
Securing RESTful APIs with JSON Web Tokens (JWTs)


JSON Web Token (JWT) is an open standard that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. It is a common mechanism for securing RESTful web APIs. It grants developers the ability to authenticate and authorize users to access their APIs.
We will focus on sharing the fundamental concepts of web security and a practical way of using JWT for authentication and authorization. We will share how to implement secure RESTful APIs that use JWT and how JWT enhances the security of web applications.

Clifford Ouma

August 20, 2023


Transcript

  1. About XYZ: only registered users are able to access the inventory to see what's on offer; registered users are able to; admins can add books and do a whole load of stuff; administrators get more privilege.
  2. Client/server flow without JWT: the client logs in; the server finds the user ID and role and replies "You are a user of ID 4"; the client accesses the API with "I am a user of ID 4"; the server checks the data for user 4 and returns the authorized data.
  3. The problem: a malicious user changes the ID and role. The client logs in, the server finds the user ID and role and replies "You are a user of ID 4", but the client accesses the API with "I am an admin of ID 5"; the server checks the data for admin 5 and returns the authorized data.
  4. With JWT: the client logs in; the server finds the user ID and role and returns a JWT; the client accesses the API with the JWT; the server decodes the JWT to get the user ID and role and returns the authorized data.
  5. With a modified JWT: the client logs in and receives a JWT; the client modifies the JWT and accesses the API with the modified JWT; verification fails.
  6. Who am I? Clifford Ouma: OSS Community Manager, Open Terms Archive; Frontend Developer, Applantus.
  7. Our mission: we are to help Njoroge implement JSON Web Tokens in his bookstore to be able to authenticate users to see books and authorize admins only to be able to add books.
  8. What we will cover: 01 Understanding JWTs, how JWTs work under the hood; 02 Implementing JWT in a RESTful API, what to take note of when implementing JWTs in a REST API; 03 Simple demo, we'll do a simple demo of the implementation.
  9. Session-based authentication: the user logs in; the server validates and creates a session in the DB; a session ID is sent to the client and saved as a cookie; the session ID is used in subsequent requests and authenticates the user. Token-based authentication: the user logs in; a JWT is generated upon successful login; the JWT is provided to the client and usually stored in local storage; the JWT is sent in the auth header for subsequent requests, is verified and authenticates the user.
  10. What is a JSON Web Token (JWT)? It is an open standard; it is compact and self-contained; it helps in transmission of info as a JSON object; it is digitally signed, hence trusted.
  11. JWT components, XXX.YYY.ZZZ: the header (XXX) contains the token type and the hashing algorithm and is Base64Url-encoded; the payload (YYY) contains the information being transmitted (claims), which can be reserved, public or private claims, and is Base64Url-encoded; the signature (ZZZ) is created from the encoded header and payload, signed with a secret using the algorithm named in the header.
  12. Before implementation: an access token is a JWT that gives access to certain data and is short-lived; a refresh token is a JWT that helps create a new access token upon expiry and is long-lived.
  13. Basic implementation cases, the basic scenarios that need to be catered for: generating a JWT, we need to create a JWT upon login; verifying a JWT, we need to verify and decode the JWT upon user request; confirming authorization, we need to allow or deny access based on authorization; generating a new token upon expiry, we need to generate a new token when the old one expires.
  14. Generating a JWT: we generate both an access token and a refresh token upon successful login.
  15. Verifying a JWT: we verify any JWT and access the payload, which is used for authorization.
  16. Conclusion, why you should consider JWTs: versatile, JWTs can have various purposes (auth, info exchange, etc.); secure and verifiable, they are encrypted and signed by the issuer; self-contained and compact, the JWT contains all the required info needed.