If you didn’t catch it, in the last article I explained how to build and deploy a real mobile app that uses OAuth2 authentication for your private API service.

In this article, I’m going to cover a tightly related topic: how to properly manage your OAuth2 API token lifecycle.

Because things like token expiration and revocation are so paramount to API security, I figured they deserved their own discussion here.

Token Expiration

One of the most common questions we get here at Stormpath, when talking about token authentication for mobile devices, is about token expiration.

Developers typically ask us this:

“This OAuth2 stuff with JSON Web Tokens sounds good, but how long should I allow my access tokens to exist before expiring them? I don’t want to force my users to re-authenticate every hour. That would suck.”

This is an excellent question. The answer is a bit tricky though. Here are some general rules:

Read more »

Mobile API consumption is a topic that comes up frequently on both Stack Overflow and the Stormpath support channel. It’s a problem that has already been solved, but requires a lot of prerequisite knowledge and sufficient understanding in order to implement properly.

This post will walk you through everything you need to know to properly secure a REST API for consumption on mobile devices, whether you’re building a mobile app that needs to access a REST API, or writing a REST API and planning to have developers write mobile apps that work with your API service.

My goal is to not only explain how to properly secure your REST API for mobile developers, but to also explain how the entire exchange of credentials works from start to finish, how to recover from security breaches, and much more.

Read more »

AngularJS is a framework for building front-end (browser) applications, also known as “Single Page Apps” (SPAs), and we think it’s superb!

AngularJS makes it very easy to build a complex, responsive application, particularly to put a SPA on top of your API service. And once you have an app up, you want your users to be able to log in.

In this tutorial we will:

  • Scaffold a basic AngularJS app with Yeoman, Bower and Grunt
  • Create a simple API backend using Node.js for a “Fullstack” project (meaning it has both a front-end and back-end, paired together).
  • Use Stormpath, a user management API, to manage authentication and other user management features in a new AngularJS project. Throughout this tutorial we reference the Stormpath AngularJS SDK Docs and the complete Stormpath AngularJS Guide. Those resources will help you move beyond this tutorial and explore all the possibilities of our AngularJS SDK.
  • Set up common user routes and views for registration, login, and user profile data.

Here is a preview of what it will look like:

Registration Form

Login Form

User Profile View

Let’s get started!

Read more »

Stormpath has recently worked on token authentication features using JSON Web Tokens (JWT), and we have had many conversations about the security of these tokens and where to store them.

If you are curious about your options, this post is for you. We will cover the basics of JSON Web Tokens (JWT), cookies, HTML5 web storage (localStorage/sessionStorage), and basic information about cross-site scripting (XSS) and cross-site request forgery (CSRF).

Let’s get started…

JSON Web Tokens (JWT): A Crash Course

The most implemented solutions for API authentication and authorization are the OAuth 2.0 and JWT specifications, which are fairly dense. Cliff’s Notes Time! Here’s what you need to know:

Read more »

One of the biggest development trends over the last few years is a move towards architectures based on API services. While it’s increasingly common for new applications to start fresh with a services-friendly framework and functionality offloaded to API services, it’s much less common to rebuild traditional applications in a service-oriented architecture. It’s harder, there’s much more risk, as well as legacy mayhem to contend with. We applaud people who do it, and particularly the audacious people who do it for the love of Java development.

Read more »

Stormpath Python Support

At Stormpath, we really love our Python users. Over the past year we’ve made:

In short, we’ve been working hard to not only improve our Python user experience, but also improve the overall quality and feel of our libraries and integrations.

Many of the suggestions for improvements and bug fixes – as well as solutions – come from our community.

Read more »

A true Renaissance man, Pedro Baumann wears a number of professional hats: Web Developer, Linux SysAdmin, practicing Psychotherapist. But in his free time, the full stack developer plays in Flask.

“As a Flask developer, I’m always testing new technologies,” Pedro explained. “When I found out about Stormpath, I thought it was a great idea. In my personal projects, I had used OpenID login services, Facebook services, and sometimes built the user:passwords database myself, but I did not like it! I am not a security expert, nor a database guru, so Stormpath is the solution to offering a reliable user management system to our customers.”

Pedro tested Stormpath for a webapp to manage patients in his practice, and was impressed with the results. “I even skipped using a database at all and just added all the info I needed to the customData functionality Stormpath offers,” he said.

Read more »

Every company needs engaged employees who live the brand. These true believers are more satisfied and productive, drive great customer experiences, and help reduce employee stress and turnover. In other words, they directly impact the bottom line.

Brand Integrity is an engagement company that is disrupting business as usual with the new rules of engagement. With their sustainable solutions, they are helping their clients in various industries to synchronize their brand’s values, culture, and reputation to create a reputable and compelling brand that employees, customers, partners, and the market understand and trust.

That boost starts with an advanced web application platform, backed by Stormpath’s API for authentication and user management.

Brand Integrity Potential Point Diagram

Read more »

Great Engineering Culture

If you want to have a successful technology startup, you need more than just a great company culture, you specifically need a great engineering culture. A great culture gives you a tremendous advantage in recruiting top people, retaining those people, and subtly guiding their behavior to drive the business.

Contrary to the hype, culture is not about ping pong tables, softball leagues, and free lunches. Instead, culture is the set of implicit rules, guidelines, and values that a group of people guide themselves by. It’s the peer pressure that shapes behavior in powerful ways. And simply putting a bunch of core values on a wall somewhere isn’t enough. Culture is a living thing that requires ongoing care and feeding.

And while every culture should be different based on the team’s strategy, for engineering there are some common elements found in the very best teams.

Read more »

If you’re confused about token-based authentication: this post is for you. We will cover access tokens, how they differ from session cookies, and why they make sense for single page applications (SPAs). This article is primarily written for those with an SPA backed by a REST API.

We’ll pay special attention to best practices for handling JWTs and security: a successful token authentication system requires you to know the security details and possible tradeoffs.

Thankfully, we’ve wrapped up all the best-practice decisions into some libraries you can use: the Stormpath AngularJS SDK to solve your AngularJS authentication challenges, and its back-end pair, the Stormpath Express SDK.

Read more »
