OAuth 2.0 is an open standard for authorization that allows third-party applications to access a user's resources from an API on their behalf with an access token. The document discusses OAuth in the context of Ember.js applications, covering topics like obtaining access tokens, scopes that categorize protected resources, and Ember libraries that implement OAuth like ember-simple-auth and ember-oauth2. It recommends using OAuth for authenticating Ember frontend applications with APIs, and when building platforms that allow third-party clients or internal applications to access resources on a user's behalf in a controlled way.

1. OAuth&2.0
Because'API
Emberfest)29/08/14

2. Theodor'Tonum
@theodorton
Developer(@(Skalar

3. Ember&=>&API

5. OAuth&101
• Open&standard&for&authoriza2on
• Access&to&a&users'&resources
• Access&tokens&represent&user&creden2als
• Can&limit&access&through&the&use&of&scopes

6. Allowing(an(applica,on(to(act(
on(your(behalf(and(access(
informa,on(from(an(
applica,on(that(you(use.
—(gmoore,(Stack(Overflow

7. Allowing(a(frontend(
applica1on(to(act(on(your(
behalf(and(access(informa1on(
from(an(API(that(you(use.

8. OAuth&is&great&for&pla1orms

9. You$now$have$a$li-le
ecosystem$of$your$own

10. Your%applica+on%is
a%small%pla/orm

12. In#house)applica/ons)and)
OAuth

13. Obtaining(an(access(token:
The(/token(endpoint
//"POST"/token
//"Content-Type:"applica5on/json
{
""""grant_type:""password",
""""username:""foo@example.com",
""""password:""none-of-your-business"
}
//"Response
{
""""access_token:""my-secret-access-token"
}

14. Implicit(authen.ca.on:
The(/me(endpoint
//"GET"/me
//"Authoriza1on:"Bearer"my6secret6access6token
{
""""users:"[{
""""""""id:"1,
""""""""name:""Foo"Bar",
""""""""email:""foo@example.com"
""""}]
}

15. The$access$token$must$always$be$
included$in$the$Authoriza7on$header.

16. Ember&library
ember%simple%auth

17. Third&party+applica.ons+and+
OAuth

18. Obtaining(an(access(token:
The(/oauth/authorize(endpoint
var$redirectUri$=$encodeURIComponent("h6p://www.myapp.com/redirect.html");
window.loca?on$=$"h6p://www.example.com/oauth/authorize?"+
$$"response_type=token&"+
$$"client_id=CLIENT_ID&"+
$$"scopes=public"+
$$"redirect_uri="+redirectUri;

20. Receiving(the(token
//"Success"returns"to:
".../redirect.html#access_token=my:secret:access:token"
//"Fail
".../redirect.html#error=access_denied"

22. Scopes
• Categorizes,resources,(and,ac2ons),you,want,to,
protect
• Combina2on,of,nouns,and,verbs
• Presented,to,the,user,in,the,authoriza2on,step
• Examples,from,Github:,user,,public_repo,,
delete_repo

23. Ember&library
ember%oauth2

24. Authen'ca'on+is+a+means+to+an+end,
you+want+access+to+resources
• Not%part%of%the%domain
• Authoriza3on%is%clear%with%its%intent:
"I%want%access%to%your%resource%X"
• Makes%perfect%sense%for%third?party%apps
• In?house%apps%are%authorized%by%default%(skip%UI)
• Note:%OAuth%doesn't%replace%Devise%or%whatever%
authen3ca3on%library%you%use%on%the%server

25. Let's&talk&about&pla.orm

26. Your%data%may%go%places%you've%never%
expected

27. Third&party+applica.ons+are+good

28. Users%create%their%own%small%
applica1ons
IFTTT$&$Zapier$makes$users$into$developers

29. When%does%it%make%sense?
• The$modern$web$app"You"have"separated"frontend"
and"backend"with"an"Ember8app"and"an"API,"and"
you"need"a"way"of"authen>ca>ng"with"the"API
• The$pla/orm"You're"building"a"plaBorm,"want"to"let"
developers"create"third8party"clients"and"you"care"
about"your"users
• Organiza4on"Your"organiza>on"manages"a"several"
applica>ons"and"you"want"to"turn"authen>ca>on"
and"authoriza>on"into"a"service

30. Main%problems%with%OAuth?

31. For$clients:
Opinionated$
implementa2ons

32. For$providers:
Opinionated$libraries

33. Summary
• Modern(mechanism(for(auth
• Control(over(third5party(applica8ons
• Made(with(Ember.js(in(mind(5(so(simple!

34. Ques%ons?