe03b2e30225f8
API Secret
Long, random strings (uuids).

Let Users Have Multiple API Keys
Key 1 Key 2
ID: 3c511ea2ef424dd88bc1575e7e5a2bd7
Secret: 1ae8120c1ec940638913f4e258b8f7fe
ID: cc463f7aabfd4132a2211006886d05f1
Secret: 85172ea5aef144038f019b3111b5e11a

Creating API Keys with Stormpath
req.user.createApiKey(function(err, apiKey) {
if (err) throw err;
console.log('New API key created!');
console.log('API Key ID:', apiKey.id);
console.log('API Key Secret:',
apiKey.secret);
});

How Does Basic Auth Work?
API Server(s)
Authorization: Basic <base64(id:secret)>
$ curl --user id:secret http://localhost:3000/api/test

How Does OAuth2 Work? (Step 1)
API Server(s)
Authorization: Basic <base64(id:secret)>
Access Token
$ curl --user id:secret
-X POST
--data grant_type=client_credentials
http://localhost:3000/oauth/token

How Does OAuth2 Work? (Step 2)
API Server(s)
Authorization: Bearer <token>
$ curl -H “Authorization: Bearer <token>”
http://localhost:3000/api/test

Node & Express Resources
• Talking to OAuth2 Services with Node.js
https://stormpath.com/blog/talking-to-oauth2-services-with-nodejs
• What the Heck is OAuth?
https://stormpath.com/blog/what-the-heck-is-oauth/
• Stormpath Express Library
http://docs.stormpath.com/nodejs/express/latest/
• All Our JavaScript Integrations
http://docs.stormpath.com/nodejs/

More Related Content

What's hot (20)

PPTX

Token Authentication for Java ApplicationsStormpath

PPTX

Browser Security 101 Stormpath

PDF

Authentication: Cookies vs JWTs and why you’re doing it wrongDerek Perkins

PPTX

Single-Page-Application & REST securityIgor Bossenko

PPTX

API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...CA API Management

PDF

Super simple application security with Apache ShiroMarakana Inc.

PPTX

Secure Your REST API (The Right Way)Stormpath

PDF

ConFoo 2015 - Securing RESTful resources with OAuth2Rodrigo Cândido da Silva

PPTX

Api security teodorcotruta

PPTX

ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraDataStax Academy

PDF

JavaOne 2014 - Securing RESTful Resources with OAuth2Rodrigo Cândido da Silva

PPTX

Rest API SecurityStormpath

PPTX

Best Practices in Building an API Security EcosystemPrabath Siriwardena

PDF

JWTs in Java for CSRF and MicroservicesStormpath

PPTX

Spring SecurityManish Sharma

PPTX

Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Will Tran

PPTX

Intro to Apache ShiroClaire Hunsaker

PPTX

D@W REST securityGaurav Sharma

PPTX

Instant Security & Scalable User Management with Spring BootStormpath

PPTX

Securing RESTful APIs using OAuth 2 and OpenID ConnectJonathan LeBlanc

Token Authentication for Java ApplicationsStormpath

Browser Security 101 Stormpath

Authentication: Cookies vs JWTs and why you’re doing it wrongDerek Perkins

Single-Page-Application & REST securityIgor Bossenko

API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...CA API Management

Super simple application security with Apache ShiroMarakana Inc.

Secure Your REST API (The Right Way)Stormpath

ConFoo 2015 - Securing RESTful resources with OAuth2Rodrigo Cândido da Silva

Api security teodorcotruta

ApacheCon 2014: Infinite Session Clustering with Apache Shiro & CassandraDataStax Academy

JavaOne 2014 - Securing RESTful Resources with OAuth2Rodrigo Cândido da Silva

Rest API SecurityStormpath

Best Practices in Building an API Security EcosystemPrabath Siriwardena

JWTs in Java for CSRF and MicroservicesStormpath

Spring SecurityManish Sharma

Enabling Cloud Native Security with OAuth2 and Multi-Tenant UAA Will Tran

Intro to Apache ShiroClaire Hunsaker

D@W REST securityGaurav Sharma

Instant Security & Scalable User Management with Spring BootStormpath

Securing RESTful APIs using OAuth 2 and OpenID ConnectJonathan LeBlanc

Viewers also liked (15)

PDF

Building Beautiful REST APIs in ASP.NET CoreStormpath

PPTX

Storing User Files with Express, Stormpath, and Amazon S3Stormpath

PPTX

Building Secure User Interfaces With JWTs (JSON Web Tokens)Stormpath

PPTX

Custom Data Search with StormpathStormpath

PPTX

Stormpath 101: Spring Boot + Spring SecurityStormpath

PPTX

Spring Boot Authentication...and More! Stormpath

PPTX

Beautiful REST+JSON APIs with IonStormpath

PPTX

Build a Node.js Client for Your REST+JSON APIStormpath

PPTX

So long scrum, hello kanbanStormpath

PPTX

Elegant Rest Design WebinarStormpath

PPTX

Build A Killer Client For Your REST+JSON APIStormpath

PPTX

REST API Design for JAX-RS And JerseyStormpath

PDF

Getting Started With AngularStormpath

PDF

Build a REST API for your Mobile Apps using Node.jsStormpath

PDF

Building Beautiful REST APIs with ASP.NET CoreStormpath

Building Beautiful REST APIs in ASP.NET CoreStormpath

Storing User Files with Express, Stormpath, and Amazon S3Stormpath

Building Secure User Interfaces With JWTs (JSON Web Tokens)Stormpath

Custom Data Search with StormpathStormpath

Stormpath 101: Spring Boot + Spring SecurityStormpath

Spring Boot Authentication...and More! Stormpath

Beautiful REST+JSON APIs with IonStormpath

Build a Node.js Client for Your REST+JSON APIStormpath

So long scrum, hello kanbanStormpath

Elegant Rest Design WebinarStormpath

Build A Killer Client For Your REST+JSON APIStormpath

REST API Design for JAX-RS And JerseyStormpath

Getting Started With AngularStormpath

Build a REST API for your Mobile Apps using Node.jsStormpath

Building Beautiful REST APIs with ASP.NET CoreStormpath

Similar to Secure API Services in Node with Basic Auth and OAuth2 (20)

PPT

Securing RESTful APIMuhammad Zbeedat

PDF

Protecting Your APIs Against Attack & Hijack CA API Management

PPTX

API Services: Building State-of-the-Art APIsApigee | Google Cloud

PDF

2022 APIsecure_Securing Large API EcosystemsAPIsecure_ Official

PPTX

REST API Design & DevelopmentAshok Pundit

PDF

Apidays Paris 2023 - Securing Microservice-based APIs, Michal Trojanowski, Cu...apidays

PPTX

Rest API Security - A quick understanding of Rest API SecurityMohammed Fazuluddin

PDF

A Complete Guide to Node.js Authentication and SecurityNaresh IT

PPTX

Unit 3_detailed_automotiving_mobiles.pptxVijaySasanM21IT

PDF

CIS14: Best Practices You Must Apply to Secure Your APIsCloudIDSummit

PPTX

Beautiful REST and JSON APIs - Les Hazlewoodjaxconf

PPTX

Restful apiAnurag Srivastava

PPTX

Enterprise Access Control Patterns for REST and Web APIs Gluecon 2011, Franco...CA API Management

PPTX

Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...CA API Management

PPTX

vogler good section Presentation.pptxvoglerazariah1

PDF

APIDays Paris Security Workshop42Crunch

PDF

Securing Your APIJason Austin

PPTX

APIs: The New Security LayerApigee | Google Cloud

PDF

Checkmarx meetup API Security - API Security top 10 - Erez YalonAdar Weidman

PDF

LF_APIStrat17_OWASP’s Latest Category: API UnderprotectionLF_APIStrat

Securing RESTful APIMuhammad Zbeedat

Protecting Your APIs Against Attack & Hijack CA API Management

API Services: Building State-of-the-Art APIsApigee | Google Cloud

2022 APIsecure_Securing Large API EcosystemsAPIsecure_ Official

REST API Design & DevelopmentAshok Pundit

Apidays Paris 2023 - Securing Microservice-based APIs, Michal Trojanowski, Cu...apidays

Rest API Security - A quick understanding of Rest API SecurityMohammed Fazuluddin

A Complete Guide to Node.js Authentication and SecurityNaresh IT

Unit 3_detailed_automotiving_mobiles.pptxVijaySasanM21IT

CIS14: Best Practices You Must Apply to Secure Your APIsCloudIDSummit

Beautiful REST and JSON APIs - Les Hazlewoodjaxconf

Restful apiAnurag Srivastava

Enterprise Access Control Patterns for REST and Web APIs Gluecon 2011, Franco...CA API Management

Best Practices You Must Apply to Secure Your APIs - Scott Morrison, SVP & Dis...CA API Management

vogler good section Presentation.pptxvoglerazariah1

APIDays Paris Security Workshop42Crunch

Securing Your APIJason Austin

APIs: The New Security LayerApigee | Google Cloud

Checkmarx meetup API Security - API Security top 10 - Erez YalonAdar Weidman

LF_APIStrat17_OWASP’s Latest Category: API UnderprotectionLF_APIStrat

Recently uploaded (20)

PPTX

New ThousandEyes Product Innovations: Cisco Live June 2025ThousandEyes

PDF

Plugging AI into everything: Model Context Protocol Simplified.pdfAbati Adewale

PPTX

Reimaginando la Ciberdefensa: De Copilots a Redes de AgentesCristian Garcia G.

PPTX

MARTSIA: A Tool for Confidential Data Exchange via Public Blockchain - Pitch ...Michele Kryston

PDF

''Taming Explosive Growth: Building Resilience in a Hyper-Scaled Financial Pl...Fwdays

PDF

GDG Cloud Southlake #44: Eyal Bukchin: Tightening the Kubernetes Feedback Loo...James Anderson

PDF

Dev Dives: Accelerating agentic automation with Autopilot for EveryoneUiPathCommunity

PDF

Hyderabad MuleSoft In-Person Meetup (June 21, 2025) SlidesRavi Tamada

PDF

Proactive Server and System Monitoring with FME: Using HTTP and System Caller...Safe Software

PPTX

Practical Applications of AI in Local GovernmentOnBoard

PDF

DoS Attack vs DDoS Attack_ The Silent Wars of the Internet.pdfCyberPro Magazine

PDF

How to Comply With Saudi Arabia’s National Cybersecurity Regulations.pdfBluechip Advanced Technologies

PPTX

The birth and death of Stars - earth and life sciencerizellemarieastrolo

PDF

Bridging CAD, IBM TRIRIGA & GIS with FME: The Portland Public Schools CaseSafe Software

PDF

Quantum AI Discoveries: Fractal Patterns Consciousness and Cyclical UniversesSaikat Basu

PDF

Automating the Geo-Referencing of Historic Aerial Photography in FlandersSafe Software

PPTX

Paycifi - Programmable Trust_Breakfast_PPTXTFinTech Belgium

PDF

Optimizing the trajectory of a wheel loader working in short loading cyclesReno Filla

PPTX

Enabling the Digital Artisan – keynote at ICOCI 2025Alan Dix

PDF

Redefining Work in the Age of AI - What to expect? How to prepare? Why it mat...Malinda Kapuruge