adding authentication to angular appsapi security? sessions?cookies? tokens?! authentication basics...

@KimMaida

ADDING AUTHENTICATION TO ANGULAR APPS

@KimMaida

Hello! I’m Kim Maida

Manager, Community & Technical Content at Auth0 Angular Google Developer Expert

@KimMaida

“How do I secure my Angular app?”

@KimMaida

“How can I properly add authentication to my app to protect my data from unauthorized access?”

@KimMaida

API security? Sessions? Cookies? Tokens?

@KimMaida

API security? Sessions? Cookies? Tokens?

AUTHENTICATION BASICS FOR WEB APPS

@KimMaida

Traditional web app authentication

@KimMaida

Authentication with Cookie-based Sessions

@KimMaida

</>HTML + Data

@KimMaida

302HTML Error

@KimMaida

302HTML Error

@KimMaida

</>HTML + Data

@KimMaida

What about Single Page Apps?

@KimMaida

Single Page Application

@KimMaida

{;}JSON

@KimMaida

Why not use cookie-based auth?

@KimMaida

Two Issues

@KimMaida

Issue 1: APIs on Other Domains

my-domain.com

other-domain.com

@KimMaida

You (maybe): “No problem, everything is on one domain!”

@KimMaida

One more shortcoming

@KimMaida

Issue 2: Authentication via Redirects & Ajax Calls

App Using Cookie-based Sessions

@KimMaida

Issue 2: Authentication via Redirects & Ajax Calls

Single Page ApplicationApp Using Cookie-based Sessions

@KimMaida

Address these issues with token-based auth

@KimMaida

Don’t Store Sensitive Data in Local Storage

@KimMaida

Local Storage Security Concerns

! XSS can be used to steal all data in local storage

! XSS can be used to load malicious data into local storage

! Local Storage is shared within an origin

https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet#Local_Storage

@KimMaida

Use Tokens to Call APIs

{;}JSON Data

@KimMaida

Use Tokens to Call APIs

my-domain.com

other-domain.com

@KimMaida

Solves the 2 Issues

1. APIs on other domains

2. Authentication via Redirects & Ajax Calls✅

HOW DOES ANGULAR HELP?

@KimMaida

Angular Authentication TODO List

Manage authentication events

Attach token to API requests

Restrict access to certain routes

@KimMaida

Attach token to API requests

@KimMaida

Send token with API requests

@KimMaida

TODO: Manage authentication events

@KimMaida

Create streams from callbacks

@KimMaida

Example: Bind Callbacks with RxJS

parseHash$ = bindNodeCallback( this.AuthSDK.parseHash .bind(this.Auth) );

parseHash$().subscribe( authData => this.setAuth(authData) );

@KimMaida

Create streams of auth data

@KimMaida

Create Auth Streams with RxJS

user$ = new BehaviorSubject<any>(null);

setAuth(authResult) { this.user$ .next(authResult.idTokenPayload); … }

@KimMaida

Use Auth Streams

@KimMaida

…and more

@KimMaida

TODO: Send token with API requests

@KimMaida

HTTP Interceptors

@KimMaida

HTTP Interceptors

Interceptor Service{Authorization:`Bearer `}

@KimMaida

App Routing NgModule

@NgModule({ ...,

providers: [

AuthService,

provide: HTTP_INTERCEPTORS,

useClass: TokenInterceptor,

multi: true

], ...

@KimMaida

@NgModule({ ...,

providers: [

AuthService,

multi: true

], ...

@KimMaida

@NgModule({ ...,

providers: [

AuthService,

multi: true

], ...

@KimMaida

@NgModule({ ...,

providers: [

AuthService,

multi: true

], ...

@KimMaida

TokenInterceptor Service

@Injectable()

export class TokenInterceptor implements HttpInterceptor {

constructor(private auth: AuthService) { }

intercept(req: HttpRequest<any>, next: HttpHandler) {

const tokenReq = req.clone({

setHeaders: {Authorization: `Bearer ${this.auth.token}`}

return next.handle(tokenReq);

@KimMaida

@Injectable()

@KimMaida

@Injectable()

@KimMaida

@Injectable()

@KimMaida

Conditional Interceptors

@KimMaida

Conditional Logic in Interceptors

intercept(req: HttpRequest<any>, next: HttpHandler) { if (req.url.indexOf('private') > -1) { const tokenReq = req.clone({ setHeaders: {Authorization: `Bearer ${this.auth.token}`}

return next.handle(tokenReq); } return next.handle(req);

@KimMaida

Asynchronous Interceptors

@KimMaida

Async Interceptors

intercept(req: HttpRequest<any>, next: HttpHandler) { return this.auth.token$.pipe( mergeMap(token => { if (token) { const tokenReq = req.clone({ setHeaders: {Authorization:`Bearer ${token}`} }); return next.handle(tokenReq); } }) );} }

@KimMaida

Async Interceptors

@KimMaida

Async Interceptors

@KimMaida

Async Interceptors

@KimMaida

TODO: Restrict access to certain routes

@KimMaida

Route Guards

@KimMaida

Guard Interfaces - CanActivate

@KimMaida

Guard Interfaces - CanActivateChild

@KimMaida

Guard Interfaces - CanLoad

@KimMaida

Route Guards - CanActivate App Routes

import { AuthGuard } from './auth.guard';

export const ROUTES: Routes = [

path: 'profile',

component: ProfileComponent,

canActivate: [ AuthGuard ]

@KimMaida

path: 'profile',

@KimMaida

path: 'profile',

@KimMaida

Route Guards - CanActivate Service

@Injectable()

export class AuthGuard implements CanActivate {

constructor(private auth: AuthService, public router: Router) {}

canActivate(): boolean {

if (!this.auth.isAuthenticated()) {

this.router.navigate(['login']);

return false;

return true;

@KimMaida

@Injectable()

return false;

return true;

@KimMaida

@Injectable()

return false;

return true;

@KimMaida

@Injectable()

return false;

return true;

@KimMaida

Guarded Lazy Loading

@KimMaida

Lazy Loading with CanLoad Guard

path: 'admin',

loadChildren: './admin/admin.module#AdminModule',

canLoad: [ RoleGuard ],

data: { expectedRole: 'admin' }

@KimMaida

path: 'admin',

@KimMaida

path: 'admin',

@KimMaida

path: 'admin',

@KimMaida

Route Guards - CanLoad

@Injectable()

export class RoleGuard implements CanLoad {

constructor(private auth: AuthService) {}

canLoad(route: Route): boolean {

if (!this.auth.isAuthenticated() ||

!this.auth.hasRole(route.data.expectedRole)) {

this.auth.login();

return false;

@KimMaida

@Injectable()

this.auth.login();

return false;

@KimMaida

@Injectable()

this.auth.login();

return false;

@KimMaida

Adding Authentication to Angular Apps

bit.ly/angularmix-adding-auth

Thank you!

adding authentication to angular appsapi security? sessions?cookies? tokens?! authentication basics...

Documents

game contents - myminifactory...3 jungle hexes 2 volcano...

random bits practical factorization of widely used rsa...

authentication (/api/auth) · 2018-10-29 · api tokens api...

blackberry 2fa - overview...otp tokens blackberry uem...

half-baked cookies: client authentication on the modern...

secure element access from a web browser w3c workshop on...

u2f authentication tokens - cryptsoft · fido compliant...

comparing passwords, tokens, and biometrics for user...

safenet authentication client...

a methodology for developing authentication assurance...

rsa authentication manager 8 - amazon s3...rsa...

locally centralized, globally distributed authentication...

rsa securid tokens - nas home · 2019-09-12 · rsa securid...

20181021 - cookies vs tokens - a paradoxial choice (appsec...

making graphic-based authentication secure against smudge...

multifactor - csaday 2015cd-docdb.fnal.gov › cgi-bin ›...

enhance security with simple two-factor authentication ·...

information security cs 526 - purdue university...

how to download, install, and run...

hard tokens vs. soft tokens - home | netiq tokens vs. soft...