OAuth

SECURE AUTHENTICATION
EmberConf 2017

WHO HERE FULLY UNDERSTANDS OAUTH 2.0?

OAUTH 2.0 IS A MESS
(Slide of screenshots: Stack Overflow questions and a blog post)

= "What is the difference between the 2 workflows? When to use Authorization Code flow?"

= "How to use Facebook OAuth with Ember Simple Auth?"
  - "I have an Ember app using Ember Simple Auth. The API returns an auth token on successful sign in with email and password. I'm trying to add Facebook Login using the JavaScript SDK. Upon successful sign in with Facebook, I would like to post the Facebook access token back to our API so that the API can store the access token ... I'm not sure how to connect this to Ember Simple Auth ... the normal email/password sign in. What ..." (screenshot cropped)

= "Closing a nasty security hole in OAuth" (blog post, 2014)
  - "Many web apps that use OAuth suffer from a fairly serious security flaw. Generic OAuth client libraries cannot completely patch this hole on their own, so you, the end-developer, are responsible for taking precautions. A small oversight when implementing the OAuth flow can open you up to someone impersonating your users and stealing their stuff. If you are using OAuth, you should definitely know about this and ..." (screenshot cropped)

= "Why is there an "Authorization Code" flow in OAuth2 when "Implicit" flow works so well?"

ABOUT US - BALINT ERDI
= Balint is a total Ember enthusiast
  - Regularly consults with large companies on building Ember apps
  - Numerous screencasts and blog posts about Ember concepts
  - Organizes workshops on various Ember topics, including authentication
  - Gives another talk here at EmberConf!
  - More info on https://balinterdi.com/
= Author of the popular book Rock and Roll with Ember.js
  - Kept up-to-date with the latest evolutions in Ember
  - Pinpoints the core concepts and explains them in detail

ABOUT US - PHILIPPE DE RYCK
= My goal is to help you build secure web applications
  - Hosted and customized in-house training
  - Specialized security assessments of critical systems
  - Threat landscape analysis and prioritization of security efforts
  - More information and resources on https://www.websec.be
= My security expertise is broad, with a focus on web security
  - PhD in client-side web security
  - Main author of the Primer on Client-Side Web Security

WE WILL FOCUS ON AUTHENTICATION WITH OAUTH 2.0
= OAuth 2.0 is a very versatile framework, used for various purposes
  - In this workshop, we explicitly limit the scope to authentication
  - The advice given here therefore applies to authentication scenarios
= In the coming hours, we will dive deep into OAuth 2.0
  - A couple of lectures explain important concepts and security properties
  - The hands-on lab sessions put you in the driver's seat
= If you have any questions, don't wait to ask them!
  - During the lab sessions, there should be some time for broader questions as well
