5. I want to add a filesystem feature to my application?
https://developers.google.com/drive/v3/web/about-sdk
Manage Files and Folders
Enable collaboration
Detect changes and revisions
Using Google Drive features
6. FileSystem as a Service
<?php
// Upload /tmp/photo.jpg to Google Drive with the google/apiclient PHP library.
require_once __DIR__ . '/vendor/autoload.php';

$client = new Google_Client();
$client->setAuthConfig('service-account.json'); // credentials file path is an assumption
$client->addScope(Google_Service_Drive::DRIVE_FILE);
$driveService = new Google_Service_Drive($client);
$fileMetadata = new Google_Service_Drive_DriveFile([
    'name' => 'photo.jpg'
]);
$file = $driveService->files->create($fileMetadata, [
    'data' => file_get_contents("/tmp/photo.jpg"),
    'mimeType' => 'image/jpeg',
    'uploadType' => 'multipart',
    'fields' => 'id'   // ask only for the id in the response
]);
printf("File ID: %s\n", $file->id);
7. Or think about AWS services:
S3: filesystem
Lambda: code as a service (image cropping etc.)
ElasticTranscoder: video encoding
SQS: distributed queues
SNS: distributed notifications
8. Or think about Docker
An API completely wraps the Docker Engine
Code as a service
Background tasks as a service
Think how different Docker is, thanks to its own API, from services that you cannot control programmatically
9. API to turn a light bulb ON/OFF
Now even a simple light bulb has a unique address in the world (a URI)
Continuous Integration: turn it ON on build errors
Crepuscular relay for home automation
...
POST /light/1 {"high": true}
POST /light/1 {"high": false}
GET /light/1
10. So we can decouple our system into different, reusable parts (services)
11. So now we have a machine-to-machine system; how can we authenticate and authorize actions?
12. The simplest way to authenticate is:
Basic Authentication
Example:
BASE64({username}:{password})
GET /user HTTP/1.1
Host: api.walterdalmut.com
Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Encoding: UTF-8
Content-Length: 2
Connection: close
X-Records-Count: 0
X-Records-Page: 1
X-Records-Total: 0
[]
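How a server validates that header, as an added example (not code from the slides): it decodes the Basic credential back to Aladdin:OpenSesame, looks the user up in a constructed store that keeps only a PBKDF2 hash, and compares in constant time. The user store, the salt and the function names are assumptions. Keep in mind that Basic sends the password on every request, so it is only acceptable over HTTPS.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed user store (assumption, not from the slides): username -> PBKDF2 hash.
# Only the hash is stored, so a leaked table does not hand out reusable credentials.
SALT = b"constructed-static-salt"  # use a random per-user salt in a real store


def hash_password(password: str, salt: bytes = SALT) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


USERS = {
    "Aladdin": hash_password("OpenSesame"),
}


def parse_basic(header: str):
    """Return (username, password) from an 'Authorization: Basic ...' value, or None.

    RFC 7617: the credential is base64(username ':' password). The username
    may not contain ':', so we split on the first one only.
    """
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not valid base64 / not UTF-8: reject, do not guess
    if ":" not in raw:
        return None
    username, _, password = raw.partition(":")
    return username, password


def authenticate(header: str):
    """Return the username if the Basic credentials are valid, else None."""
    creds = parse_basic(header)
    if creds is None:
        return None
    username, password = creds
    stored = USERS.get(username)
    # Hash even for unknown users so response time does not reveal which usernames exist.
    candidate = hash_password(password)
    if stored is None or not hmac.compare_digest(candidate, stored):
        return None
    return username


if __name__ == "__main__":
    # The value from the slide's request; prints "Aladdin".
    print(authenticate("Basic QWxhZGRpbjpPcGVuU2VzYW1l"))
```

The comparison uses hmac.compare_digest rather than == so a wrong password is not rejected faster at the first differing byte.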
13. If I change the password, the Basic credential changes; if I never change the password, the credential never changes (never expires)...
14. If you allow multiple passwords per user, you have a token-based authentication system
Create a login endpoint [POST /v1/login]
The user sends username and password
A new, randomly generated password is created
This randomly generated password is an authentication token
So the token is used as the validation mechanism
We can wrap the base token in a JWT
You can add expire, refresh and revoke features to complete your auth system
GET /user HTTP/1.1
Host: api.walterdalmut.com
Authorization: Bearer 35deb6aab84648dc2423cb61d3fceaa6c869a7aa
16. With this authentication scheme, can we handle the authorization?
Yes, typically role based (ADMIN, USER, etc.)
17. This authorization scheme works well for tiny applications with limited or reserved API access
With this scheme we grant authorizations over a given resource per user role, not in a fine-grained way
$this->denyUnlessAuthorized($user, $resource);
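An added example of the login endpoint, bearer-token validation with expiry and revocation, and the role-based check described on slides 14 to 17 (illustrative code, not the deck's own). The user store, the roles, the PERMISSIONS table and the handler names are assumptions. Each login mints a fresh random 160-bit token like the one on the slide, so one user can hold several "passwords" at the same time; the server stores only a hash of each token.

```python
import hashlib
import hmac
import secrets
import time

# Constructed user store (assumption, not from the slides): username -> password, role.
# Passwords are kept in clear only to keep the example short; hash them in practice.
USERS = {
    "walter": {"password": "correct horse battery staple", "role": "ADMIN"},
    "guest":  {"password": "guest", "role": "USER"},
}

# Token store: sha256(token) -> record. A leaked table then contains no usable bearer tokens.
TOKENS = {}
TOKEN_TTL = 3600  # seconds; the slide's "expire" feature


def token_key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def login(username: str, password: str, now=None):
    """POST /v1/login: check the password and mint a new random 'password' (the token)."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"].encode(), password.encode()):
        return None
    token = secrets.token_hex(20)  # 160 bits, e.g. 35deb6aa...; unguessable, never derived from the password
    TOKENS[token_key(token)] = {"user": username, "expires": now + TOKEN_TTL, "revoked": False}
    return token


def authenticate(authorization: str, now=None):
    """Resolve 'Authorization: Bearer <token>' to a username, or None."""
    now = time.time() if now is None else now
    scheme, _, token = authorization.strip().partition(" ")
    if scheme != "Bearer" or not token:
        return None
    rec = TOKENS.get(token_key(token))
    if rec is None or rec["revoked"] or now >= rec["expires"]:
        return None
    return rec["user"]


def revoke(token: str) -> bool:
    """The 'revoke' feature: the token stays in the store but can no longer authenticate."""
    rec = TOKENS.get(token_key(token))
    if rec is None:
        return False
    rec["revoked"] = True
    return True


class Forbidden(Exception):
    pass


# Role-based authorization (assumption): which roles may perform which action on a resource.
PERMISSIONS = {
    "ADMIN": {("user", "read"), ("user", "write"), ("light", "write")},
    "USER":  {("user", "read")},
}


def deny_unless_authorized(username: str, resource: str, action: str):
    """The PHP helper on the slide, spelled out: raise unless the role grants (resource, action)."""
    role = USERS[username]["role"]
    if (resource, action) not in PERMISSIONS.get(role, set()):
        raise Forbidden(f"{username} ({role}) may not {action} {resource}")


def handle(authorization: str, resource: str, action: str, now=None):
    """Generic endpoint: 401 without a valid token, 403 without the role, 200 otherwise."""
    user = authenticate(authorization, now)
    if user is None:
        return 401, None
    try:
        deny_unless_authorized(user, resource, action)
    except Forbidden:
        return 403, None
    return 200, {"id": 1, "username": user, "resource": resource, "action": action}
```

Because authorization is per role and not per token, the same token grants everything its user's role grants; that is exactly the limitation slides 18 and 19 raise for third-party applications.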
18. What if I want to grant only limited authorizations to external applications?
How to handle the privacy problem and grant only a limited set of privileges?
19. Third-party applications?
With Basic auth I have to hand my credentials to that application!
With token auth I cannot control the data access, because the external application uses my current role!
We join different APIs together, right?
21. OAuth2 is about authorization, not authentication
User centered (focused on third-party application data access)
Scope-based authorization
Different token generation schemes (grant types)
Secured via HTTPS (like Basic auth, token auth, ...)
Mainly for distributed infrastructures
SOA, microservices...
23. The OAuth2 scheme allows clients (third-party applications) to access the user's information only after the user grants it
User (that's you, the resource owner)
Client (third-party application)
Resource (information owned by you)
Authorization grant (that you give to the client)
24. OAuth2
You grant a limited set of privileges (scopes) on a resource (that you own) to an external application (the client)
25. With OAuth2, the token is linked to a list of scopes, and whoever holds that token can access resources only in a limited way, depending on the scope list.
26. Scopes: (none)
GET /user HTTP/1.1
Host: api.walterdalmut.com
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUz...
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Encoding: UTF-8
Connection: close
{
"id": 1
}
27. Scopes: email
GET /user HTTP/1.1
Host: api.walterdalmut.com
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUz...
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Encoding: UTF-8
Connection: close
{
"id": 1,
"username": "walter.dalmut@gmail.com"
}
28. Scopes: email profile:read
GET /user HTTP/1.1
Host: api.walterdalmut.com
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUz...
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Encoding: UTF-8
Connection: close
{
"id": 1,
"username": "walter.dalmut@gmail.com",
"firstname": "Walter",
"lastname": "Dal Mut",
"avatarUrl": "https://s.gravatar.com/avatar/d177b2782f268f068952ed05dd52ee01?size=496&default=retro",
"jobPosition": "Engineer",
"signupDate": "2017-04-05T14:49:26+00:00"
}
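The three responses above produced by one resource server, as an added example (not code from the slides): the access token is a JWT carrying a scope claim, the server verifies its signature and expiry, then projects the profile down to the fields the granted scopes unlock. Assumptions: the token is HS256-signed with a shared key so the block runs without a key pair (the slides' tokens start with an RS256 header), the field-to-scope mapping and the function names are invented, and the profile values are copied from the slides' responses.

```python
import base64
import hashlib
import hmac
import json
import time

# Shared HMAC key between the authorization server and this resource server (constructed).
SECRET = b"constructed-demo-key-change-me"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, scopes, ttl=3600, now=None) -> str:
    """Mint a JWT whose 'scope' claim is the space-separated list the user granted."""
    now = int(time.time() if now is None else now)
    header = {"typ": "JWT", "alg": "HS256"}
    payload = {"sub": subject, "scope": " ".join(scopes), "iat": now, "exp": now + ttl}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(token: str, now=None):
    """Return the payload if algorithm, signature and expiry check out, else None."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        # Pin the algorithm: the token must never choose it (alg=none / key-confusion attacks).
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s64)):
            return None
        payload = json.loads(b64url_decode(p64))
        if not isinstance(payload, dict):
            return None
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token: treat exactly like an invalid signature
    if now >= payload.get("exp", 0):
        return None
    return payload


# Profile record for user id 1; values taken from the slides' responses.
PROFILE = {
    "id": 1,
    "username": "walter.dalmut@gmail.com",
    "firstname": "Walter",
    "lastname": "Dal Mut",
    "avatarUrl": "https://s.gravatar.com/avatar/d177b2782f268f068952ed05dd52ee01?size=496&default=retro",
    "jobPosition": "Engineer",
    "signupDate": "2017-04-05T14:49:26+00:00",
}

# Which scope unlocks which field (assumption); "id" is returned for any valid token.
FIELD_SCOPES = {
    "username": "email",
    "firstname": "profile:read", "lastname": "profile:read", "avatarUrl": "profile:read",
    "jobPosition": "profile:read", "signupDate": "profile:read",
}


def get_user(authorization: str, now=None):
    """GET /user: project the profile down to the fields the token's scopes allow."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme != "Bearer":
        return 401, None
    payload = verify_token(token, now)
    if payload is None:
        return 401, None
    granted = set(payload.get("scope", "").split())
    body = {k: v for k, v in PROFILE.items() if k == "id" or FIELD_SCOPES.get(k) in granted}
    return 200, body
```

The scope check happens on the resource server at field level; the token itself only names the scopes, it never carries the data.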
30. 4 [5] ways to get an authorization token (grant types)
Authorization code
Implicit (JavaScript clients)
Password
Client credentials
Refresh token
A token, access or refresh, it doesn't matter, must expire after some amount of time, and those tokens can also be revoked by the resource owner.
(Caveat: the OAuth 2.0 Security Best Current Practice now discourages the implicit and password grants; browser-based clients should use the authorization code grant with PKCE instead.)
31. Authorization code exchange
An AngularJS (browser) client cannot keep the OAuth2 client secret, so the App Server (the third-party app's backend) keeps it and exchanges the authorization code for a token, authenticating with the client credentials
37. Password flow: a privileged application in our network that is allowed to receive the user's credentials directly, to simplify the user login procedure (with backend support)
academy.corley.it (example of password flow)
39. OAuth2 will generate 2 tokens: access_token and refresh_token.
The refresh token is not used to access resources, only to obtain a new access token without repeating the whole grant handshake.
access_token (expires in 1 hour)
refresh_token (expires in 1 month)
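The authorization code exchange of slide 31 and the access/refresh token pair of slide 39 in one runnable authorization server, as an added example (not the deck's code). The client registry, the client secret, the redirect URI, the one-minute code lifetime and the refresh-token replay handling are assumptions; the one-hour and one-month lifetimes are the slide's. The code is bound to the client and redirect_uri and can be redeemed once; the exchange and every refresh require the client secret, which is why the browser part of the app never gets to perform them.

```python
import secrets

# Constructed registry of third-party clients (assumption, not from the slides).
# The secret lives only on the client's app server, never in the browser/AngularJS code.
CLIENTS = {
    "academy-web": {"secret": "s3cr3t-kept-on-the-app-server",
                    "redirect_uri": "https://academy.example/callback"},
}

ACCESS_TTL = 3600              # 1 hour, as on slide 39
REFRESH_TTL = 30 * 24 * 3600   # about 1 month, as on slide 39
CODE_TTL = 60                  # assumption: codes are short lived


class AuthorizationServer:
    def __init__(self):
        self.codes = {}    # code -> grant, single use, short lived
        self.access = {}   # access_token -> {"sub", "scope", "exp"}
        self.refresh = {}  # refresh_token -> {"sub", "scope", "client", "exp", "used"}

    def authorize(self, client_id, redirect_uri, user, scopes, now):
        """Step 1: after the user consents, redirect back to the client with a code."""
        client = CLIENTS.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            return None  # unknown client or redirect_uri mismatch: never hand out a code
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client": client_id, "redirect_uri": redirect_uri,
                            "sub": user, "scope": list(scopes), "exp": now + CODE_TTL}
        return code

    def issue_pair(self, client_id, sub, scopes, now):
        """Mint the access/refresh pair; the refresh token never works against resources."""
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[access] = {"sub": sub, "scope": scopes, "exp": now + ACCESS_TTL}
        self.refresh[refresh] = {"sub": sub, "scope": scopes, "client": client_id,
                                 "exp": now + REFRESH_TTL, "used": False}
        return {"access_token": access, "refresh_token": refresh,
                "token_type": "Bearer", "expires_in": ACCESS_TTL}

    def token(self, grant_type, client_id, client_secret, now, code=None,
              redirect_uri=None, refresh_token=None):
        """Step 2 (and later refreshes): only the app server, which holds the secret, can call this."""
        client = CLIENTS.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            return None
        if grant_type == "authorization_code":
            grant = self.codes.pop(code, None)  # pop: a code can be redeemed exactly once
            if (grant is None or grant["client"] != client_id
                    or grant["redirect_uri"] != redirect_uri or now >= grant["exp"]):
                return None
            return self.issue_pair(client_id, grant["sub"], grant["scope"], now)
        if grant_type == "refresh_token":
            rec = self.refresh.get(refresh_token)
            if rec is None or rec["client"] != client_id or now >= rec["exp"]:
                return None
            if rec["used"]:
                # A rotated refresh token presented again means someone else has it:
                # revoke everything issued to this user (assumption: revoke-all policy).
                self.revoke_user(rec["sub"])
                return None
            rec["used"] = True  # rotation: each refresh token is good for one refresh
            return self.issue_pair(client_id, rec["sub"], rec["scope"], now)
        return None

    def introspect(self, access_token, now):
        """What a resource server asks: who is this token for and what may it do?"""
        rec = self.access.get(access_token)
        if rec is None or now >= rec["exp"]:
            return None
        return rec

    def revoke_user(self, sub):
        """The resource owner revokes everything issued on their behalf."""
        for store in (self.access, self.refresh):
            for key in [k for k, v in store.items() if v["sub"] == sub]:
                del store[key]
```

Note what a refresh does not do: it never re-asks the user, and it never widens the scope list, which stays whatever was granted at authorization time.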