JavaScript App Security: Auth and Identity on the Client
Jonathan LeBlanc
Director of Developer Advocacy @ Box
Email: jleblanc@box.com
What are the issues on the client?
Front-end JavaScript code should be treated as a completely insecure environment when making privileged API requests.
Jonathan LeBlanc • Director of Developer Advocacy @ Box • Twitter: @jcleblanc • Email: jleblanc@box.com
Agenda for Today
Browser and Data: Working with browser security and identifying sensitive data.
API Communication Hurdles: Services and standards for handling auth and identity.
Improving Token Security: How to work with tokens linked to highly secure information.
Part 1: Browser and Data
1 What data should be secured?
Application Keys (app identity): Public / private keys, application access keys, or any other app authentication keys.
Access Tokens (app access): Generated access tokens, pre-authorized access tokens, or any other string that grants privileged access to resources.
Sensitive Information: Any sensitive non-anonymized, unencrypted information that can be attributed back to a user.
1 What problem do we need to solve?
What are the issues on the client?
The browser security model restricts API requests to the same domain, subdomain, and port as the originating request.
1 The technology we’re looking at
CORS (Cross Origin Resource Sharing)
Allows a web app running at one origin to access resources from another origin by using additional HTTP headers.
https://www.w3.org/TR/cors/
OPTIONS /cors HTTP/1.1
Origin: http://mysite.com
Access-Control-Request-Method: POST
Access-Control-Request-Headers: Authorization
Host: api.service.com
Accept-Language: en-US
Connection: keep-alive
User-Agent: Mozilla/5.0...
Example CORS Preflight Request
Access-Control-Allow-Origin: http://mysite.com
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Headers: Authorization, Content-Type
Content-Type: text/html; charset=utf-8
Example CORS Preflight Response
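The preflight exchange above, seen from the API service's side, as an added example (not code from the slides or from Box): a handler that answers the OPTIONS request by checking the Origin against an explicit allow-list instead of echoing whatever origin arrives. An origin that is not on the list, a method that is not permitted, or a request header that is not permitted all get a response without any Access-Control-Allow-* headers, so the browser blocks the cross-origin call. The allow-list, permitted methods and headers, and the request object shape are assumptions made for the example.

```javascript
// Added example: server-side CORS preflight handling with an origin allow-list.
// The allow-list and header map shape are constructed for this example.
const ALLOWED_ORIGINS = new Set(['http://mysite.com', 'https://mysite.com']);
const ALLOWED_METHODS = ['GET', 'POST', 'OPTIONS'];
const ALLOWED_HEADERS = ['authorization', 'content-type'];

// Build the response for a CORS preflight. `req.headers` is a map keyed by
// lower-cased header name. Returns { status, headers }.
function handlePreflight(req) {
  const origin = req.headers['origin'];
  const method = (req.headers['access-control-request-method'] || '').toUpperCase();
  const requested = (req.headers['access-control-request-headers'] || '')
    .split(',')
    .map((h) => h.trim().toLowerCase())
    .filter(Boolean);

  // Unknown origin: answer without CORS headers so the browser refuses the call.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, headers: {} };
  }
  // Method the API does not expose cross-origin.
  if (!ALLOWED_METHODS.includes(method)) {
    return { status: 403, headers: {} };
  }
  // Any requested header outside the permitted set fails the whole preflight.
  const disallowed = requested.filter((h) => !ALLOWED_HEADERS.includes(h));
  if (disallowed.length > 0) {
    return { status: 403, headers: {} };
  }
  return {
    status: 204,
    headers: {
      // Echo the specific allowed origin; '*' is refused by browsers once
      // credentials (cookies, Authorization) are involved.
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Methods': ALLOWED_METHODS.join(', '),
      'Access-Control-Allow-Headers': 'Authorization, Content-Type',
      // Caches must key on Origin, or one origin's answer would be served to another.
      'Vary': 'Origin',
      'Access-Control-Max-Age': '600',
    },
  };
}

// Constructed preflight request mirroring the slide's example.
const samplePreflight = {
  method: 'OPTIONS',
  headers: {
    'origin': 'http://mysite.com',
    'access-control-request-method': 'POST',
    'access-control-request-headers': 'Authorization',
    'host': 'api.service.com',
  },
};

console.log(handlePreflight(samplePreflight));
```

The handler never reads the Origin header to decide what to allow; it only decides whether the origin is one it already trusts. That is the property to check when reviewing CORS code: a service that reflects any Origin into Access-Control-Allow-Origin (often together with Access-Control-Allow-Credentials) has effectively switched the same-origin policy off for authenticated requests.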
Part 2: API Communication Hurdles
2 Authentication versus Authorization
Authentication: Services, specifications, or processes that are used to identify a user or an application.
Authorization: Processes that are used to grant an application permission to make requests on behalf of the user or application.
2 What problem do we need to solve?
What are the issues on the client?
When making API requests, most services require that you are authorized to make those requests, either as the application or the user.
2 The technology we're looking at
CORS: As previously discussed, this will allow us to make HTTP requests to the required API service at another origin.
OAuth 2: OAuth 2 is the open authorization system that may be used to make authorized requests to the API service.
2 How the standard OAuth 2 flow works
Client Application <-> OAuth Service / Resource Owner
1. Client app redirects user to log in / authorization
2. OAuth Service sends authorization grant
3. Client POST request to fetch access token
4. OAuth service validates and sends access token
5. Client makes requests for privileged resources
2 How the OAuth 2 implicit grant flow works
Client Application <-> OAuth Service / Resource Owner
1. Client app redirects user to log in / authorization
2. OAuth Service validates client app and responds with access token in query string
3. Client makes requests for privileged resources
https://www.myapp.com/callback
#access_token=T9cE5asGnuyYCCqIZFoWjFHvNbvVqHjl
&refresh_token=J7rxTiWdOHbUnsUfGMinKBDLZWP9BgR
&expires_in=7200
&state=mystate
Example of a token returned in the OAuth 2 implicit grant flow
2 What problem do we need to solve?
What are the issues on the client?
The standard 3-legged auth process means that you have to log in to the API service. How can I use my existing identity system to use the service behind the scenes?
2 The technology we're looking at
OAuth 2: OAuth 2 is the open authorization system that may be used to make authenticated requests to the API service.
JWT: JSON Web Tokens provide a mechanism for bringing in an existing identity system to bypass the third leg of OAuth.
2 Which part of the flow does JWT target?
Client Application <-> OAuth Service / Resource Owner
1. Client app redirects user to log in / authorization
2. OAuth Service validates client app and responds with access token in query string
3. Client makes requests for privileged resources
2 What are the components of a JWT request?
XXXXXXXX.YYYYYYYY.ZZZZZZZZ
X (Header): Token type and hashing algorithm
Y (Payload): User / verification content
Z (Signature): Header, payload, and secret
2 The components of a JWT header
alg: The hashing algorithm to be used (RSA / HMAC).
typ: The token type, always JWT.
2 The components of a JWT payload
iss (issuer): The party that issued the token.
sub (subject): The subject of the token.
aud (audience): Audience the token is intended for.
exp (expiration time): Expiration time of the token.
nbf (not before): Starting time from which the token is valid.
iat (issued at): When the token was issued.
jti (JWT ID): Unique identifier for the token.
2 The components of a JWT Signature
Encoded Data: Base64url-encoded header + payload.
Secret: The signing key (a shared secret for HMAC, a private key for RSA).
const header = { alg: 'HS256', typ: 'JWT' };   // HS256 = HMAC with SHA-256
const payload = {
  sub: '4355676', exp: 1481160294, jti: '841112'   // exp is a numeric date (seconds since epoch)
};
// signature = HMAC-SHA256 over "header.payload", both segments base64url-encoded, keyed with the secret
HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret)
Sample JWT Request Segments
2 Securing JWT / OAuth 2 Communication
Web App: Doesn't hold a persistent token, simply assumes a token is available.
Identity Provider: Service like Auth0 to manage secure identity / token procurement from the API service.
Serverless Function: Serverless API gateway function with code to procure tokens (e.g. Webtask, AWS Lambda).
API Service: Service that provides endpoints for data which the web app would like to consume.
Part 3: Improving Token Security
3 What problem do we need to solve?
What are the issues on the client?
When using an access token within front-end code, you are exposing a potentially long-lived key with extensive data access permissions.
3 The technology we're looking at
Token Downscoping: The ability to programmatically generate a highly restricted child token with the intent of minimizing information exposure in insecure code / environments.
3 Token downscoping process
Fully Scoped Token: Standard OAuth 2 token that is fully scoped with the application and user permissions.
Downscoped Token: New child token that is tightly restricted for read / write access and permissions.
Client-side Code: Downscoped token is deployed to client-side code, mobile, or UI to make HTTP requests.
3 Least privilege principle for downscoped tokens
Tightly scoped for single file: A token should only be scoped for the item needed for processing, such as a file.
Short lived: Downscoped tokens should only live for their natural useful time (e.g. 1 hour) and should not be refreshable.
Revocable: Downscoped tokens may be revoked before natural expiration through the API.
Split read / write functions: To further scope token exposure, separate read / write tokens can be issued.
3 Downscoped Token Components
Fully Scoped, Long Lived Token
• Read / write all files / folders
• Manage all users
• Create webhooks
• Manage enterprise settings
New Scopes
• Preview item
• Download item
• Share item
New Access Rights
• Read access to file id 1234567
• Token revokes in 1hr
client.exchangeToken('item_preview, item_share, item_download')
  .then((tokenInfo) => {
    // token available in tokenInfo.accessToken
  }).catch((err) => {
    console.error(err);
  });
Downscoping a Token Example
Topic Recap
Browser and Data: How do we communicate from JS and what data should we protect.
API Communication Hurdles: Tech to handle authentication / authorization / key management.
Improving Token Security: Taking long lived tokens from the API service and scoping down based on least privilege principle.
Thank You
https://speakerdeck.com/jcleblanc
Jonathan LeBlanc
Director of Developer Advocacy @ Box
Email: jleblanc@box.com

Designing A Time bound resource download URLRuncy Oommen
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Adtran
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 

Recently uploaded (20)

Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
UWB Technology for Enhanced Indoor and Outdoor Positioning in Physiological M...
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Nanopower In Semiconductor Industry.pdf
Nanopower  In Semiconductor Industry.pdfNanopower  In Semiconductor Industry.pdf
Nanopower In Semiconductor Industry.pdf
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Building AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptxBuilding AI-Driven Apps Using Semantic Kernel.pptx
Building AI-Driven Apps Using Semantic Kernel.pptx
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
Designing A Time bound resource download URL
Designing A Time bound resource download URLDesigning A Time bound resource download URL
Designing A Time bound resource download URL
 
Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™Meet the new FSP 3000 M-Flex800™
Meet the new FSP 3000 M-Flex800™
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 

JavaScript App Security: Auth and Identity on the Client

  • 1. JavaScript App Security: Auth and Identity on the Client Jonathan LeBlanc Director of Developer Advocacy @ Box Email: jleblanc@box.com
  • 2. What are the issues on the client? Front-end JavaScript code should be treated as a completely insecure environment when making privileged API requests Jonathan LeBlanc • Director of Developer Advocacy @ Box • Twitter: @jcleblanc • Email: jleblanc@box.com
  • 3. Agenda for Today. Browser and Data: Working with browser security and identifying sensitive data. API Communication Hurdles: Services and standards for handling auth and identity. Improving Token Security: How to work with tokens linked to highly secure information.
  • 4. Part 1: Browser and Data
  • 5. 1 What data should be secured? Application Keys (app identity): Public / private keys, application access keys, or any other app authentication keys. Access Tokens (app access): Generated access tokens, pre-authorized access tokens, or any other string that grants privileged access to resources. Sensitive Information: Any sensitive non-anonymized, unencrypted information that can be attributed back to a user.
  • 6. 1 What problem do we need to solve? The browser security model restricts API requests to the same domain, subdomain, and port as the originating request.
  • 7. 1 The technology we're looking at: CORS (Cross Origin Resource Sharing). Allows a web app running at one origin to access resources from another origin by using additional HTTP headers. https://www.w3.org/TR/cors/
  • 8. Example CORS Preflight Request
    OPTIONS /cors HTTP/1.1
    Origin: http://mysite.com
    Access-Control-Request-Method: POST
    Access-Control-Request-Headers: Authorization
    Host: api.service.com
    Accept-Language: en-US
    Connection: keep-alive
    User-Agent: Mozilla/5.0...
  • 9. Example CORS Preflight Response
    Access-Control-Allow-Origin: http://mysite.com
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Allow-Headers: Authorization, Content-Type
    Content-Type: text/html; charset=utf-8
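The slides show the preflight exchange but not what api.service.com has to decide before answering it. The following is an added example, not code from the deck or from Box: a small preflight handler that produces the slide 9 response headers for the slide 8 request. The policy object, the header names it reads, and the sample request are constructed for the example. The security-relevant choices are that origins are matched exactly against an allowlist (never by substring or regex), that the single matched origin is echoed back instead of `*`, and that `Vary: Origin` is set so a shared cache never serves one origin's answer to another.

```javascript
// Added example (not from the slides): the server side of a CORS preflight.

// Constructed policy for api.service.com. Origins are compared exactly
// (scheme + host + port); a substring match would also accept
// "http://mysite.com.attacker.example".
const corsPolicy = {
  allowedOrigins: new Set(['http://mysite.com']),
  allowedMethods: ['GET', 'POST', 'OPTIONS'],
  allowedHeaders: ['Authorization', 'Content-Type'],
};

// Returns the response headers for an accepted preflight, or null when the
// preflight must be refused (the browser then blocks the actual request).
function handlePreflight(requestHeaders, policy) {
  // HTTP header names are case-insensitive, so normalise before lookup.
  const h = {};
  for (const [name, value] of Object.entries(requestHeaders)) {
    h[name.toLowerCase()] = value;
  }

  // A missing Origin, the literal "null" origin (sandboxed iframes, file://)
  // or any unlisted origin is refused.
  const origin = h['origin'];
  if (!origin || !policy.allowedOrigins.has(origin)) return null;

  const method = (h['access-control-request-method'] || '').toUpperCase();
  if (!policy.allowedMethods.includes(method)) return null;

  // Every requested header must be on the allowlist, compared case-insensitively.
  const allowedLower = policy.allowedHeaders.map((x) => x.toLowerCase());
  const requested = (h['access-control-request-headers'] || '')
    .split(',')
    .map((x) => x.trim().toLowerCase())
    .filter(Boolean);
  if (!requested.every((x) => allowedLower.includes(x))) return null;

  return {
    // Echo the one matched origin rather than "*": a wildcard cannot be
    // combined with credentials and would expose the resource to every site.
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Methods': policy.allowedMethods.join(', '),
    'Access-Control-Allow-Headers': policy.allowedHeaders.join(', '),
    // The answer depends on Origin; tell caches so.
    'Vary': 'Origin',
  };
}

// Constructed sample mirroring the slide 8 preflight request.
const samplePreflight = {
  'Origin': 'http://mysite.com',
  'Access-Control-Request-Method': 'POST',
  'Access-Control-Request-Headers': 'Authorization',
  'Host': 'api.service.com',
};
```

Run `handlePreflight(samplePreflight, corsPolicy)` to get the slide 9 headers; change the Origin to a look-alike domain, request `DELETE`, or add an unlisted request header and the function returns null, which is the outcome the browser enforces on the client's behalf.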
  • 10. Part 2: API Communication Hurdles
  • 11. 2 Authentication versus Authorization. Authentication: Services, specifications, or processes that are used to identify a user or an application. Authorization: Processes that are used to grant an application permission to make requests on behalf of the user or application.
  • 12. 2 What problem do we need to solve? When making API requests, most services require that you are authorized to make those requests, either as the application or the user.
  • 13. 2 The technology we're looking at. CORS: As previously discussed, this will allow us to make HTTP requests to the required API service at another origin. OAuth 2: OAuth 2 is the open authorization system that may be used to make authorized requests to the API service.
  • 14. 2 How the standard OAuth 2 flow works (between the Client Application and the OAuth Service / Resource Owner)
    1. Client app redirects user to log in / authorization
    2. OAuth Service sends authorization grant
    3. Client POST request to fetch access token
    4. OAuth service validates and sends access token
    5. Client makes requests for privileged resources
  • 15. 2 How the OAuth 2 implicit grant flow works (between the Client Application and the OAuth Service / Resource Owner)
    1. Client app redirects user to log in / authorization
    2. OAuth Service validates client app and responds with access token in query string
    3. Client makes requests for privileged resources
  • 17. 2 What problem do we need to solve? The standard 3-legged auth process means that you have to log in to the API service. How can I use my existing identity system to use the service behind the scenes?
  • 18. 2 The technology we're looking at. OAuth 2: OAuth 2 is the open authorization system that may be used to make authenticated requests to the API service. JWT: JSON Web Tokens provide a mechanism for including an existing identity system to bypass the OAuth 3rd leg.
  • 19. 2 Which part of the flow does JWT target? (between the Client Application and the OAuth Service / Resource Owner)
    1. Client app redirects user to log in / authorization
    2. OAuth Service validates client app and responds with access token in query string
    3. Client makes requests for privileged resources
  • 20. 2 What are the components of a JWT request? A token has the form XXXXXXXX.YYYYYYYY.ZZZZZZZZ. X (Header): Token type and hashing algorithm. Y (Payload): User / verification content. Z (Signature): Header, payload, and secret.
  • 21. 2 The components of a JWT header. alg: The hashing algorithm to be used (RSA / HMAC). typ: The token type, always JWT.
  • 22. 2 The components of a JWT payload. iss (issuer): The person that issued the token. sub (subject): The subject of the token. aud (audience): Audience the token is intended for. exp (expiration time): Expiration time of the token. nbf (not before): Starting time the token is available. iat (issued at): When the token was issued. jti (JWT ID): Unique identifier for the token.
  • 23. 2 The components of a JWT signature. Encoded Data: Base64 encoded header + payload. Secret: A private key.
  • 24. Sample JWT Request Segments
    const crypto = require('crypto');
    // alg names the HMAC-SHA256 algorithm the slide calls "HMAC"; typ is always JWT
    const header = { alg: 'HS256', typ: 'JWT' };
    // exp is a numeric date (seconds since the epoch), not a string
    const payload = { sub: '4355676', exp: 1481160294, jti: '841112' };
    const base64UrlEncode = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
    const signingInput = base64UrlEncode(header) + '.' + base64UrlEncode(payload);
    // Signature: HMAC-SHA256 over the encoded header and payload, keyed with the shared secret
    const signature = crypto.createHmac('sha256', secret).update(signingInput).digest('base64url');
    const jwt = signingInput + '.' + signature;
  • 25. 2 Securing JWT / OAuth 2 Communication. Web App: Doesn't hold a persistent token, simply assumes a token is available. Identity Provider: Service like Auth0 to manage secure identity / token procurement from the API service. Serverless Function: Serverless API gateway function with code to procure tokens (e.g. Webtask, AWS Lambda). API Service: Service that provides endpoints for data which the web app would like to consume.
  • 26. Part 3: Improving Token Security
  • 27. 3 What problem do we need to solve? When using an access token within frontend code, you are exposing a potentially long-lived key with extensive data access permissions.
  • 28. 3 The technology we're looking at: Token Downscoping. The ability to programmatically generate a highly restricted child token with the intent of minimizing information exposure in insecure code / environments.
  • 29. 3 Token downscoping process. Fully Scoped Token: Standard OAuth 2 token that is fully scoped with the application and user permissions. Downscoped Token: New child token that is tightly restricted for read / write access and permissions. Client-side Code: Downscoped token is deployed to client-side code, mobile, or UI to make HTTP requests.
  • 30. 3 Least privilege principle for downscoped tokens. Tightly scoped for single file: A token should only be scoped for the item needed for processing, such as a file. Short lived: Downscoped tokens should only live for their natural useful time (e.g. 1 hour) and should not be refreshable. Revocable: Downscoped tokens may be revoked before natural expiration through the API. Split read / write functions: To further scope token exposure, separate read / write tokens can be issued.
  • 31. 3 Downscoped Token Components. Fully Scoped, Long Lived Token: Read / write all files / folders; Manage all users; Create webhooks; Manage enterprise settings. New Scopes: Preview item; Download item; Share item. New Access Rights: Read access to file id 1234567; Token revokes in 1hr.
  • 32. Downscoping a Token Example
    // Scopes are passed as an array; the optional second argument binds the child
    // token to a single resource (the file id from slide 31), which is what keeps
    // the token tightly scoped rather than valid for every item the user can reach
    client.exchangeToken(['item_preview', 'item_share', 'item_download'],
                         'https://api.box.com/2.0/files/1234567')
      .then((tokenInfo) => {
        // token available in tokenInfo.accessToken
      }).catch((err) => {
        console.error(err);
      });
  • 33. Topic Recap. Browser and Data: How do we communicate from JS and what data should we protect. API Communication Hurdles: Tech to handle authentication / authorization / key management. Improving Token Security: Taking long lived tokens from the API service and scoping down based on least privilege principle.
  • 34. Thank You https://speakerdeck.com/jcleblanc Jonathan LeBlanc Director of Developer Advocacy @ Box Email: jleblanc@box.com