Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The proper way to use JWTs for API Authorization on the web

Adam L Barrett
March 15, 2019
Programming
0
150

The proper way to use JWTs for API Authorization on the web

Using JSON Web Tokens (JWTs) for API Authorization can have awesome benefits over the more traditional session-ids approach: stateless verification/authorization, cross-domain and being client-side readable, but using JWTs on the web can be contentious. There is a lot of concern (and a lot of FUD spread) about using JWTs in web apps, specifically about storing the JWT in localstorage, but luckily there is a better way...

Adam L Barrett

March 15, 2019
Tweet

More Decks by Adam L Barrett

See All by Adam L Barrett
Server-Side Rendering for any JS Framework
bigab
1
58
The easiest way to secure your JAM Stack apps user data
bigab
0
190
Think Async: Asynchronous Patterns in NodeJS
bigab
1
270
The Modlet Pattern: A better way to organize your front-end code
bigab
0
210

Other Decks in Programming

See All in Programming
Try creating your own orderedmap
kazamori
1
150
R言語の環境構築と基礎 Tokyo.R 112
bob3bob3
0
270
Goのエラースタックトレースの歴史と今後
sonatard
9
1.7k
TCAとKMPを用いた新規動画配信アプリ 「ABEMA Live」の設計
tomu28
2
120
CA.swift19 恋するAIアプリ開発の裏側
oskmr
0
380
Going beyond Apache Parquet's default settings
xhochy
0
120
Site Reliability Engineering for GMO
pyama86
8
1.1k
FigmaとPHPで作る1ミリたりとも表示崩れしない最強の帳票印刷ソリューション
ttskch
43
19k
AWS CDKコントリビュートTIPS / aws-cdk-contribution-tips
gotok365
3
310
障害対応を起点としたもっといい開発と運用のサイクル作りのためにできること / Hatena Enginner Seminar #29
polamjag
0
310
AmperとFleetを使ったAndroidアプリ
yoppie
0
240
初心者のためのRubyKaigi入門/RubyKaigi Introduction
a_matsuda
8
1.3k

Featured

See All Featured
A designer walks into a library…
pauljervisheath
201
23k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
275
13k
Happy Clients
brianwarren
92
6.4k
It's Worth the Effort
3n
180
27k
Typedesign – Prime Four
hannesfritz
36
2.1k
Practical Orchestrator
shlominoach
183
9.7k
Bootstrapping a Software Product
garrettdimon
PRO
302
110k
BBQ
matthewcrist
80
8.8k
Building Flexible Design Systems
yeseniaperezcruz
320
37k
Infographics Made Easy
chrislema
238
18k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
6
1.3k
Intergalactic Javascript Robots from Outer Space
tanoku
266
26k

Transcript

  1. JWTs for API Authorization THE PROPER WAY TO USE ON

    THE WEB @adamlbarrett BigAB
  2. None
  3. None
  4. None

  5. OKAY, SO LET’S TALK ABOUT JSON-WEB TOKENS (JWT)

  6. JSON-WEB-TOKENS FUD ▸ Fear ▸ Uncertainty ▸ Doubt

  7. WHAT ARE THEY? JSON WEB TOKENS

  8. JSON WEB TOKENS HEADER . PAYLOAD . SIGNATURE

  9. JWTs

  10. JWTs

  11. WHAT ELSE COULD YOU USE JWTs for?

  12. VS

  13. AUTHORIZATION: BEARER <TOKEN> COOKIE: SESSION=<SESSIONID>;

  14. WHERE TO STORE? JWTs

  15. None
  16. None

  17. JSON WEB TOKENS LOCALSTORAGE

  18. None

  19. “THE IDEA IS TO REDUCE THE ATTACK SURFACE. A CODE-SPECIFIC

    ATTACK IS GOING TO DO MORE DAMAGE, EXPLOIT MORE HOLES, ETC. BUT A BLANKET ATTACK CAN LOOP OVER 1000 GENERIC SITES LOCALSTORAGE AND EXTRACT EVERYTHING WITHOUT NEEDING TO WRITE ANY CODE” Luke Oliff from Auth0
  20. None

  21. XSS is the worst… When you keep JWTs in local

    storage
  22. None

  23. JSON WEB TOKENS LOCALSTORAGE ?

  24. JSON WEB TOKENS THE REAL BENEFITS OF JWTs ▸ Stateless

    verification/authorization ▸ Client-side readable

  25. JSON WEB TOKENS THE REAL BENEFITS OF NOT USING COOKIES

    ▸ Cross Domain ▸ No Cross-Site Request Forgery (CSRF)

  26. JSON WEB TOKENS THE REAL CONS ▸ inability to revoke

    a users access without revoking everyones access ▸ Easy to misuse (like localstorage)

  27. JSON WEB TOKENS THE REAL BENEFITS OF SESSION COOKIES ▸

    Better defended from blanket XSS ▸ Ability to revoke access ▸ Battle Hardend Assuming `httpOnly`, `secure`, and `sameSite`

  28. JSON WEB TOKENS THE REAL CONS OF SESSION COOKIES ▸

    vulnerable to CSRF
 (sameSite flag mitigates this) ▸ not cross-domain ▸ Not client-side readable ▸ stateful verification

  29. WHICH OF THOSE BENEFITS SUITES YOUR NEEDS? The real question

    JSON WEB TOKENS

  30. WEB APP TRADITIONAL

  31. WEB APP TRADITIONAL

  32. WEB APP TRADITIONAL

  33. SPA / PWA SINGLE PAGE APPS

  34. SPA / PWA SINGLE PAGE APPS

  35. JSON WEB TOKENS BUT DON’T… Store it in localstorage Re-implement

    sessions Do this yourself

  36. FULL DISCLOSURE Auth0 Ambassador Program

  37. None

  38. BUT WHAT IF YOU HAVE TO…?

  39. Steps to making your SPA or JAMstack app use JWTs

    for authentication the right way ADAM L BARRETT’S

  40. 1.
 HAVE A SEPARATE AUTH SERVICE

  41. 2.
 REDIRECT OUT OF YOUR APP TO THE IDENTITY SERVICE

  42. 3.
 HAVE THE AUTH SERVICE USE SESSIONS

  43. 4.
 GIVE OUT ACCESS TOKENS ON SUCCESSFUL AUTHENTICATION AND AUTHORIZATION

  44. 5.
 KEEP ACCESS TOKENS EXPIRY SHORT

  45. 6.
 USE THE IFRAME SESSION-CHECK TECHNIQUE FOR USER EXPERIENCE

  46. None

  47. THE IFRAME SESSION-CHECK TECHNIQUE WHAT IS…?

  48. JSON WEB TOKENS AN IFRAME FROM YOUR APP TO YOUR

    AUTH SERVICE… PostMessage

  49. BEST OF BOTH WORDS JWTs are not in localstorage, and

    the UX is still good

  50. JSON WEB TOKENS QUICK RECAP ▸ Storing JWTs in localstorage

    is bad ▸ Don’t handle auth yourself, leave it to experts ▸ Only use JWTs if you benefit from ▸ Stateless verification ▸ Client side readability ▸ Recognize and avoid both FUD and Hype

  51. @adamlbarrett BigAB JWTs for API Authorization THE PROPER WAY TO

    USE ON THE WEB Questions?