Skip to content

patricksrobertson/wheres_waldo

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

29 Commits

app

app

 
 

config

config

 
 

db

db

 
 

doc

doc

 
 

lib

lib

 
 

log

log

 
 

public

public

 
 

script

script

 
 

test

test

 
 

vendor

vendor

 
 

.gitignore

.gitignore

 
 

Gemfile

Gemfile

 
 

Gemfile.lock

Gemfile.lock

 
 

Procfile

Procfile

 
 

README.md

README.md

 
 

Rakefile

Rakefile

 
 

config.ru

config.ru

 
 

Repository files navigation

OAuth / CORS / Services Proof of Concept

This is where I want to collect the information about this epic journey that I've been undertaking on building SOA on the front and the back end. Hopefully we'll be able to make great use of this.

THE VISION

By having an OAuth2.0 Provider responsible for authentication and authorization we can build rich client™ applications that require little to no server side code to interact with a completly distributed SOA of all our data. We use the bearer token provided by OAuth to allow services to talk to one another and then take advantage of CORS to mashup all of our services into a coherent web application.

The Provider

https://github.com/patricksrobertson/icis_identity

There isn't a lot fancy going on here. We have a basic devise setup that then has a Doorkeeper backed OAuth setup. There are two APIs endpoints that are exposed: api/v1/me - This provides basic information for clients authenticating. apiv/v1/verify - This allows services to ask if a specific token/user id is legit. All services implement middleware that does this automagically.

The Client

https://github.com/patricksrobertson/omniauth-icis https://github.com/patricksrobertson/identity_client

I mention two libraries here. I wrote an Omniauth Client extension based upon the provider I wrote. Then I created a Rails Engine that we can mount inside applicaitons that want to authenticate with the ICIS Identity provider. It has a user object, stores things in the session, and has all the data a client app needs to inject to services later on.

The App

https://github.com/patricksrobertson/wheres_waldo

I chose to use Ember.js for the rich client because it's been getting a lot of buzz and we're considering future applications with it. This ended up being a pretty solid choice because modifying Ember to handle talking to a bunch of different services and passing custom headers in was pretty damn simple.

The Services

https://github.com/patricksrobertson/icis-patient-ex

https://github.com/patricksrobertson/icis-user-ex

These are Rails-API apps that provide JSON API endpoints to the Ember.js application. They authenticate with the OAuth provider with Rack Middleware.

The Middleware

https://github.com/patricksrobertson/rack-icis_identity_auth

This middleware snags the custom headers sent by the Ember.js application and then makes a request to the OAuth provider to confirm that they are in fact legit. I'm personally debating as to whether or not this should be Middleware or if it should be a Rails engine.

In reality, we'll need to persist some sort of 'Access Grant' that tells the middleware that we don't need to make a request to the OAuth provider. It should time out somewhat frequently, but keep us from DDoS'ing our own service. It will also need to paramaterize either a whitelist/blacklist of the API endpoints it is protecting. As it stands, it protects everything.

These things would be easier to accomplish for Rails/Rails-API based apps with an engine and before_filters. If we kept the architecture as Rack Middleware we are free to implement API endpoints in any RACK based framework.

About

Ember.js app for CORS stuff.

Resources

Readme
Activity

Stars

2 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages