PHP Experience 2016 - [Palestra] Json Web Token (JWT)
2 likes2,166 views
The document discusses JSON Web Tokens (JWTs) and their application in authentication and authorization, along with various related technologies and concepts, such as OAuth, CSRF protection, and stateless authentication. It outlines the structure of a JWT including the header, claims, and signature, and emphasizes their advantages in cross-language compatibility and security. Additionally, it provides resources for further learning and practical examples of JWT implementation.
![PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://image.slidesharecdn.com/17h00ivanrosolen-160331183444/85/PHP-Experience-2016-Palestra-Json-Web-Token-JWT-27-320.jpg)
![PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://image.slidesharecdn.com/17h00ivanrosolen-160331183444/85/PHP-Experience-2016-Palestra-Json-Web-Token-JWT-28-320.jpg)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
- 2. Ivan Rosolen Graduado em Sistemas de Informação Pós-graduado em Gerência de Projetos Desenvolvedor a 15+ anos Autor de vários PHPT (testes para o PHP) Entusiasta de novas tecnologias Head of Innovation @ Arizona CTO @ Mokation
- 3. @ivanrosolen
- 5. - Form Request Post/Get - OAuth - Key/Hash - Credenciais em plain text - Session Cookies
- 6. - Data is stored in plain text on the server - Filesystem read/write requests - Distributed/clustered applications - Redis/Sticky sessions
- 7. API
- 8. - Stateless authentication (simplifies horizontal scaling) - Prevent (mitigate) Cross-Site Request Forgery (CSRF) attacks. - Security (https) - Authorization: Bearer
- 9. - Authentication vs. Authorization - 401 unauthorized / 403 forbidden - JWT != ACL
- 10. JOSE
- 11. - JWT - JWS - JWA - JWK - JWE JSON Object Signing and Encryption
- 12. Advantages
- 13. - JSON Web Tokens work across different programming languages - JWTs are self-contained - JWTs can be passed around easily and secure - Better control like “one time token” to forgot password, confirm user, request rates, access, etc. - One token to rule them all (Stateless)
- 14. Anatomy
- 17. Claims - iss: The issuer of the token - sub: The subject of the token - aud: The audience of the token - exp: This will probably be the registered claim most often used. This will define the expiration in NumericDate value. The expiration MUST be after the current date/time. - nbf: Defines the time before which the JWT MUST NOT be accepted for processing - iat: The time the JWT was issued. Can be used to determine the age of the JWT - jti: Unique identifier for the JWT. Can be used to prevent the JWT from being replayed. This is helpful for a one time use token. http://www.slideshare.net/lcobucci/jwt-to-authentication-and-beyond
- 18. Payload / Claims { "iss": "ivanrosolen.com", "exp": 1300819380, "name": "Ivan Rosolen", "admin": true }
- 20. JWS - header - claims payload base64(header) . base64(claims)
- 21. JWA - secret (hmac sha256, rsa256 ....) - encrypt payload with key ‘Xuplau’
- 22. Signature var encodedString = base64UrlEncode(header) + "." + base64UrlEncode(payload); HMACSHA256(encodedString, 'Xuplau');
- 24. Screencast Utilizando PHP será explicado como gerar de forma manual (sem uso de qualquer biblioteca) um JSON Web Token, que pode ser utilizado para compartilhar informações entre aplicações e autorizar o portador do token a acessar dados protegidos. https://www.youtube.com/watch?v=k3KfK0ZS_FY
- 25. Warning!
- 26. Code
- 29. Github - Session - JWT - JOSE
- 30. Refs
- 31. Github https://github.com/ivanrosolen/crud-demo JWT https://github.com/dwyl/learn-json-web-tokens http://jwt.io https://developer.atlassian.com/static/connect/docs/latest/concepts/understanding-jwt.html http://stackoverflow.com/questions/20588467/how-to-do-stateless-session-less-cookie-less-authentication Talks http://www.slideshare.net/erickt86/secureapi http://www.slideshare.net/lcobucci/jwt-to-authentication-and-beyond Luís Otávio Cobucci Oblonczyk https://github.com/lcobucci/jwt https://github.com/Ocramius/PSR7Session
- 32. ????