JSON Web Tokens
17 likes2,725 views
- JSON Web Tokens (JWTs) are a compact and self-contained way for securely transmitting information between parties as JSON objects. JWTs can be signed using a secret or public/private key pair to provide verification of the token. - JWTs contain encoded JSON objects comprising three parts - a header, claims, and signature. The header describes the token type and signing algorithm. Claims contain the user identity and other data. The signature ensures the token hasn't been altered. - JWTs provide a number of advantages over traditional session cookies, including being more leightweight, easier to pass across domains, and not requiring server-side storage. They can also be used to implement stateless authentication for APIs.
JSON Web Tokens
- 2. Ivan Rosolen Graduado em Sistemas de Informação Pós-graduado em Gerência de Projetos Desenvolvedor a 15+ anos Autor de vários PHPT (testes para o PHP) Entusiasta de novas tecnologias Head of Innovation @ Arizona CTO @ Mokation
- 3. @ivanrosolen
- 5. - Form Request Post/Get - OAuth - Key/Hash - Credenciais em plain text - Session Cookies
- 6. - Data is stored in plain text on the server - Filesystem read/write requests - Distributed/clustered applications - Redis/Sticky sessions
- 7. API
- 8. - Stateless authentication (simplifies horizontal scaling) - Prevent (mitigate) Cross-Site Request Forgery (CSRF) attacks. - Security (https) - Authorization: Bearer - 401 unauthorized / 403 forbidden
- 9. JOSE
- 10. - JWT - JWS - JWA - JWK - JWE JSON Object Signing and Encryption
- 11. Advantages
- 12. - JSON Web Tokens work across different programming languages - JWTs are self-contained - JWTs can be passed around easily and secure - Better control like “one time token” to forgot password, confirm user, request rates, access, etc. - One token to rule them all (Stateless)
- 13. Anatomy
- 16. Claims - iss: The issuer of the token - sub: The subject of the token - aud: The audience of the token - exp: This will probably be the registered claim most often used. This will define the expiration in NumericDate value. The expiration MUST be after the current date/time. - nbf: Defines the time before which the JWT MUST NOT be accepted for processing - iat: The time the JWT was issued. Can be used to determine the age of the JWT - jti: Unique identifier for the JWT. Can be used to prevent the JWT from being replayed. This is helpful for a one time use token. http://www.slideshare.net/lcobucci/jwt-to-authentication-and-beyond
- 17. Payload / Claims { "iss": "ivanrosolen.com", "exp": 1300819380, "name": "Ivan Rosolen", "admin": true }
- 19. JWS - header - claims payload base64(header) . base64(claims)
- 20. JWA - secret (hmac sha256, rsa256 ....) - encrypt payload with key ‘Xuplau’
- 21. Signature var encodedString = base64UrlEncode(header) + "." + base64UrlEncode(payload); HMACSHA256(encodedString, 'Xuplau');
- 23. Code
- 26. Github - Session - JWT - JOSE
- 27. Refs
- 28. Github https://github.com/ivanrosolen/crud-demo JWT https://github.com/dwyl/learn-json-web-tokens http://jwt.io https://developer.atlassian.com/static/connect/docs/latest/concepts/understanding-jwt.html http://stackoverflow.com/questions/20588467/how-to-do-stateless-session-less-cookie-less-authentication Talks http://www.slideshare.net/erickt86/secureapi http://www.slideshare.net/lcobucci/jwt-to-authentication-and-beyond Luís Otávio Cobucci Oblonczyk https://github.com/lcobucci/jwt https://github.com/Ocramius/PSR7Session
- 29. ????