JSON Web Tokens

DamirSvrtan
September 14, 2016

A presentation about JSON Web Tokens and the pros and cons of using them, with a note on integrating them with Rails.


Transcript

  1. JSON Web Tokens
    DAMIR SVRTAN

  2. 01
    JSON API AUTHENTICATION

  3. CLIENT
    SERVER
    EMAIL=DAMIR@EXAMPLE.COM&PASSWORD=PASS123
    ACCESS_TOKEN=RAND0M$TR1N6

  4. CLIENT
    SERVER
    ARTICLES?ACCESS_TOKEN=RAND0M$TR1N6

  5. 02
    SINGLE ACCESS TOKEN PER
    USER

  6. id | email             | password      | auth_token
     1  | [email protected] | $2a$10$5FkD.. | 23ZS921a
    USERS TABLE

  7. GENERATE A RANDOM AUTH TOKEN
    class User
      # before_create rather than before_save: a before_save callback would
      # rotate the token on every update and log the user out of every client
      before_create :generate_auth_token

      def generate_auth_token
        loop do
          self.auth_token = Devise.friendly_token
          # retry on the (astronomically unlikely) collision with an existing token
          break unless User.exists?(auth_token: auth_token)
        end
      end
    end

  8. PROBLEMS WITH THE SINGLE
    ACCESS TOKEN APPROACH

  9. STORING IT IN PLAIN TEXT

  10. Is it the same as storing passwords in plain text?
    ALMOST.

  11. Passwords
    • when compromised are difficult to change
    • reveal information about people who created them
    • people use them across several services

  12. Authentication Tokens
    • auto-generated, random, unique (not shared
    across multiple services).
    • when compromised can be renewed easily with
    little user inconvenience

  13. NAIVE IMPLEMENTATIONS
    NEVER EXPIRE THEM

  14. 03
    SINGLE HASHED ACCESS
    TOKEN PER USER

  15. NOT STORING IT IN PLAIN
    TEXT

  16. PROBLEMS WITH THE SINGLE
    HASHED ACCESS TOKEN
    APPROACH

  17. BROWSER → SERVER: EMAIL=DAMIR@EXAMPLE.COM&PASSWORD=PASS123
    SERVER → BROWSER: ACCESS_TOKEN=RAND0M$TR1N6
    MOBILE → SERVER: EMAIL=DAMIR@EXAMPLE.COM&PASSWORD=PASS123
    SERVER → MOBILE: ACCESS_TOKEN=ANOTHER-RAND0M$TR1N6

  18. 04
    MULTIPLE HASHED ACCESS
    TOKENS PER USER

  19. MAINTAINING A SEPARATE
    TABLE OF ACCESS TOKENS
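
    Slides 14 to 19 describe hashing the stored token and keeping several per user without showing code. The following is an added example, not from the deck: an in-memory stand-in for an access_tokens table (ACCESS_TOKENS, TOKEN_TTL, issue_token, authenticate and revoke_token are all hypothetical names) that stores only SHA-256 digests, so a dump of the table cannot be replayed against the API, and that lets one device's token be revoked without logging out the others.

```ruby
require 'securerandom'
require 'digest'

# Added example (not from the slides): a stand-in for an access_tokens table.
# Each row stores only SHA-256(token); the raw token is shown to the client once.
# Hypothetical names: ACCESS_TOKENS, TOKEN_TTL, issue_token, authenticate, revoke_token.
ACCESS_TOKENS = [] # rows: { user_id:, token_digest:, device:, expires_at: }

TOKEN_TTL = 30 * 24 * 60 * 60 # 30 days, an assumed policy

def token_digest(raw_token)
  # Tokens carry 256 bits of entropy, so a fast hash is enough here;
  # bcrypt's cost factor exists to protect low-entropy secrets such as passwords.
  Digest::SHA256.hexdigest(raw_token)
end

# Returns the raw token to hand to the client; only its digest is written to the "table".
def issue_token(user_id, device:, now: Time.now)
  raw = SecureRandom.urlsafe_base64(32)
  ACCESS_TOKENS << {
    user_id: user_id,
    token_digest: token_digest(raw),
    device: device,
    expires_at: now + TOKEN_TTL
  }
  raw
end

# Looks up the digest of the presented token. Comparing digests with == is safe:
# a timing leak would reveal the digest, which cannot be presented to the API.
def authenticate(raw_token, now: Time.now)
  return nil if raw_token.nil? || raw_token.empty?
  digest = token_digest(raw_token)
  row = ACCESS_TOKENS.find { |r| r[:token_digest] == digest }
  return nil if row.nil? || row[:expires_at] <= now
  row[:user_id]
end

# Revoking one device's token leaves the user's other tokens valid.
# Returns true if a row was removed.
def revoke_token(raw_token)
  digest = token_digest(raw_token)
  before = ACCESS_TOKENS.size
  ACCESS_TOKENS.reject! { |r| r[:token_digest] == digest }
  ACCESS_TOKENS.size < before
end
```

    With a real database the digest column gets a unique index and the find becomes a single indexed lookup; the shape of the check stays the same.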

  20. THIS IS GETTING TOO
    COMPLICATED…

  21. ROLLING YOUR OWN
    AUTHENTICATION SYSTEM

  22. 01
    WHO ARE WE?

  23. WHY DON’T WE TRY TO DO
    THE SAME THING AS RAILS
    APPS REGULARLY DO?

  24. 05
    RAILS SESSION STORAGE

  25. session[:user_id] = current_user.id

  26. CLIENT
    SERVER
    EMAIL=DAMIR@EXAMPLE.COM&PASSWORD=PASS123
    SET-COOKIE: PRODUCTIVE_SESSION=23OFSKL932RDASDAFSFJ23

  27. User.find(session[:user_id])

  28. STATELESS

  29. WE COULD DO SOMETHING
    SIMILAR…
    …OR FOLLOW AN INDUSTRY
    STANDARD

  30. 06
    JSON WEB TOKENS

  31. JSON Web Tokens are an open,
    industry standard method for
    representing claims securely between
    two parties.

  32. CLIENT
    SERVER
    EMAIL=DAMIR@EXAMPLE.COM&PASSWORD=PASS123
    ACCESS_TOKEN=33WE.DAS3Q.ADAS

  33. TO THE API CONSUMER IT
    CAN LOOK RANDOM…
    BUT IT'S MUCH MORE

  34. IT STORES INFORMATION
    INSIDE OF IT.

  35. (slide image, no transcript)

  36. 07
    JWT STRUCTURE

  37. ABASASD.U93RJADSF.ASASD

  38. HEADER.PAYLOAD.SIGNATURE

  39. {
    "typ": "JWT",
    "alg": "HS256"
    }
    HEADER

  40. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
    BASE64URL ENCODED HEADER (RFC 4648 URL-SAFE ALPHABET, NO PADDING)

  41. {
    "iss": "infinum.co",
    "exp": 1300819380,
    "name": "Kolega Frend",
    "user_id": 231
    }
    BODY

  42. iss: the issuer of the token
    sub: the subject of the token (typically the user it was issued to)
    aud: the audience the token is intended for; a verifier that is not in it must reject the token
    exp: the expiration time as a NumericDate (seconds since the Unix epoch); the token MUST NOT be accepted on or after this time
    nbf: the time before which the JWT MUST NOT be accepted for processing
    iat: the time the JWT was issued; can be used to determine the age of the JWT
    BODY CLAIMS (RFC 7519 REGISTERED CLAIMS)

  43. eyJpc3MiOiJzY290Y2guaW8iLCJleHAiOjE
    BASE64URL ENCODED BODY (TRUNCATED)

  44. require 'base64'
    require 'openssl'
    # header and payload are the JSON strings from slides 39 and 41.
    # JWT uses base64url without padding (RFC 7515), not Base64.encode64,
    # which adds "=" padding and newlines.
    encoded_string = Base64.urlsafe_encode64(header, padding: false) + "." +
                     Base64.urlsafe_encode64(payload, padding: false)
    # the signature is the raw HMAC-SHA256 digest, base64url-encoded, not a hex string
    signature = Base64.urlsafe_encode64(
      OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'),
                           Rails.application.secrets.secret_key_base,
                           encoded_string),
      padding: false
    )
    GENERATE A SIGNATURE

  45. SIGNATURE (ILLUSTRATIVE; A REAL HS256 SIGNATURE IS 32 BYTES, 43 BASE64URL CHARACTERS)
    03f329983b86f7d9a9f5fef85305880101d

  46. JSON WEB TOKEN
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
    eyJpc3MiOiJzY290Y2guaW8iLCJleHAiOjE.
    03f329983b86f7d9a9f5fef85305880101d
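
    Slides 37 to 46 show the three parts and the signature computation. The following is an added example, not the deck's code: a complete HS256 issuer and verifier in plain Ruby with no gem, which also enforces the exp, nbf, iss and aud claims from slide 42. SECRET is a constructed value; jwt_encode, jwt_peek, jwt_decode, jwt_error_for and JWTError are hypothetical names.

```ruby
require 'base64'
require 'json'
require 'openssl'

# Added example, not code from the slides: a minimal HS256 JWT issuer and
# verifier built from the HEADER.PAYLOAD.SIGNATURE layout.
# Hypothetical names: SECRET, jwt_encode, jwt_peek, jwt_decode, jwt_error_for, JWTError.
SECRET = 'constructed-demo-secret-use-a-random-256-bit-key-in-production'

class JWTError < StandardError; end

# RFC 7515 uses base64url *without* padding ("=" is not URL-safe).
def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str)
end

def hs256(signing_input, secret)
  OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), secret, signing_input)
end

# Constant-time comparison so the verifier does not leak the valid
# signature byte by byte through timing differences.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def jwt_encode(payload, secret)
  header = { 'alg' => 'HS256', 'typ' => 'JWT' }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  "#{signing_input}.#{b64url(hs256(signing_input, secret))}"
end

# The payload is only encoded, not encrypted: anyone holding the token can
# read it without the secret. Never base an authorisation decision on this.
def jwt_peek(token)
  JSON.parse(b64url_decode(token.split('.', -1)[1].to_s))
end

# Verifies the signature and the registered time/issuer/audience claims.
# `now` and `leeway` are in seconds since the epoch, as NumericDate requires.
def jwt_decode(token, secret, issuer: nil, audience: nil, now: Time.now.to_i, leeway: 0)
  parts = token.split('.', -1)
  raise JWTError, 'malformed token' unless parts.size == 3
  header_b64, payload_b64, sig_b64 = parts

  header = JSON.parse(b64url_decode(header_b64))
  # Pin the algorithm: the header is attacker-controlled, so "none" or any
  # other algorithm must be rejected before the signature is even looked at.
  raise JWTError, "unsupported alg #{header['alg'].inspect}" unless header['alg'] == 'HS256'

  expected = hs256("#{header_b64}.#{payload_b64}", secret)
  raise JWTError, 'bad signature' unless secure_equal?(b64url_decode(sig_b64), expected)

  payload = JSON.parse(b64url_decode(payload_b64))
  raise JWTError, 'token expired' if payload.key?('exp') && now >= payload['exp'] + leeway
  raise JWTError, 'token not yet valid' if payload.key?('nbf') && now < payload['nbf'] - leeway
  raise JWTError, 'wrong issuer' if issuer && payload['iss'] != issuer
  raise JWTError, 'wrong audience' if audience && !Array(payload['aud']).include?(audience)
  payload
rescue ArgumentError, JSON::ParserError => e
  raise JWTError, "undecodable token (#{e.class})"
end

# Convenience for callers that want a reason string instead of an exception.
def jwt_error_for(token, secret, **opts)
  jwt_decode(token, secret, **opts)
  nil
rescue JWTError => e
  e.message
end
```

    Two checks matter beyond the arithmetic: the verifier pins alg to HS256 before touching the signature (accepting "none", or switching algorithm because the token asks for it, lets anyone mint tokens), and the signature comparison is constant-time. jwt_peek is there to make a later point concrete: the payload is readable by whoever holds the token.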

  47. THEY CARRY INFORMATION
    INSIDE OF THEMSELVES JUST
    LIKE RAILS SESSIONS DO

  48. 08
    JWT AND RAILS SESSION
    DIFFERENCES

  49. RAILS SESSIONS ARE
    ENCRYPTED (AND SIGNED)
    JWTs ARE ONLY SIGNED

  50. RAILS SESSIONS CAN'T BE
    READ ON THE CLIENT SIDE
    JWTs CAN BE READ ON THE
    CLIENT SIDE

  51. SECRET INFORMATION IN
    JWTs MUST BE EXPLICITLY
    ENCRYPTED

  52. 09
    JWT ADVANTAGES

  53. SHARE DATA WITH THE CLIENT
    APP THAT IT CAN READ BUT NOT TAMPER WITH

  54. NOT REINVENTING THE
    WHEEL - USING AN
    INDUSTRY STANDARD.

  55. PERSISTENCE LAYER
    AGNOSTIC - SINCE YOU
    DON’T PERSIST IT!
    ACTIVERECORD/SEQUEL/MONGODB/NEO4J

  56. TIME-BASED EXPIRATION VIA
    THE exp CLAIM (ENFORCED BY THE VERIFIER)

  57. NO SESSION LOOKUP

  58. SINGLE-SIGN-ON ACROSS
    MULTIPLE APPLICATIONS
    WITH UUIDS

  59. MACHINE-TO-MACHINE
    INFORMATION SHARING

  60. 09
    JWT DISADVANTAGES

  61. NO SERVER-SIDE LOGOUT: A SIGNED
    TOKEN STAYS VALID UNTIL IT EXPIRES

  62. HARDER TOKEN REVOCATION

  63. 10
    JWT REVOCATION

  64. FLAG A USER AS DISABLED

  65. DISABLE TOKENS WITH AN
    IAT CLAIM OLDER THAN
    14.09.2016

  66. INSERT THE USER'S PASSWORD
    HASH INTO THE PAYLOAD, SO A
    PASSWORD CHANGE INVALIDATES OLD TOKENS
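
    The three strategies on slides 64 to 66, as an added example rather than the deck's code, applied to a payload whose signature has already been verified. USERS is a constructed stand-in for the users table; TOKENS_INVALID_BEFORE, password_version, revocation_claims and revocation_reason are hypothetical names. One deliberate deviation from slide 66: the payload carries a short SHA-256 digest of the password hash rather than the bcrypt hash itself, because a JWT payload is readable by the client.

```ruby
require 'digest'

# Added example (not from the slides): the three revocation checks from the
# deck, run against an already signature-verified JWT payload.
# Hypothetical names: USERS, TOKENS_INVALID_BEFORE, password_version,
# revocation_claims, revocation_reason. USERS is a constructed users table.
USERS = {
  231 => {
    disabled: false,
    password_digest: '$2a$10$5FkD.constructed.bcrypt.digest.for.the.example'
  }
}

# Strategy 2 (slide 65): a global cut-off, e.g. after a secret rotation or a
# breach. 14.09.2016 00:00 UTC, the date on the slide, as a NumericDate.
TOKENS_INVALID_BEFORE = 1_473_811_200

# Strategy 3 (slide 66): bind the token to the current password. The bcrypt
# digest itself must not go into the payload (the client can read it), so a
# short derived value is used; it changes whenever the password does.
def password_version(password_digest)
  Digest::SHA256.hexdigest(password_digest)[0, 16]
end

# Claims added at login so the checks below have something to compare against.
def revocation_claims(user_id, now:)
  user = USERS.fetch(user_id)
  { 'user_id' => user_id, 'iat' => now, 'pwd_v' => password_version(user[:password_digest]) }
end

# Returns nil if the token is still acceptable, otherwise the reason it is revoked.
def revocation_reason(payload)
  user = USERS[payload['user_id']]
  return 'unknown user' if user.nil?
  # Strategy 1 (slide 64): a per-user kill switch.
  return 'user disabled' if user[:disabled]
  # Strategy 2: everything issued before the cut-off is dead, whoever it belongs to.
  return 'issued before cut-off' if payload['iat'].nil? || payload['iat'] < TOKENS_INVALID_BEFORE
  # Strategy 3: the password changed since the token was issued.
  return 'password changed' if payload['pwd_v'] != password_version(user[:password_digest])
  nil
end
```

    Only the cut-off date check is stateless. The disabled flag and the password check both need the user row on every request, which gives up the "no session lookup" advantage from slide 57; that trade-off is the real cost of revocation with JWTs.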

  67. 10
    STORING TOKENS ON THE
    FRONTEND

  68. LOCALSTORAGE
    READABLE BY ANY SCRIPT ON THE PAGE: XSS STEALS THE TOKEN

  69. COOKIES
    XSS (document.cookie) + CSRF (SENT AUTOMATICALLY)

  70. (slide image, no transcript)

  71. HTTP ONLY COOKIE
    XSS CAN'T READ IT, BUT CSRF REMAINS
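
    As an added example (not from the deck), the HttpOnly cookie option from slide 71 together with the CSRF check it still needs. jwt_cookie, csrf_safe? and SAFE_METHODS are hypothetical names and access_token is an assumed cookie name.

```ruby
require 'uri'

# Added example (not from the slides): cookie attributes for a JWT plus an
# Origin-based CSRF check. Hypothetical names: SAFE_METHODS, jwt_cookie, csrf_safe?.
SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

# HttpOnly keeps the token out of document.cookie (XSS can still make requests
# with it, but cannot exfiltrate it); Secure keeps it off plain HTTP;
# SameSite=Strict stops the browser attaching it to cross-site requests,
# which is the CSRF mitigation the HttpOnly-only option on the slide lacks.
def jwt_cookie(token, max_age: 3600)
  raise ArgumentError, 'token must be a JWT (three dot-separated parts)' unless token.count('.') == 2
  "access_token=#{token}; Path=/; Max-Age=#{max_age}; HttpOnly; Secure; SameSite=Strict"
end

# Defence in depth for browsers that ignore SameSite: a state-changing request
# must carry an Origin (or, failing that, Referer) header matching our own site.
def csrf_safe?(method, headers, site_origin)
  return true if SAFE_METHODS.include?(method.upcase)
  origin = headers['Origin'] || headers['Referer']
  return false if origin.nil?
  uri = URI.parse(origin)
  site = URI.parse(site_origin)
  uri.scheme == site.scheme && uri.host == site.host && uri.port == site.port
rescue URI::InvalidURIError
  false
end
```

    SameSite=Strict means the cookie is never sent on cross-site navigations, so if the API and the front end live on different sites you would need Lax or a token-in-header scheme instead; the Origin check is the fallback for clients that do not honour SameSite.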

  72. 11
    RAILS IMPLEMENTATIONS

  73. (slide image, no transcript)

  74. 12
    DEBUG JSON WEB TOKENS

  75. (slide image, no transcript)