Loopback Authentication

If you’ve been building Node.js applications for a while, you’ve likely heard of Loopback — it’s a very popular Node.js framework for building API services.

I’m a huge fan of Loopback, as I’ve found it a really quick and convenient way to build REST APIs quickly in the past.

With our brand new loopback-stormpath library, you can now use all of Stormpath’s amazing user management tools to secure your user data, easily manage your users via our clean web interface, and scale your Loopback APIs to infinityyyyy and beyond!

Loopback has tons of really nice integrations:

  • It auto-generates Swagger 2.0 compliant API services from your data models. This means you can build an API REALLY fast with very little work.
  • JavaScript client libraries for consuming the API, especially with AngularJS.
  • Excellent mobile SDKs so you can build nice Android and iOS apps that use your REST API as the backend.
  • Nice command line tools for generating data models quickly using a number of popular databases.
  • It has built-in monitoring and deployment tools to speed deployment.
  • And much more =)

The goal for loopback-stormpath is to extend Loopback with Stormpath’s user and API authentication and other features, so all Loopback developers can have robust authentication and user functionality in only a few minutes. This release is the first step.

Read more »

Java support for JWT (JSON Web Tokens) is in its infancy – the prevalent libraries can require customization around unresolved dependencies and pages of code to assemble a simple JWT.

We recently released an open-source library for JWTs in Java. JJWT aims to be the easiest to use and understand library for creating and verifying JSON Web Tokens (JWTs) on the JVM.

JJWT is a ‘clean room’ implementation based solely on the JWT, JWS, JWE and JWA RFC draft specifications. According to one user on Stack Overflow, it’s “Simple, easy and clean, and worked immediately.” This post will show you how to use it, so any Java app can generate, encrypt and decrypt JWTs without much hassle.

What Are JWTs?

JWTs are an encoded representation of a JSON object. The JSON object consists of zero or more name/value pairs, where the names are strings and the values are arbitrary JSON values. JWT is useful for sending such information in the clear (for example in a URL) while it can still be trusted to be unreadable (i.e. encrypted), unmodifiable (i.e. signed) and URL-safe (i.e. Base64 encoded).

Want to learn more? You can check one of our previous posts and the JWT spec.

JWTs can have different usages: authentication mechanism, URL-safe encoding, securely sharing private data, interoperability, data expiration, etc. Regardless of how you will use your JWT, the mechanisms to construct and verify it are the same. So, let’s see how we can very easily achieve that with the JSON Web Token for Java project.

Read more »

[Image: Gas Mask Sketch]

UPDATED April 2, 2015: This was an April Fools Joke. Read. Laugh. Learn. If you’re building web services, you should most definitely be using HTTPS.

As a security company, we frequently get questions here at Stormpath from developers regarding security best practices. One of the most common questions we get is:

Should I run my site over HTTPS?

Unfortunately, regardless of where you go on the internet, you’ll mostly read the same advice: encrypt everything!, use SSL for all sites!, etc. The reality, of course, is that this is not usually good advice.

There are many circumstances where HTTP is better than HTTPS. HTTP is, in fact, a much better and more useful protocol than HTTPS, which is why we often recommend it to our customers. Here’s why…

Read more »

If you didn’t catch it, in the last article I explained how to build and deploy a real mobile app that uses OAuth2 authentication for your private API service.

In this article, I’m going to cover a tightly related topic: how to properly manage your OAuth2 API token lifecycle.

Because things like token expiration and revocation are so paramount to API security, I figured they deserved their own discussion here.

Token Expiration

One of the most common questions we get here at Stormpath, when talking about token authentication for mobile devices, is about token expiration.

Developers typically ask us this:

“This OAuth2 stuff with JSON Web Tokens sounds good, but how long should I allow my access tokens to exist before expiring them? I don’t want to force my users to re-authenticate every hour. That would suck.”

This is an excellent question. The answer is a bit tricky though. Here are some general rules:

Read more »

Mobile API consumption is a topic that comes up frequently on both Stack Overflow and the Stormpath support channel. It’s a problem that has already been solved, but requires a lot of prerequisite knowledge and sufficient understanding in order to implement properly.

This post will walk you through everything you need to know to properly secure a REST API for consumption on mobile devices, whether you’re building a mobile app that needs to access a REST API, or writing a REST API and planning to have developers write mobile apps that work with your API service.

My goal is to not only explain how to properly secure your REST API for mobile developers, but to also explain how the entire exchange of credentials works from start to finish, how to recover from security breaches, and much more.

Read more »

AngularJS is a framework for building front-end (browser) applications, also known as “Single Page Apps” (SPAs), and we think it’s superb!

AngularJS makes it very easy to build a complex, responsive application, particularly to put a SPA on top of your API service. And once you have an app up, you want your users to be able to log in.

In this tutorial we will:

  • Scaffold a basic AngularJS app with Yeoman, Bower and Grunt
  • Create a simple API backend using Node.js for a “Fullstack” project (meaning it has both a front-end and back-end, paired together).
  • Use Stormpath, a user management API, to manage authentication and other user management features in a new AngularJS project. Throughout this tutorial we reference the Stormpath AngularJS SDK Docs and the complete Stormpath AngularJS Guide. Those resources will help you move beyond this tutorial and explore all the possibilities of our AngularJS SDK.
  • Set up common user routes and views for registration, login, and user profile data.

Here is a preview of what it will look like:

[Screenshots: Registration Form, Login Form, User Profile View]

Let’s get started!

Read more »

Stormpath has recently worked on token authentication features using JSON Web Tokens (JWT), and we have had many conversations about the security of these tokens and where to store them.

If you are curious about your options, this post is for you. We will cover the basics of JSON Web Tokens (JWT), cookies, HTML5 web storage (localStorage/sessionStorage), and basic information about cross-site scripting (XSS) and cross site request forgery (CSRF).

Let’s get started…

JSON Web Tokens (JWT): A Crash Course

The most implemented solutions for API authentication and authorization are the OAuth 2.0 and JWT specifications, which are fairly dense. Cliff’s Notes Time! Here’s what you need to know:

Read more »

One of the biggest development trends over the last few years is a move towards architectures based on API services. While it’s increasingly common for new applications to start fresh with a services-friendly framework and functionality offloaded to API services, it’s much less common to rebuild traditional applications in a service-oriented architecture. It’s harder, there’s much more risk, as well as legacy mayhem to contend with. We applaud people who do it, and particularly the audacious people who do it for the love of Java development.

Read more »

Stormpath Python Support

At Stormpath, we really love our Python users. Over the past year we’ve made:

In short, we’ve been working hard to not only improve our Python user experience, but also improve the overall quality and feel of our libraries and integrations.

Many of the suggestions for improvements and bug fixes – as well as solutions – come from our community.

Read more »

A true Renaissance man, Pedro Baumann wears a number of professional hats: Web Developer, Linux SysAdmin, practicing Psychotherapist. But in his free time, the full stack developer plays in Flask.

“As a Flask developer, I’m always testing new technologies,” Pedro explained. “When I found out about Stormpath, I thought it was a great idea. In my personal projects, I had used OpenID login services, Facebook services, and sometimes built the user:passwords database myself, but I did not like it! I am not a security expert, nor a database guru, so Stormpath is the solution to offering a reliable user management system to our customers.”

Pedro tested Stormpath for a webapp to manage patients in his practice, and was impressed with the results. “I even skipped using a database at all and just added all the info I needed to the customData functionality Stormpath offers,” he said.

Read more »
