Upgrade to Pro — share decks privately, control downloads, hide ads and more …

JSON Web Tokens

DamirSvrtan
September 14, 2016
Programming
0
190

JSON Web Tokens

A presentation about JSON Web Tokens and all the pros and cons of using them. Also a note on integrating it with Rails.

DamirSvrtan

September 14, 2016
Tweet

More Decks by DamirSvrtan

See All by DamirSvrtan
Designing APIs: Less Data is More
damirsvrtan
1
450
Crossing Domain Boundaries with GraphQL
damirsvrtan
0
140
Surrounded by Microservices
damirsvrtan
2
5.2k
Building Serverless Ruby Bots @ Ruby Conf 2018
damirsvrtan
0
400
Building Serverless Ruby Bots @ Paris.rb Conf 2018
damirsvrtan
1
2.2k
Importing and serving millions of records
damirsvrtan
1
150
Stateless authentication w/ JSON Web Tokens
damirsvrtan
5
300
Building Ruby Bots on AWS Lambda
damirsvrtan
0
1.1k
Reinventing The Bootcamp Idea
damirsvrtan
0
180

Other Decks in Programming

See All in Programming
Vibe Coding の話をしよう
schroneko
8
2.3k
Module Boundaries and Architecture with Forensic Analysis @NxSummit Amsterdam 2025
manfredsteyer
PRO
0
100
メモリウォールを超えて:キャッシュメモリ技術の進歩
kawayu
0
1.9k
小田原でみんなで一句詠みたいな #phpcon_odawara
stefafafan
0
340
「”誤った使い方をすることが困難”な設計」で良いコードの基礎を固めよう / phpcon-odawara-2025
taniguhey
0
160
Deoptimization: How YJIT Speeds Up Ruby by Slowing Down / RubyKaigi 2025
k0kubun
0
860
サービスクラスのありがたみを発見したときの思い出 #phpcon_odawara
77web
4
680
「理解」を重視したAI活用開発
fast_doctor
0
120
Enterprise Web App. Development (1): Build Tool Training Ver. 5
knakagawa
1
120
Defying Front-End Inertia: Inertia.js on Rails
skryukov
0
490
SwiftUI API Design Lessons
niw
1
290
AWSで雰囲気でつくる! VRChatの写真変換ピタゴラスイッチ
anatofuz
0
160

Featured

See All Featured
Rails Girls Zürich Keynote
gr2m
94
13k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
13
680
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
129
19k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
31
1.1k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
13
1.4k
Why You Should Never Use an ORM
jnunemaker
PRO
55
9.3k
Scaling GitHub
holman
459
140k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
5
520
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
52
2.4k
Statistics for Hackers
jakevdp
798
220k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k

Transcript

  1. JSON Web Tokens DAMIR SVRTAN

  2. 01 JSON API AUTHENTICATION

  3. CLIENT SERVER [email protected]&PASSWORD=PASS123 ACCESS_TOKEN=RAND0M$TR1N6

  4. CLIENT SERVER ARTICLES?ACCESS_TOKEN=RAND0M$TR1N6

  5. 02 SINGLE ACCESS TOKEN PER USER

  6. id email password auth_token 1 [email protected] $2a$10$5FkD.. 23ZS921a USERS TABLE

  7. GENERATE A RANDOM AUTH TOKEN class User before_save :generate_auth_token def

    generate_auth_token loop do self.auth_token = Devise.friendly_token break if User.find_by_auth_token(auth_token).nil? end end end

  8. PROBLEMS WITH THE SINGLE ACCESS TOKEN APPROACH

  9. STORING IT IN PLAIN TEXT

  10. Is it the same as storing passwords in plain text?

    ALMOST.

  11. Passwords • when compromised are difficult to change • reveal

    information about people who created them • people use them across several services

  12. Authentication Tokens • auto-generated, random, unique (not shared across multiple

    services). • when compromised can be renewed easily with little user inconvenience

  13. NAIVE IMPLEMENTATIONS NEVER EXPIRE THEM

  14. 03 SINGLE HASHED ACCESS TOKEN PER USER

  15. NOT STORING IT IN PLAIN TEXT

  16. PROBLEMS WITH THE SINGLE HASHED ACCESS TOKEN APPROACH

  17. BROWSER SERVER EM AIL=DAM IR@ EXAM PLE.COM &PASSW ORD=PASS123 ACCESS_TOKEN=RAND0M

    $TR1N6 EM AIL=DAM IR@ EXAM PLE.COM &PASSW ORD=PASS123 MOBILE ACCESS_TOKEN=ANOTHER-RAND0M $TR1N6

  18. 04 MULTIPLE HASHED ACCESS TOKENS PER USER

  19. MAINTAINING A SEPARATE TABLE OF ACCESS TOKENS

  20. COMPLICATING TOO MUCH..

  21. ROLLING YOUR OWN AUTHENTICATION SYSTEM

  22. 01 WHO ARE WE?

  23. WHY DON’T WE TRY TO DO THE SAME THING AS

    RAILS APPS REGULARLY DO?

  24. 05 RAILS SESSION STORAGE

  25. session[:user_id] = current_user.id

  26. CLIENT SERVER [email protected]&PASSWORD=PASS123 SET-COOKIE: PRODUCTIVE_SESSION=23OFSKL932RDASDAFSFJ23

  27. User.find(session[:user_id])

  28. STATELESS

  29. WE COULD DO SOMETHING SIMILAR… …OR FOLLOW AN INDUSTRY STANDARD

  30. 06 JSON WEB TOKENS

  31. JSON Web Tokens are an open, industry standard method for

    representing claims securely between two parties.

  32. CLIENT SERVER [email protected]&PASSWORD=PASS123 ACCESS_TOKEN=33WE.DAS3Q.ADAS

  33. TO THE API CONSUMER IT CAN LOOK RANDOM.. BUT IT’S

    MUCH MORE

  34. IT STORES INFORMATION INSIDE OF IT.

  35. None

  36. 07 JWT STRUCTURE

  37. ABASASD.U93RJADSF.ASASD

  38. HEADER.PAYLOAD.SIGNATURE

  39. { "typ": "JWT", "alg": "HS256" } HEADER

  40. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 BASE64 ENCODED HEADER

  41. { "iss": "infinum.co", "exp": 1300819380, "name": "Kolega Frend", "user_id": 231

    } BODY

  42. iss: The issuer of the token sub: The subject of

    the token aud: The audience of the token exp: This will define the expiration in NumericDate value. nbf: Defines the time before which the JWT MUST NOT be accepted for processing iat: The time the JWT was issued. Can be used to determine the age of the JWT BODY CLAIMS

  43. eyJpc3MiOiJzY290Y2guaW8iLCJleHAiOjE BASE64 ENCODED BODY

  44. encoded_string = Base64.encode64(header) + "." + Base64.encode64(payload); OpenSSL::HMAC.hexdigest( OpenSSL::Digest.new(‘sha256'), Rails.application.secrets.secret_key_base,

    encoded_string ) GENERATE A SIGNATURE

  45. SIGNATURE 03f329983b86f7d9a9f5fef85305880101d

  46. JSON WEB TOKEN eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJpc3MiOiJzY290Y2guaW8iLCJleHAiOjE. 03f329983b86f7d9a9f5fef85305880101d

  47. THEY CARRY INFORMATION INSIDE OF THEMSELVES JUST LIKE RAILS SESSIONS

    DO

  48. 08 JWT AND RAILS SESSION DIFFERENCES

  49. RAILS SESSIONS ARE ENCRYPTED JWT’S ARE SIGNED

  50. RAILS SESSIONS CAN’T BE READ ON THE CLIENT SIDE JWT’S

    CAN BE READ ON THE CLIENT SIDE

  51. SECRET INFORMATION IN JWT’S MUST BE EXPLICITLY ENCRYPTED

  52. 09 JWT ADVANTAGES

  53. SAFELY SHARE DATA WITH THE CLIENT APP

  54. NOT REINVENTING THE WHEEL - USING AN INDUSTRY STANDARD.

  55. PERSISTENCE LAYER AGNOSTIC - SINCE YOU DON’T PERSIST IT! ACTIVERECORD/SEQUEL/MONGODB/NEO4J

  56. AUTOMATIC TIME-BASED EXPIRATION HANDLING

  57. NO SESSION LOOKUP

  58. SINGLE-SIGN-ON ACROSS MULTIPLE APPLICATIONS WITH UUIDS

  59. MACHINE-TO-MACHINE INFORMATION SHARING

  60. 09 JWT DISADVANTAGES

  61. NO LOGOUTS

  62. HARDER TOKEN REVOCATION

  63. 10 JWT REVOCATION

  64. FLAG A USER AS DISABLED

  65. DISABLE TOKENS WITH AN IAT CLAIM OLDER THAN 14.09.2016

  66. INSERT AN USERS ENCRYPTED PASSWORD HASH INTO THE PAYLOAD

  67. 10 STORING TOKENS ON THE FRONTEND

  68. LOCALSTORAGE XSS

  69. COOKIES XSS + CSRF

  70. None

  71. HTTP ONLY COOKIE CSRF

  72. 11 RAILS IMPLEMENTATIONS

  73. None

  74. 12 DEBUG JSON WEB TOKENS

  75. None