Upgrade to Pro — share decks privately, control downloads, hide ads and more …

JWT

Alan Michel Willms Quinot
January 18, 2017
Programming
0
49

 JWT

Alan Michel Willms Quinot

January 18, 2017
Tweet

More Decks by Alan Michel Willms Quinot

See All by Alan Michel Willms Quinot
Do RPC ao GraphQL
alanwillms
0
39
Webpack ❤ Vue.js
alanwillms
0
24
PHP – principais novidades do 5.3 ao 5.6
alanwillms
0
48

Other Decks in Programming

See All in Programming
Code Reviews
bkuhlmann
4
890
二郎系ラーメンのコールで学ぶ AST 解析
memory1994
PRO
7
1.7k
Compose-View Interop in Practice (mDevCamp 2024)
stewemetal
0
110
try! Swift Tokyo 2024のLT枠に採択されたプロポーザルを出すときに考えていたこと
ski
0
350
Git Rebase
bkuhlmann
11
1.6k
"config" ってなんだ? / What is "config"?
okashoi
0
240
データアナリストが行うDatabricksを活用したETLの自動化事例
shinoa
0
260
⼤規模⾔語モデルの拡張(RAG)が 終わったかも知れない件について
nearme_tech
23
15k
Zero Waste, Radical Magic, and Italian Graft – Quarkus Efficiency Secrets
hollycummins
0
230
今、知っておきたい! 生成AIエージェントの世界
elith
3
350
PHP8.3の機能を振り返る / Review of PHP 8.3 features
seike460
PRO
1
110
Git Lint
bkuhlmann
4
750

Featured

See All Featured
Automating Front-end Workflow
addyosmani
1355
200k
Intergalactic Javascript Robots from Outer Space
tanoku
266
26k
Learning to Love Humans: Emotional Interface Design
aarron
266
39k
Design by the Numbers
sachag
274
18k
Code Reviewing Like a Champion
maltzj
513
39k
How To Stay Up To Date on Web Technology
chriscoyier
782
250k
KATA
mclloyd
14
12k
[RailsConf 2023] Rails as a piece of cake
palkan
22
3.9k
The Invisible Side of Design
smashingmag
294
49k
The Cost Of JavaScript in 2023
addyosmani
15
3.8k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
119
39k
Making Projects Easy
brettharned
108
5.5k

Transcript

  1. JWT

  2. Vamos falar sobre: •Cookies •Tokens •JWT

  3. COOKIES

  4. Cookie •Fica salvo em arquivo ou base •Não tem um

    padrão •Sujeito a ataques CSRF

  5. CSRF? •Cross-Site Request Forgery •(Falsificação de requisição entre sites)

  6. None
  7. None
  8. None

  9. TOKENS

  10. Tokens

  11. NossosTokens • São estão inseguros •São só um birlbirlbirl

  12. JWT

  13. JSONWEB TOKENS

  14. JWT eyJhbGciOiJIUzI1NiIsInR5cCI6I kpXVCJ9.eyJzdWIiOiIxMjM0NT Y3ODkwIiwibmFtZSI6IkpvaG4g RG9lIiwiYWRtaW4iOnRydWV9. TJVA95OrM7E2cBab30RMHrH DcEfxjoYZgeFONFh7HgQ

  15. JWT base64(cabeçalho) . base64(conteúdo) . hash( base64(cabeçalho), base64(conteúdo), “segredo” )

  16. JWT { "alg": "HS256", "typ": "JWT" } . conteúdo .

    assinatura

  17. JWT { "alg": "HS256", "typ": "JWT" } . { "sub":

    "3461", "name": "Alan", "admin": true } . assinatura

  18. JWT { "alg": "HS256", "typ": "JWT" } . { "sub":

    "3461", "name": "Alan", "admin": true } . assinatura

  19. JWT eyJhbGciOiJIUzI1NiIsInR5cCI6I kpXVCJ9 . { "sub": "3461", "name": "Alan", "admin":

    true } . assinatura

  20. JWT eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp XVCJ9 . eyJzdWIiOiIxMjM0NTY3ODkwIiwi bmFtZSI6IkpvaG4gRG9lIiwiYWRt aW4iOnRydWV9 . assinatura

  21. JWT eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp XVCJ9 . eyJzdWIiOiIxMjM0NTY3ODkwIiwi bmFtZSI6IkpvaG4gRG9lIiwiYWRt aW4iOnRydWV9 . assinatura

  22. JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXV CJ9 . eyJzdWIiOiIxMjM0NTY3ODkwIiwib mFtZSI6IkpvaG4gRG9lIiwiYWRtaW4i OnRydWV9 . TJVA95OrM7E2cBab30RMHrHDcEfxj oYZgeFONFh7HgQ

  23. JWT eyJhbGciOiJIUzI1NiIsInR5cCI6I kpXVCJ9.eyJzdWIiOiIxMjM0NT Y3ODkwIiwibmFtZSI6IkpvaG4g RG9lIiwiYWRtaW4iOnRydWV9. TJVA95OrM7E2cBab30RMHrH DcEfxjoYZgeFONFh7HgQ

  24. JWT •Padronizado •Compacto •Auto-contido •Seguro

  25. None

  26. O que significa JWT? JSON WEB TOKEN

  27. Como evitar ataques CSRF? Não usar cookies para autenticação, gerar

    um token de proteção para cada requisição, etc.

  28. Quais sãoas partes de um JsonWeb Token? Cabeçalho.Conteúdo.Assinatura

  29. O que possomandarno conteúdo do JWT? Qualquer coisa, mas não

    muito!

  30. Onde o Token está desprotegido? # Método URL Headers Corpo

    1 GET http://site.com?token=secret 2 GET https://site.com?token=secret 3 POST http://site.com token=secret 4 POST https://site.com token=secret 5 GET http://site.com Authorization secret 6 GET https://site.com Authorization secret

  31. Onde o Token está desprotegido? # Método URL Headers Corpo

    1 GET http://site.com?token=secret 2 GET https://site.com?token=secret 3 POST http://site.com token=secret 4 POST https://site.com token=secret 5 GET http://site.com Authorization secret 6 GET https://site.com Authorization secret

  32. FIM! HTTPS://JWT.IO/