Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hide Your Keys

Mathias Biilmann
May 13, 2017
Programming
0
220

Hide Your Keys

APIs and microservices open up an ever-expanding world of possibilities for JavaScript-driven interactivity and dynamic content. However, a question that’s often asked and rarely answered is, if all of your code is in the browser, where do you hide your secret API keys? This talk will cover strategies for this and for user authentication that rely on JSON Web Tokens and tiny APIs rather than a monolithic app server.

Mathias Biilmann

May 13, 2017
Tweet

More Decks by Mathias Biilmann

See All by Mathias Biilmann
React and the JAMstack - Reactathon Fundamentals 2018
biilmann
1
490
The JAMstack - Smashing Conf Freiburg 2017
biilmann
1
640
Rise of the JAMstack
biilmann
0
510
The JAM Stack
biilmann
21
10k
New Stack Lunch Presentation
biilmann
1
350
Comparing static site generators and how to onboard from a dynamic workflow
biilmann
3
1.7k

Other Decks in Programming

See All in Programming
KustoクエリのChatGPT Plugin!
tomokusaba
0
300
認知負荷で考えるフロントエンドの組織体制
shibe23
0
620
Astro 3.0入門
nozaki
0
200
Chatwork プロダクト本部 紹介資料(エンジニア向け)
chatwork_hr
1
2.6k
理解して導入するWebフレームワーク ~解決すべき課題に着目する~ / Understanding and implementing web frameworks ~focusing on the problems to be solved~
seike460
PRO
3
590
Kubernetesソースコードリーディング入門
bells17
15
2.9k
第4回 AWSとGitHub勉強会 - GitHub Actionsを使ったCD環境の構築 -
ogiwarat
0
130
Twillio SDKをFlutterアプリに統合した話/twilio-in-flutter
minma_curama
0
120
技術選定の審美眼(2023年版) / Understanding the Spiral of Technologies 2023 edition
twada
PRO
51
16k
Migrating From Spring Boot 2 To Spring Boot 3 - What's Jakarta EE Got To Do with It?
ivargrimstad
0
490
EbitengineでGUIツール作ってみた
aethiopicuschan
0
270
Migrating From Spring Boot 2 To Spring Boot 3 - What's Jakarta EE Got To Do with It?
ivargrimstad
0
460

Featured

See All Featured
Building Effective Engineering Teams - LeadDev
addyosmani
21
950
Into the Great Unknown - MozCon
thekraken
7
600
jQuery: Nuts, Bolts and Bling
dougneiner
57
6.8k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
271
12k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
101
6.4k
Clear Off the Table
cherdarchuk
81
300k
How GitHub (no longer) Works
holman
299
140k
Done Done
chrislema
178
15k
Design by the Numbers
sachag
272
18k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
226
16k
A Modern Web Designer's Workflow
chriscoyier
688
190k
Imperfection Machines: The Place of Print at Facebook
scottboms
257
12k

Transcript

  1. Hide Your Keys
    Matt Biilmann, 2017

    View Slide

  2. Matt Biilmann
    CEO, Netlify

    View Slide

  3. Publishing for the modern web

    View Slide

  4. View Slide

  5. The Evolution of the Web
    Unix Model Legacy Web
    (The site needs to be built
    EVERY time it’s served)
    Modern Web
    ~1970-1997 ~1997-Today Now
    CLIENT
    WEB SERVER
    APP SERVER
    DATABASE
    CLIENT
    SERVER
    CLIENT
    CDN
    SERVICES

    View Slide

  6. Authenticating - Client <-> Server
    Unix Model Legacy Web
    (The site needs to be built
    EVERY time it’s served)
    Modern Web
    ~1970-1997 ~1997-Today Now
    CLIENT
    WEB SERVER
    APP SERVER
    DATABASE
    CLIENT
    SERVER
    CLIENT
    CDN
    SERVICES
    Stateful Protocol

    View Slide

  7. Authenticating - Client <-> Server
    Unix Model Legacy Web
    (The site needs to be built
    EVERY time it’s served)
    Modern Web
    ~1970-1997 ~1997-Today Now
    CLIENT
    WEB SERVER
    APP SERVER
    DATABASE
    CLIENT
    SERVER
    CLIENT
    CDN
    SERVICES
    Client Server
    user/pw
    Session

    View Slide

  8. Authenticating - Web Monolith
    Legacy Web
    (The site needs to be built
    EVERY time it’s served)
    Modern Web
    ~1997-Today Now
    CLIENT
    WEB SERVER
    APP SERVER
    DATABASE
    CLIENT
    CDN
    SERVICES
    HTTP - Stateless Protocol

    View Slide

  9. Authenticating - Web Monolith
    Legacy Web
    (The site needs to be built
    EVERY time it’s served)
    Modern Web
    ~1997-Today Now
    CLIENT
    WEB SERVER
    APP SERVER
    DATABASE
    CLIENT
    CDN
    SERVICES
    Browser Server
    user/pw
    Request (Cookie)
    DB
    User Lookup
    Create Session
    Session ID (Set-Cookie)
    Lookup Session
    Response (HTML)

    View Slide

  10. Authenticating - Micro Services
    t
    Modern Web
    CLIENT
    CDN
    SERVICES
    ?

    View Slide

  11. API Authentication
    GET /api/v1/sites HTTP/1.1
    Host: api.example.com
    Authorization: Bearer abcd1234
    SPA
    BROWSER
    CDN API
    How do we get an access token?

    View Slide

  12. API Authentication
    SPA
    BROWSER
    CDN API
    OAuth2
    Auth flow options:
    Resource Owner Password Credentials
    Implicit Grant
    Authorization Code

    View Slide

  13. OAuth2 - Resource Owner Password
    SPA
    BROWSER
    CDN API
    OAuth2
    POST /token HTTP/1.1
    Host: server.example.com
    Content-Type: application/x-www-form-urlencoded
    grant_type=password&username=johndoe&password=A3ddj3w
    App MUST have a deep trust relationship with API!

    View Slide

  14. OAuth2 - Implicit Grant
    SPA
    BROWSER
    CDN API
    OAuth2
    Trust established via redirect URL
    No need for any API secret

    View Slide

  15. OAuth2 - Implicit Grant
    SPA
    BROWSER
    CDN API
    Redirect to Auth Endpoint
    document.location.href =
    endpoint +
    `client_id=123&` +
    `response_type=token&` +
    `redirect_uri=` + document.location.href
    Auth Endpoint Redirects Back
    https://example.com/#access_token=abcd1234

    View Slide

  16. OAuth2 - Implicit Grant
    SPA
    BROWSER
    CDN API
    Gotchas
    The previous example has a security flaw!
    Should use a “state” query parameter
    Not widely supported by OAuth providers

    View Slide

  17. OAuth2 - Authorization Code
    SPA
    BROWSER
    CDN API
    Redirect to Auth Endpoint
    document.location.href =
    endpoint +
    `client_id=123&` +
    `response_type=code&` +
    `redirect_uri=` + document.location.href
    Auth Endpoint Redirects Back
    https://example.com/?code=SplxlOB

    View Slide

  18. OAuth2 - Authorization Code
    SPA
    BROWSER
    CDN API
    Exchange code for access_token
    POST /token HTTP/1.1
    Host: server.example.com
    Authorization: Basic czZCaGRSa3F0Mz
    grant_type=authorization_code&code=SplxlOB
    Auth Endpoint Returns Access Token

    View Slide

  19. OAuth2 - Authorization Code
    SPA
    BROWSER
    CDN API
    Exchange code for access_token
    POST /token HTTP/1.1
    Host: server.example.com
    Authorization: Basic czZCaGRSa3F0Mz
    grant_type=authorization_code&code=SplxlOB
    Auth Endpoint Returns Access Token
    We need our “Client Secret” to generate this!

    View Slide

  20. OAuth2 - Authorization Code
    SPA
    BROWSER
    CDN API
    Always needs a server side component when
    exchanging the authorization code for an
    access token or refresh token

    View Slide

  21. API Authentication
    SPA
    BROWSER
    CDN API
    Browser Server
    Request (Token)
    DB
    Lookup Session
    Response (JSON)

    View Slide

  22. Authenticating - Micro Services
    t
    Modern Web
    CLIENT
    CDN
    SERVICES
    ?

    View Slide

  23. Authenticating - SPA
    API

    View Slide

  24. Authenticating - JAMstack
    API
    API
    API
    API
    API

    View Slide

  25. Authenticating - JAMstack
    API
    API
    API
    API
    API

    View Slide

  26. Authenticating - JAMstack
    API
    API
    Auth API
    API
    API API
    • Tight Coupling
    • Single Point of Failure
    • Slow Performance

    View Slide

  27. Authenticating - Micro Services
    t
    Modern Web
    CLIENT
    CDN
    SERVICES
    JWT

    View Slide

  28. Authenticating - Micro Services
    t
    Modern Web
    CLIENT
    CDN
    SERVICES
    https://tools.ietf.org/html/rfc7519

    View Slide

  29. Authenticating - JWTs
    t
    Modern Web
    CLIENT
    CDN
    SERVICES
    What is a JWT?
    •A JWT is just string
    •It has 3 parts: header.payload.signature
    •It is signed with a secret and can be verified

    View Slide

  30. Authenticating - Micro Services
    t
    Modern Web
    CLIENT
    CDN
    SERVICES
    What is a JWT? Header
    Payload
    Signature

    View Slide

  31. Authenticating - Micro Services
    t
    Modern Web
    CLIENT
    CDN
    SERVICES

    View Slide

  32. Authenticating - Micro Services
    t
    Modern Web
    CLIENT
    CDN
    SERVICES
    What is a JWT?
    •Token identifies user (“sub” claim)
    •Token can authorize the user (“trust”)
    •Token can include display data

    View Slide

  33. Authenticating - JAMstack
    API
    API
    Auth API
    API
    API API

    View Slide

  34. API
    API
    API
    API
    API
    Auth API
    JWT
    JWT
    JWT
    JW
    T
    JWT
    JW
    T

    View Slide

  35. JWT Authentication
    SPA
    BROWSER
    CDN API
    Browser API
    Request (JWT)
    Response (JSON)
    Verify Signature + Claims

    View Slide

  36. JWT Authentication
    SPA
    BROWSER
    CDN API
    The API is not mine
    and doesn’t support JWTs!

    View Slide

  37. Authenticating - Micro Services
    t
    Modern Web
    CLIENT
    CDN
    SERVICES
    API Gateways
    Kong
    Gotiator
    AWS API Gateway

    View Slide

  38. API Authentication
    SPA
    BROWSER
    CDN API
    Browser Gateway
    Request (JWT)
    API
    Proxy (token)
    Response (JSON)
    Verify Signature +
    Claims

    View Slide

  39. Thank You
    Stateless Authentication + API Gateways +
    MicroServices = a decoupled architecture for the web
    @biilmann · www.netlify.com

    View Slide