Upload File

adding authentication to angular appsapi security? sessions?cookies? tokens?! authentication basics...

  • Home
  • Documents
  • ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication
112
@KimMaida ADDING AUTHENTICATION TO ANGULAR APPS

Upload: others

Post on 30-Mar-2020

19 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

ADDING AUTHENTICATION TO ANGULAR APPS

Page 2: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Hello! I’m Kim Maida

Manager, Community & Technical Content at Auth0 Angular Google Developer Expert

Page 3: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

“How do I secure my Angular app?”

Page 4: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

“How can I properly add authentication to my app to protect my data from unauthorized access?”

Page 5: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

API security? Sessions? Cookies? Tokens?

Page 6: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

API security? Sessions? Cookies? Tokens?

😵

Page 7: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

AUTHENTICATION BASICS FOR WEB APPS

Page 8: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Traditional web app authentication

Page 9: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Authentication with Cookie-based Sessions

Page 10: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Authentication with Cookie-based Sessions

Page 11: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Authentication with Cookie-based Sessions

Page 12: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Authentication with Cookie-based Sessions

Page 13: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Authentication with Cookie-based Sessions

Page 14: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Authentication with Cookie-based Sessions

</>HTML + Data

Page 15: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Authentication with Cookie-based Sessions

Page 16: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Authentication with Cookie-based Sessions

302HTML Error

Page 17: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Authentication with Cookie-based Sessions

302

302HTML Error

?

Page 18: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Authentication with Cookie-based Sessions

</>HTML + Data

Page 19: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

What about Single Page Apps?

Page 20: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Single Page Application

Page 21: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Single Page Application

Page 22: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Single Page Application

Page 23: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Single Page Application

Page 24: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Single Page Application

{;}JSON

Page 25: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Why not use cookie-based auth?

🤔

Page 26: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Two Issues

Page 27: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Issue 1: APIs on Other Domains

my-domain.com

other-domain.com

X

Page 28: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

You (maybe): “No problem, everything is on one domain!”

$

Page 29: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

One more shortcoming

Page 30: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Issue 2: Authentication via Redirects & Ajax Calls

App Using Cookie-based Sessions

302

Page 31: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Issue 2: Authentication via Redirects & Ajax Calls

Single Page ApplicationApp Using Cookie-based Sessions

302?

Page 32: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Address these issues with token-based auth

Page 33: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Single Page Application

Page 34: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Single Page Application

Page 35: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Single Page Application

#

Page 36: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Single Page Application

Page 37: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Single Page Application

#

Page 38: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Don’t Store Sensitive Data in Local Storage

Page 39: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Local Storage Security Concerns

! XSS can be used to steal all data in local storage

! XSS can be used to load malicious data into local storage

! Local Storage is shared within an origin

https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet#Local_Storage

Page 40: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Page 41: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Single Page Application

Page 42: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Single Page Application

#

Page 43: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Single Page Application

Page 44: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Use Tokens to Call APIs

{;}JSON Data

Page 45: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Use Tokens to Call APIs

my-domain.com

other-domain.com

Page 46: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Solves the 2 Issues

1. APIs on other domains

2. Authentication via Redirects & Ajax Calls✅

Page 47: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

HOW DOES ANGULAR HELP?

Page 48: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Angular Authentication TODO List

Manage authentication events

Attach token to API requests

Restrict access to certain routes

Page 49: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Angular Authentication TODO List

Manage authentication events

Attach token to API requests

Restrict access to certain routes

Page 50: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Angular Authentication TODO List

Manage authentication events

Send token with API requests

Restrict access to certain routes

Page 51: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Angular Authentication TODO List

Manage authentication events

Send token with API requests

Restrict access to certain routes

Page 52: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

TODO: Manage authentication events

Page 53: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Page 54: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Create streams from callbacks

Page 55: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Example: Bind Callbacks with RxJS

parseHash$ = bindNodeCallback( this.AuthSDK.parseHash .bind(this.Auth) );

parseHash$().subscribe( authData => this.setAuth(authData) );

Page 56: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Example: Bind Callbacks with RxJS

parseHash$ = bindNodeCallback( this.AuthSDK.parseHash .bind(this.Auth) );

parseHash$().subscribe( authData => this.setAuth(authData) );

Page 57: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Example: Bind Callbacks with RxJS

parseHash$ = bindNodeCallback( this.AuthSDK.parseHash .bind(this.Auth) );

parseHash$().subscribe( authData => this.setAuth(authData) );

Page 58: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Example: Bind Callbacks with RxJS

parseHash$ = bindNodeCallback( this.AuthSDK.parseHash .bind(this.Auth) );

parseHash$().subscribe( authData => this.setAuth(authData) );

Page 59: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Example: Bind Callbacks with RxJS

parseHash$ = bindNodeCallback( this.AuthSDK.parseHash .bind(this.Auth) );

parseHash$().subscribe( authData => this.setAuth(authData) );

Page 60: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Create streams of auth data

Page 61: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Create Auth Streams with RxJS

user$ = new BehaviorSubject<any>(null);

setAuth(authResult) { this.user$ .next(authResult.idTokenPayload); … }

Page 62: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Create Auth Streams with RxJS

user$ = new BehaviorSubject<any>(null);

setAuth(authResult) { this.user$ .next(authResult.idTokenPayload); … }

Page 63: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Create Auth Streams with RxJS

user$ = new BehaviorSubject<any>(null);

setAuth(authResult) { this.user$ .next(authResult.idTokenPayload); … }

Page 64: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Create Auth Streams with RxJS

user$ = new BehaviorSubject<any>(null);

setAuth(authResult) { this.user$ .next(authResult.idTokenPayload); … }

Page 65: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Use Auth Streams

<div *ngIf="(auth.user$ | async) as user"> <h1>{{ user.name }} </h1> </div>

Page 66: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

…and more

Page 67: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Angular Authentication TODO List

Manage authentication events

Send token with API requests

Restrict access to certain routes

Page 68: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

TODO: Send token with API requests

Page 69: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

HTTP Interceptors

Page 70: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

HTTP Interceptors

Interceptor Service{Authorization:`Bearer `}

Page 71: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

App Routing NgModule

@NgModule({ ...,

providers: [

AuthService,

{

provide: HTTP_INTERCEPTORS,

useClass: TokenInterceptor,

multi: true

}

], ...

Page 72: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

App Routing NgModule

@NgModule({ ...,

providers: [

AuthService,

{

provide: HTTP_INTERCEPTORS,

useClass: TokenInterceptor,

multi: true

}

], ...

Page 73: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

App Routing NgModule

@NgModule({ ...,

providers: [

AuthService,

{

provide: HTTP_INTERCEPTORS,

useClass: TokenInterceptor,

multi: true

}

], ...

Page 74: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

App Routing NgModule

@NgModule({ ...,

providers: [

AuthService,

{

provide: HTTP_INTERCEPTORS,

useClass: TokenInterceptor,

multi: true

}

], ...

Page 75: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

TokenInterceptor Service

@Injectable()

export class TokenInterceptor implements HttpInterceptor {

constructor(private auth: AuthService) { }

intercept(req: HttpRequest<any>, next: HttpHandler) {

const tokenReq = req.clone({

setHeaders: {Authorization: `Bearer ${this.auth.token}`}

});

return next.handle(tokenReq);

}

}

Page 76: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

TokenInterceptor Service

@Injectable()

export class TokenInterceptor implements HttpInterceptor {

constructor(private auth: AuthService) { }

intercept(req: HttpRequest<any>, next: HttpHandler) {

const tokenReq = req.clone({

setHeaders: {Authorization: `Bearer ${this.auth.token}`}

});

return next.handle(tokenReq);

}

}

Page 77: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

TokenInterceptor Service

@Injectable()

export class TokenInterceptor implements HttpInterceptor {

constructor(private auth: AuthService) { }

intercept(req: HttpRequest<any>, next: HttpHandler) {

const tokenReq = req.clone({

setHeaders: {Authorization: `Bearer ${this.auth.token}`}

});

return next.handle(tokenReq);

}

}

Page 78: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

TokenInterceptor Service

@Injectable()

export class TokenInterceptor implements HttpInterceptor {

constructor(private auth: AuthService) { }

intercept(req: HttpRequest<any>, next: HttpHandler) {

const tokenReq = req.clone({

setHeaders: {Authorization: `Bearer ${this.auth.token}`}

});

return next.handle(tokenReq);

}

}

Page 79: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Conditional Interceptors

Page 80: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Conditional Logic in Interceptors

intercept(req: HttpRequest<any>, next: HttpHandler) { if (req.url.indexOf('private') > -1) { const tokenReq = req.clone({ setHeaders: {Authorization: `Bearer ${this.auth.token}`}

});

return next.handle(tokenReq); } return next.handle(req);

}

Page 81: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Conditional Logic in Interceptors

intercept(req: HttpRequest<any>, next: HttpHandler) { if (req.url.indexOf('private') > -1) { const tokenReq = req.clone({ setHeaders: {Authorization: `Bearer ${this.auth.token}`}

});

return next.handle(tokenReq); } return next.handle(req);

}

Page 82: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Conditional Logic in Interceptors

intercept(req: HttpRequest<any>, next: HttpHandler) { if (req.url.indexOf('private') > -1) { const tokenReq = req.clone({ setHeaders: {Authorization: `Bearer ${this.auth.token}`}

});

return next.handle(tokenReq); } return next.handle(req);

}

Page 83: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Conditional Logic in Interceptors

intercept(req: HttpRequest<any>, next: HttpHandler) { if (req.url.indexOf('private') > -1) { const tokenReq = req.clone({ setHeaders: {Authorization: `Bearer ${this.auth.token}`}

});

return next.handle(tokenReq); } return next.handle(req);

}

Page 84: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Asynchronous Interceptors

Page 85: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Async Interceptors

intercept(req: HttpRequest<any>, next: HttpHandler) { return this.auth.token$.pipe( mergeMap(token => { if (token) { const tokenReq = req.clone({ setHeaders: {Authorization:`Bearer ${token}`} }); return next.handle(tokenReq); } }) );} }

Page 86: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Async Interceptors

intercept(req: HttpRequest<any>, next: HttpHandler) { return this.auth.token$.pipe( mergeMap(token => { if (token) { const tokenReq = req.clone({ setHeaders: {Authorization:`Bearer ${token}`} }); return next.handle(tokenReq); } }) );} }

Page 87: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Async Interceptors

intercept(req: HttpRequest<any>, next: HttpHandler) { return this.auth.token$.pipe( mergeMap(token => { if (token) { const tokenReq = req.clone({ setHeaders: {Authorization:`Bearer ${token}`} }); return next.handle(tokenReq); } }) );} }

Page 88: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Async Interceptors

intercept(req: HttpRequest<any>, next: HttpHandler) { return this.auth.token$.pipe( mergeMap(token => { if (token) { const tokenReq = req.clone({ setHeaders: {Authorization:`Bearer ${token}`} }); return next.handle(tokenReq); } }) );} }

Page 89: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Angular Authentication TODO List

Manage authentication events

Send token with API requests

Restrict access to certain routes

Page 90: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

TODO: Restrict access to certain routes

Page 91: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Route Guards

Page 92: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Guard Interfaces - CanActivate

Page 93: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Guard Interfaces - CanActivateChild

Page 94: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Guard Interfaces - CanLoad

Page 95: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Route Guards - CanActivate App Routes

import { AuthGuard } from './auth.guard';

export const ROUTES: Routes = [

{

path: 'profile',

component: ProfileComponent,

canActivate: [ AuthGuard ]

}

];

Page 96: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Route Guards - CanActivate App Routes

import { AuthGuard } from './auth.guard';

export const ROUTES: Routes = [

{

path: 'profile',

component: ProfileComponent,

canActivate: [ AuthGuard ]

}

];

Page 97: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Route Guards - CanActivate App Routes

import { AuthGuard } from './auth.guard';

export const ROUTES: Routes = [

{

path: 'profile',

component: ProfileComponent,

canActivate: [ AuthGuard ]

}

];

Page 98: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Route Guards - CanActivate Service

@Injectable()

export class AuthGuard implements CanActivate {

constructor(private auth: AuthService, public router: Router) {}

canActivate(): boolean {

if (!this.auth.isAuthenticated()) {

this.router.navigate(['login']);

return false;

}

return true;

}

}

Page 99: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Route Guards - CanActivate Service

@Injectable()

export class AuthGuard implements CanActivate {

constructor(private auth: AuthService, public router: Router) {}

canActivate(): boolean {

if (!this.auth.isAuthenticated()) {

this.router.navigate(['login']);

return false;

}

return true;

}

}

Page 100: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Route Guards - CanActivate Service

@Injectable()

export class AuthGuard implements CanActivate {

constructor(private auth: AuthService, public router: Router) {}

canActivate(): boolean {

if (!this.auth.isAuthenticated()) {

this.router.navigate(['login']);

return false;

}

return true;

}

}

Page 101: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Route Guards - CanActivate Service

@Injectable()

export class AuthGuard implements CanActivate {

constructor(private auth: AuthService, public router: Router) {}

canActivate(): boolean {

if (!this.auth.isAuthenticated()) {

this.router.navigate(['login']);

return false;

}

return true;

}

}

Page 102: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Guarded Lazy Loading

Page 103: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Lazy Loading with CanLoad Guard

export const ROUTES: Routes = [

{

path: 'admin',

loadChildren: './admin/admin.module#AdminModule',

canLoad: [ RoleGuard ],

data: { expectedRole: 'admin' }

}

];

Page 104: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Lazy Loading with CanLoad Guard

export const ROUTES: Routes = [

{

path: 'admin',

loadChildren: './admin/admin.module#AdminModule',

canLoad: [ RoleGuard ],

data: { expectedRole: 'admin' }

}

];

Page 105: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Lazy Loading with CanLoad Guard

export const ROUTES: Routes = [

{

path: 'admin',

loadChildren: './admin/admin.module#AdminModule',

canLoad: [ RoleGuard ],

data: { expectedRole: 'admin' }

}

];

Page 106: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Lazy Loading with CanLoad Guard

export const ROUTES: Routes = [

{

path: 'admin',

loadChildren: './admin/admin.module#AdminModule',

canLoad: [ RoleGuard ],

data: { expectedRole: 'admin' }

}

];

Page 107: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Route Guards - CanLoad

@Injectable()

export class RoleGuard implements CanLoad {

constructor(private auth: AuthService) {}

canLoad(route: Route): boolean {

if (!this.auth.isAuthenticated() ||

!this.auth.hasRole(route.data.expectedRole)) {

this.auth.login();

return false;

} …

Page 108: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Route Guards - CanLoad

@Injectable()

export class RoleGuard implements CanLoad {

constructor(private auth: AuthService) {}

canLoad(route: Route): boolean {

if (!this.auth.isAuthenticated() ||

!this.auth.hasRole(route.data.expectedRole)) {

this.auth.login();

return false;

} …

Page 109: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Route Guards - CanLoad

@Injectable()

export class RoleGuard implements CanLoad {

constructor(private auth: AuthService) {}

canLoad(route: Route): boolean {

if (!this.auth.isAuthenticated() ||

!this.auth.hasRole(route.data.expectedRole)) {

this.auth.login();

return false;

} …

Page 110: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Angular Authentication TODO List

Manage authentication events

Send token with API requests

Restrict access to certain routes

Page 111: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Page 112: ADDING AUTHENTICATION TO ANGULAR APPSAPI security? Sessions?Cookies? Tokens?! AUTHENTICATION BASICS FOR WEB APPS @KimMaida Traditional web app authentication @KimMaida Authentication

@KimMaida

Adding Authentication to Angular Apps

bit.ly/angularmix-adding-auth

Thank you!


Security Policy 30 Nov 08 - NIST · however, the operation and use of tokens for dual-factor authentication by the module is identical for the following tokens and smartcards that

Advances of USB Strong Authentication Tokens · Bank = AOL ? “Demonize-T” ... One time password calculation and display 33 ... Advances of USB Strong Authentication Token CTST

20181021 - Cookies vs tokens - A paradoxial choice (AppSec ... · Authentication Authorization t @PhilippeDeRyck ... ASYMMETRICJWT SIGNATURES 17 payload yxzN...sFno= GENERATESIGNATURE

Hard Tokens vs. Soft Tokens - Home | NetIQ Tokens vs. Soft Tokens: Why Soft Tokens Are the Better Option Shortcomings of Hard Tokens: Limited deployments Device and management costs

Cookies Set a cookie – setcookie() Extract data from a cookie - $_COOKIE Augment user authentication script with a cookie

Hard Times Tokens Part One – Political Tokens

U2F Authentication Tokens - Cryptsoft · FIDO compliant second factor authentication token U2F Authentication Tokens Cryptsoft and Feitian have collaborated to deliver a Fast IDentity

Locally Centralized, Globally Distributed Authentication ... · Indeed, there is a variety of ways to implement tokens for authentication in computer systems. Passwords are the most

Using JSON Web Tokens for REST Authentication

RSA Authentication Manager 8 - Amazon S3...RSA Authentication Manager 8.2 2 Over 25,000 customers 50 –60 million active tokens in circulation 10 million units shipped per year More

CIS14: Bringing Crypto Back: Web Authentication without Bearer Tokens

4TRESS® Authentication Appliance for TEMENOS ARC · PDF file4TRESS Authentication Appliance supports a broad range of hardware tokens, smart cards and software tokens. 4TRESS Authentication

identification and authentication tokensdecockd/slides/20190606...2019/06/06  · Identification & Authentication Chips & Tokens Identification Requires passive interaction Visually

Making Graphic-Based Authentication Secure against Smudge Attacks · 2013-03-26 · deduce formerly entered data, authentication tokens are jeop-ardized. Most notably, grid-based

How to Download, Install, and Run Consent2Share...Authentication Server For authentication, authorization, issuing tokens for client applications, and user account management Implements

MultiFactor - CSADay 2015cd-docdb.fnal.gov › cgi-bin › RetrieveFile?docid=5609&... · Multifactor authentication technologies • Security tokens: Small hardware devices such

The new CERN Authentication and Authorization...The new CERN Authentication and Authorization 10 Users Web app Grid nodes OAuth2/OIDC Tokens Kerberos app (AFS, LxPlus) Token conversion

Information Security CS 526 - Purdue University Authentication via Cookies •HTTP is stateless –How does the server recognize a user who has signed in? •Servers can use cookies

€¦ · Configuring authentication using RSA SecurID tokens ................68 Authentication workflow for tokens in new PIN mode ...............69 Using token authentication

Advanced Authentication - Device Service · Advanced Authentication supports the certific ate-based PKCS#11 contact smart cards and USB tokens (crypto sticks). Device Service supports

Information Security Identification and authentication ...TDDD17/lectures/slides/tddd17-authenticatio… · Biometric systems Tokens Fumy, W. and Paeschke, M. Handbook of eID Security

Comparing Passwords, Tokens, and Biometrics for User ...rossarun/BiometricsTextBook/... · Comparing Passwords, Tokens, and Biometrics for User Authentication LAWRENCE O’GORMAN,

Cookies, Sessions, and Authentication Dr. Charles Severance

Authentication Tokens market for 2002 and 2003. Aladdin is the #1

Biometric Authentication Biometric Authentication: The ... · of tokens, passwords, and PINs. The reason: smartphones. According to comScore, as of January 2016, 198.5 million people

Enhance Security with Simple Two-Factor Authentication · In a typical two-factor authentication infrastructure, IT assigns users a physical fob that changes tokens on a regular basis

FortiToken Two Factor Authentication - Fortinetdocs.fortinet.com/uploaded/files/1429/FortiToken-2FA...Tokens that can be used to solve your two-factor authentication problem. Your

Best Practices: Authentication & Authorization Infrastructure€¢Tokens: in modern security standards are all about them. •Decoupling authentication / authorization (OIDC authentication

Game Contents - MyMiniFactory...3 jungle hexes 2 volcano hexes 1 river (gold) hex 92 colony tokens: - 24 discovery tokens (jungle) - 22 gold tokens - 22 ore tokens - 24 gem tokens

NSI Authentication and Authorization · client authentication, authentication through Identity Provider, local user accounts, access tokens, etc.). The uRA MUST determine the identity

4 Multi Factor Authentication Using Mobile Phoneswe07/Publications/Multi Factor... · Multi Factor Authentication Using Mobile Phones ... using mobile phones instead of tokens or

Hardware Security › content › dam › f-secure › en › ... · 2019-01-15 · integration of access control systems, authentication tokens, hardware security modules and in

A Methodology for Developing Authentication Assurance ... · Smart cards (smart identity tokens) are now being extensively deployed for identity verification for controlling access

CS 4244: Internet Programming Security 1.0. Introduction Client identification and cookies Basic Authentication Digest Authentication Secure HTTP

RSA SecurID Tokens - NAS Home · 2019-09-12 · RSA SecurID Tokens NASA uses RSA SecurID technology to provide secure authentication to its supercomputing resources. To log into the