WTH is a JWT

•

0 gostou•312 visualizações

This is a talk given at CharmCityJS on May 2nd 2018. Chances are sooner or later your shiny new single page application will need authentication. Add some security and resource access control to that list as well. But how can we integrate all of this into a single page application that is entirely public? How can we ensure that our users only have access to the resources they are authorized to by hacking way in via the console? In this talk, the attendees will learn about l JSON Web Tokens (JWT) and see how they can be used to properly secure single page applications.

Tecnologia

WTH is a JWT
A Quick Intro To Token Based Authentication

@joel__lord
#i?JS18
About Me
@joel__lord
joellord

Traditional
Applications
! Browser requests a
login page

Traditional
Applications
! Browser requests a
login page
! The server validates
on its database

Traditional
Applications
! Browser requests a
login page
! The server validates
on its database
! It creates a session
and provides a
cookie identifier

What’s wrong with
traditional auth?
! Multiple platforms
connecting to your
application

What’s wrong with
traditional auth?
! Multiple platforms
connecting to your
application
! Tightly coupled

What’s wrong with
traditional auth?
! Multiple platforms
connecting to your
application
! Tightly coupled
! Sharing credentials
to connect to another
API

@joel__lord
CharmCityJS
Authentication Flows
Implicit Flow

JSON Web Token
! Header
! Payload
! Signature
Header
{
"alg": "HS256",
"typ": "JWT"
}
Payload
{
"sub": "1234567890",
"name": "Joel Lord",
"scope": "posts:read posts:write"
}
Signature
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload), secret)

JSON Web Token
! Header
! Payload
! Signature
Header
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
Payload
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvZWwgTG
9yZCIsImFkbWluIjp0cnVlLCJzY29wZSI6InBvc3RzOnJlY
WQgcG9zdHM6d3JpdGUifQ
Signature
XesR-pKdlscHfUwoKvHnACqfpe2ywJ6t1BJKsq9rEcg

JSON Web Token
! Header
! Payload
! Signature eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj
M0NTY3ODkwIiwibmFtZSI6IkpvZWwgTG9yZCIsImFkbWl
uIjp0cnVlLCJzY29wZSI6InBvc3RzOnJlYWQgcG9zdHM6d
3JpdGUifQ.XesR-
pKdlscHfUwoKvHnACqfpe2ywJ6t1BJKsq9rEcg

JSON Web Token
! Header
! Payload
! Signature
Image: https://jwt.io

$@joel__lord CharmCityJS Create a JWT // sign with default (HMAC SHA256) var jwt = require('jsonwebtoken'); var token = jwt.sign({ name: 'Joel Lord' }, 'secret');$

$@joel__lord CharmCityJS Create a JWT // sign with default (HMAC SHA256) var jwt = require('jsonwebtoken'); var token = jwt.sign({ name: 'Joel Lord' }, 'secret'); eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJuYW1lIjoiSm9lbCBMb3JkIiwiaWF0Ijox NTI1MTc2NDI3fQ.V89hohVfp1uVNfunkpdl ewNyvGCX5iPPxe1YpM-RqRg$

@joel__lord
CharmCityJS
Validate a JWT
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiSm9lbCBMb3JkIiwiaWF0IjoxNTI1MTc2NDI3fQ
.V89hohVfp1uVNfunkpdlewNyvGCX5iPPxe1YpM-RqRg

$@joel__lord CharmCityJS Validate a JWT var jwt = require('jsonwebtoken'); // verify a token var data = jwt.verify(token, 'secret'); console.log(data); eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiSm9lbCBMb3JkIiwiaWF0IjoxNTI1MTc2NDI3fQ .V89hohVfp1uVNfunkpdlewNyvGCX5iPPxe1YpM-RqRg { "name": "Joel Lord", "iat": 1525176427 }$

@joel__lord
CharmCityJS
Front-End
Add the headers

Live Demo
https://github.com/joellord/
secure-spa-auth0

WTH is a JWT
@joel__lord
joellord
Charm City JS
May 2nd, 2018

Mais conteúdo relacionado

Mais procurados

エンタープライズの視点からFIDOとFederationのビジネスを考えるMasaru Kurahayashi

OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tkNov Matake

FIDO alliance #idcon vol.18Nov Matake

SAML VS OAuth 2.0 VS OpenID ConnectUbisecure

FIDO Specifications Overview: UAF & U2FFIDO Alliance

Authentication ConceptsCharles Southerland

mDevCamp 2016 - Zingly, or how to design multi-banking appPetr Dvorak

Authlete: API Authorization Enabler for API EconomyTatsuo Kudo

Mobile Single-Sign On: Extending SSO Out to the Client - Layer 7's CTO Scott ...CA API Management

FIDO UAF 1.0 Specs: Overview and InsightsFIDO Alliance

OpenID Connect: The new standard for connecting to your Customers, Partners, ...Salesforce Developers

Security Cas And Open IdConSanFrancisco123

CIS14: An Overview of FIDO's Universal Factor (UAF) SpecificationsCloudIDSummit

FIDO UAF 1.0 Specs: Overview and InsightsFIDO Alliance

Mais procurados (15)

エンタープライズの視点からFIDOとFederationのビジネスを考える

OAuth 2.0 & OpenID Connect @ OpenSource Conference 2011 Tokyo #osc11tk

FIDO alliance #idcon vol.18

SAML VS OAuth 2.0 VS OpenID Connect

FIDO Specifications Overview: UAF & U2F

Authentication Concepts

mDevCamp 2016 - Zingly, or how to design multi-banking app

Authlete: API Authorization Enabler for API Economy

Mobile Single-Sign On: Extending SSO Out to the Client - Layer 7's CTO Scott ...

FIDO UAF 1.0 Specs: Overview and Insights

OpenID Connect: The new standard for connecting to your Customers, Partners, ...

Security Cas And Open Id

CIS14: An Overview of FIDO's Universal Factor (UAF) Specifications

FIDO UAF 1.0 Specs: Overview and Insights

Semelhante a WTH is a JWT

I Don't Care About Security (And Neither Should You)Joel Lord

API Security FundamentalsJosé Haro Peralta

CIS13: Taking the Hyperspace Bypass: Controlling User Access to Other WorldsCloudIDSummit

Claim based authentaicationSean Xiong

Securing Web Applications with Token AuthenticationStormpath

FIDO & Strong Authentication Technology LandscapeFIDO Alliance

Are Bot Operators Eating Your Lunch?Distil Networks

APIs: The New Security LayerApigee | Google Cloud

FIDO UAF Specifications: Overview & Tutorial FIDO Alliance

Enhancing your Security APIsApigee | Google Cloud

OAuth 1.0simonetripodi

api_slides.pptxadewad

Token Authentication for Java ApplicationsStormpath

Protecting Your APIs Against Attack & Hijack CA API Management

Hackers versus Developers and Secure Web ProgrammingAkash Mahajan

apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...apidays

Distributed Authorization with Open Policy Agent.pdfNordic APIs

Rtp rsp16-distil networks-final-deckG3 Communications

Building the Social Web with OpenIDSimon Willison

Mit 2014 introduction to open id connect and o-auth 2Justin Richer

Semelhante a WTH is a JWT (20)

I Don't Care About Security (And Neither Should You)

API Security Fundamentals

CIS13: Taking the Hyperspace Bypass: Controlling User Access to Other Worlds

Claim based authentaication

Securing Web Applications with Token Authentication

FIDO & Strong Authentication Technology Landscape

Are Bot Operators Eating Your Lunch?

APIs: The New Security Layer

FIDO UAF Specifications: Overview & Tutorial

Enhancing your Security APIs

OAuth 1.0

api_slides.pptx

Token Authentication for Java Applications

Protecting Your APIs Against Attack & Hijack

Hackers versus Developers and Secure Web Programming

apidays Helsinki & North 2023 - API authorization with Open Policy Agent, And...

Distributed Authorization with Open Policy Agent.pdf

Rtp rsp16-distil networks-final-deck

Building the Social Web with OpenID

Mit 2014 introduction to open id connect and o-auth 2

Mais de Joel Lord

From Ceasar Cipher To Quantum CryptographyJoel Lord

I Don't Care About Security (And Neither Should You)Joel Lord

Forgot Password? Yes I Did!Joel Lord

I Don't Care About Security (And Neither Should You)Joel Lord

Mot de passe oublié? Absolument!Joel Lord

Asynchronicity: concurrency. A tale ofJoel Lord

Learning Machine LearningJoel Lord

Forgot Password? Yes I Did!Joel Lord

WTH is a JWTJoel Lord

I Don't Care About Security (And Neither Should You)Joel Lord

Forgot Password? Yes I Did!Joel Lord

I Don't Care About Security (And Neither Should You)Joel Lord

Asynchonicity: concurrency. A tale ofJoel Lord

I Don't Care About Security Joel Lord

I Don't Care About Security (And Neither Should You)Joel Lord

Learning Machine LearningJoel Lord

Rise of the NodebotsJoel Lord

Mais de Joel Lord (20)

From Ceasar Cipher To Quantum Cryptography

I Don't Care About Security (And Neither Should You)

Forgot Password? Yes I Did!

I Don't Care About Security (And Neither Should You)

Mot de passe oublié? Absolument!

Asynchronicity: concurrency. A tale of

Learning Machine Learning

Forgot Password? Yes I Did!

WTH is a JWT

I Don't Care About Security (And Neither Should You)

Forgot Password? Yes I Did!

I Don't Care About Security (And Neither Should You)

Asynchonicity: concurrency. A tale of

I Don't Care About Security

I Don't Care About Security (And Neither Should You)

Learning Machine Learning

Rise of the Nodebots

Último

ICT role in 21st century education and its challengesrafiqahmad00786416

2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong

Apidays New York 2024 - The value of a flexible API Management solution for O...apidays

Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbuapidays

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays

A Year of the Servo Reboot: Where Are We Now?Igalia

GenAI Risks & Security Meetup 01052024.pdflior mazor

Real Time Object Detection Using Open CVKhem

Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10

Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer

How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes

"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz

Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez

MINDCTI Revenue Release Quarter One 2024MIND CTI

Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1

Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun

WTH is a JWT

1. WTH is a JWT A Quick Intro To Token Based Authentication

2. @joel__lord #i?JS18 About Me @joel__lord joellord

3. Traditional Applications ! Browser requests a login page

4. Traditional Applications ! Browser requests a login page

5. Traditional Applications ! Browser requests a login page

6. Traditional Applications ! Browser requests a login page ! The server validates on its database

7. Traditional Applications ! Browser requests a login page ! The server validates on its database 👍

8. Traditional Applications ! Browser requests a login page ! The server validates on its database ! It creates a session and provides a cookie identifier

9. What’s wrong with traditional auth? ! Multiple platforms connecting to your application

10. What’s wrong with traditional auth? ! Multiple platforms connecting to your application ! Tightly coupled

11. What’s wrong with traditional auth? ! Multiple platforms connecting to your application ! Tightly coupled ! Sharing credentials to connect to another API

12. What’s wrong with traditional auth? ! Multiple platforms connecting to your application ! Tightly coupled ! Sharing credentials to connect to another API ! Users have a gazillion passwords to remember, which increases security risks

13. Token Based Auth !

14. OAuth

15. @joel__lord CharmCityJS Authentication Flows Implicit Flow

16. @joel__lord CharmCityJS Authentication Flows Implicit Flow

17. @joel__lord CharmCityJS Authentication Flows Implicit Flow

18. @joel__lord CharmCityJS Authentication Flows Implicit Flow

19. JSON Web Token ! Header ! Payload ! Signature Header { "alg": "HS256", "typ": "JWT" } Payload { "sub": "1234567890", "name": "Joel Lord", "scope": "posts:read posts:write" } Signature HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

20. JSON Web Token ! Header ! Payload ! Signature Header eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 Payload eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvZWwgTG 9yZCIsImFkbWluIjp0cnVlLCJzY29wZSI6InBvc3RzOnJlY WQgcG9zdHM6d3JpdGUifQ Signature XesR-pKdlscHfUwoKvHnACqfpe2ywJ6t1BJKsq9rEcg

21. JSON Web Token ! Header ! Payload ! Signature eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj M0NTY3ODkwIiwibmFtZSI6IkpvZWwgTG9yZCIsImFkbWl uIjp0cnVlLCJzY29wZSI6InBvc3RzOnJlYWQgcG9zdHM6d 3JpdGUifQ.XesR- pKdlscHfUwoKvHnACqfpe2ywJ6t1BJKsq9rEcg

22. JSON Web Token ! Header ! Payload ! Signature Image: https://jwt.io

23. Code

24. Authentication Create a JWT

25. @joel__lord CharmCityJS Create a JWT // sign with default (HMAC SHA256) var jwt = require('jsonwebtoken'); var token = jwt.sign({ name: 'Joel Lord' }, 'secret');

26. @joel__lord CharmCityJS Create a JWT // sign with default (HMAC SHA256) var jwt = require('jsonwebtoken'); var token = jwt.sign({ name: 'Joel Lord' }, 'secret'); eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJuYW1lIjoiSm9lbCBMb3JkIiwiaWF0Ijox NTI1MTc2NDI3fQ.V89hohVfp1uVNfunkpdl ewNyvGCX5iPPxe1YpM-RqRg

27. @joel__lord CharmCityJS Create a JWT // sign with default (HMAC SHA256) var jwt = require('jsonwebtoken'); var token = jwt.sign({ name: 'Joel Lord' }, 'secret'); eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJuYW1lIjoiSm9lbCBMb3JkIiwiaWF0Ijox NTI1MTc2NDI3fQ.V89hohVfp1uVNfunkpdl ewNyvGCX5iPPxe1YpM-RqRg { "name": "Joel Lord", "iat": 1525176427 }

28. API Validate a JWT

29. @joel__lord CharmCityJS Validate a JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiSm9lbCBMb3JkIiwiaWF0IjoxNTI1MTc2NDI3fQ .V89hohVfp1uVNfunkpdlewNyvGCX5iPPxe1YpM-RqRg

30. @joel__lord CharmCityJS Validate a JWT var jwt = require('jsonwebtoken'); // verify a token var data = jwt.verify(token, 'secret'); console.log(data); eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiSm9lbCBMb3JkIiwiaWF0IjoxNTI1MTc2NDI3fQ .V89hohVfp1uVNfunkpdlewNyvGCX5iPPxe1YpM-RqRg

31. @joel__lord CharmCityJS Validate a JWT var jwt = require('jsonwebtoken'); // verify a token var data = jwt.verify(token, 'secret'); console.log(data); eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiSm9lbCBMb3JkIiwiaWF0IjoxNTI1MTc2NDI3fQ .V89hohVfp1uVNfunkpdlewNyvGCX5iPPxe1YpM-RqRg { "name": "Joel Lord", "iat": 1525176427 }

32. Front End Handle a JWT

33. @joel__lord CharmCityJS Front-End Add the headers

34. Live Demo https://github.com/joellord/ secure-spa-auth0

35. Delegation!

36. WTH is a JWT @joel__lord joellord Charm City JS May 2nd, 2018