Authorization architecture for ember front-end + rails back-end

I am in the planning stages for my application, and while I’ve done ruby and JS programming before, I’ve never scaffolded a full app stack myself before, so please bear with me. I’ve done quite a bit of research, and I’m finding that my use case doesn’t quite line up with any of the numerous examples I’ve found to date. I’d like to get through the stage of laying the groundwork so I can start putting in some code and really play with things.

Assumptions

I intend for a rails-backed JSON API, nearly certainly using rails-api to minimize the middleware (as termed by rails) involved.

The frontend will be an ember.js app, and should require authorization before the app gets served. This is a bit of security-through-obscurity, but I’d prefer to not serve up the whole admin app to just anyone; I’d prefer to only serve it to people who can first produce valid login credentials.

I am looking very closely at JWT, as it’s implemented for many platforms, and there is the potential for future frontends implemented as native iOS/android apps.

I need to allow users to log-in via either static html+js or rails views.

Once a user is authenticated, they should be redirected to the ember app, and the authentication token needs to be passed into the ember app, where it will be used to authorize access to the back-end API.

While the user is inside the ember app, timeout should be fairly short (~ 5 minutes guesstimate), but authorization should be refreshed while the user is active (hitting the back-end API is probably? sufficient indicator of activity)

If the authorization times out, the user should be re-directed to login. There will be no “remember-me” functionality; login is required.

I am expecting to serve all content across SSL, using nginx + passenger as the production server.

I am currently assuming two rails apps back-end API app. Requires authorization- use modified devise?
front-end app - use modified devise? + ember-cli-rails to serve the ember app, and devise views for login, password-reset etc?

I am assuming that the two rails apps need to share a database, so that both have access to the authentication data.

Questions:

Should I be using a modified ember-simple-auth within the ember app, or simply use the jsonwebtoken npm?

Should I use rails to serve the ember app via ember-cli-rails in order to enforce authorization, or is there a different/better way?

How should the JWT token get initially passed into the ember app, so the ember app can subsequently use it for access to the back-end API?

Should the back-end API refresh tokens with all API requests, or should there be a timed function in the ember app which uses a separate API endpoint to refresh its token?

http://madhatted.com/2014/6/17/authentication-for-single-page-apps

This url might not answer your questions but it’s a nice read if you are designing an auth workflow in Ember. Especially it has an excellent description of an authentication workflow for single page apps.

I believe thd answer lies on implementing Oauth2 with JWT as token and simple auth.

Some solid design points made in that article, but unfortunately, it doesn’t cover my two biggest questions; passing the JWT into the ember app, and best-practices for refreshing the JWT.

Looking at Oauth2, it makes some sense, but my gut is telling me that it’s overkill for what I want to do.

At this point, I’m thinking of storing the JWT to localstorage with some simple javascript on the login page, then creating a function in ember that runs during initialization to retreive and delete the JWT from the localstorage- so that would allow me to pass the JWT into the ember app.

Now I just need to figure out the best approach to refreshing the JWTs, unless someone shows up and tells me that I’ve got some major flaws in my approach.

Have you explored simple auth? It does all that you ask namely store the JWT Token and send it with every request. Why do you think OAuth2 is overkill? Oauth2 have password grant which is the simplest token based authentication I have ever known

I assume by simple auth, you mean the “ember-simple-auth” package, and yes, it’s on my list of packages I suspect will be part of my solution. I’m also looking at the “ember-simple-auth-token” package, which extends ember-simple-auth to work with JWT tokens. The only question remaining about it is whether I really need it, or can simply roll my own code to perform the ember-side bits I need; storing a JWT, refreshing it, and presenting the current JWT when accessing the back-end API.

When I looked at oauth2, a large part of it appeared to be centered around granting specific access permissions to resources for a foreign system. (e.g. granting a foreign system the permission to read your facebook friends list, or similar things). There’s also the fact that two of the original designers of oath have disavowed oath2, noting that it has been turned into a system designed to meet all the varied requirements for big web companies (e.g. google, facebook) at the expense of simplicity.

JWT on the other hand, looks like it can meet all my requirements and design goals rather simply, with the single caveat that it doesn’t really have a “best practices” for token refresh. It looks like I could generate either oath2 or JWT tokens and accomplish what I would like, but the intent for my token use is very definitely short expiration. If your token times out, log in again to get a new one, and JWT seems to be a bit more in line with that.

Well its finally up to you to choose which way you will go. As for me I use ESA+Oauth2 Where by the token generated is JWT (as opposed to normal token). It works fine and I don’t think its overkill.

As for Oauth authors avowing OA2 I read it long ago and it was to me a more philosophical difference than a reality. Oauth2 is not Oauth and is better in many ways.

Again go with what you want but remember, the tested piece of software written by junior coder is better than untested one written by code maverick!

@mtangoo, I like the idea of ESA+OAuth2 with JWT. Do you have some links to tutorials implementing this in Rails and EmberJS?

The best I could find is two part simplistic @emberigniter tutorial found here That with official docs at ESA got me on track. If you have specific question after trying out I will be willing to help!

That being said, I use PHP and Yii framework so I don’t know how to do it in Rails!

Thanks for the reply @mtangoo!

did you succeed? Can you share your challenges?

I haven’t proceeded to putting up my backend yet. I already configured ESA and is mocking the authentication/authorization with ember-cli-mirage.

@mtangoo, what do you use for JWT together with ESA? is it ember-simple-auth-token?

I use ESA’s oauth2. My OAuth2 token is JWT.