Upgrade to Pro — share decks privately, control downloads, hide ads and more …

JSON Web Tokens

DamirSvrtan
September 14, 2016
Programming
0
160

JSON Web Tokens

A presentation about JSON Web Tokens and all the pros and cons of using them. Also a note on integrating it with Rails.

DamirSvrtan

September 14, 2016
Tweet

More Decks by DamirSvrtan

See All by DamirSvrtan
Designing APIs: Less Data is More
damirsvrtan
1
400
Crossing Domain Boundaries with GraphQL
damirsvrtan
0
94
Surrounded by Microservices
damirsvrtan
2
4.7k
Building Serverless Ruby Bots @ Ruby Conf 2018
damirsvrtan
0
240
Building Serverless Ruby Bots @ Paris.rb Conf 2018
damirsvrtan
1
1.7k
Importing and serving millions of records
damirsvrtan
1
100
Stateless authentication w/ JSON Web Tokens
damirsvrtan
5
250
Building Ruby Bots on AWS Lambda
damirsvrtan
0
880
Reinventing The Bootcamp Idea
damirsvrtan
0
130

Other Decks in Programming

See All in Programming
Node-RED in Industrial IoT
kazuhitoyokoi
0
450
PHP8.2にバージョンアップして もっと型表現を豊かにしよう
akitotsukahara
0
170
WebViewと向き合う
mkeeda
1
160
Rcloneを使った定期的なストレージ同期
yuhta28
0
150
Unleash the Power of Open Source Java Profilers
parttimenerd
0
110
Flutter CustomPaint @Flutter MeetUp(In Songdo) - 박제창
itsmedreamwalker
0
180
理解して導入するWebフレームワーク ~解決すべき課題に着目する~ / Understanding and implementing web frameworks ~focusing on the problems to be solved~
seike460
PRO
3
650
Domain-Driven Design (Tutorial)
hschwentner
13
18k
4 Patterns to Jumpstart your Event-Driven Architecture Journey @ Current 2023, San Jose California
hpgrahsl
0
140
iOSアプリ開発における効果的なUnitTestの戦略とその実装
mot_techtalk
1
200
_アニメーション抜き__MVIに基づくStateMachineアーキテクチャ_KMPとJetpack_ComposeとSwiftUIを組み合わせる.pdf
gmvalentino8
5
660
A sighting of sequence function in Practical FP in Scala
philipschwarz
PRO
0
100

Featured

See All Featured
Building Your Own Lightsaber
phodgson
97
5.2k
Bootstrapping a Software Product
garrettdimon
PRO
299
110k
Pencils Down: Stop Designing & Start Developing
hursman
115
10k
Creatively Recalculating Your Daily Design Routine
revolveconf
208
11k
Building Applications with DynamoDB
mza
87
5.2k
Keith and Marios Guide to Fast Websites
keithpitt
407
21k
Typedesign – Prime Four
hannesfritz
35
1.8k
Large-scale JavaScript Application Architecture
addyosmani
501
110k
The Invisible Customer
myddelton
113
12k
Rebuilding a faster, lazier Slack
samanthasiow
71
7.8k
Documentation Writing (for coders)
carmenintech
55
3.3k
Streamline your AJAX requests with AmplifyJS and jQuery
dougneiner
130
9k

Transcript

  1. JSON Web Tokens
    DAMIR SVRTAN

    View Slide

  2. 01
    JSON API AUTHENTICATION

    View Slide

  3. CLIENT
    SERVER
    [email protected]&PASSWORD=PASS123
    ACCESS_TOKEN=RAND0M$TR1N6

    View Slide

  4. CLIENT
    SERVER
    ARTICLES?ACCESS_TOKEN=RAND0M$TR1N6

    View Slide

  5. 02
    SINGLE ACCESS TOKEN PER
    USER

    View Slide

  6. id email password auth_token
    1 [email protected] $2a$10$5FkD.. 23ZS921a
    USERS TABLE

    View Slide

  7. GENERATE A RANDOM AUTH TOKEN
    class User
    before_save :generate_auth_token
    def generate_auth_token
    loop do
    self.auth_token = Devise.friendly_token
    break if User.find_by_auth_token(auth_token).nil?
    end
    end
    end

    View Slide

  8. PROBLEMS WITH THE SINGLE
    ACCESS TOKEN APPROACH

    View Slide

  9. STORING IT IN PLAIN TEXT

    View Slide

  10. Is it the same as storing passwords in plain text?
    ALMOST.

    View Slide

  11. Passwords
    • when compromised are difficult to change
    • reveal information about people who created them
    • people use them across several services

    View Slide

  12. Authentication Tokens
    • auto-generated, random, unique (not shared
    across multiple services).
    • when compromised can be renewed easily with
    little user inconvenience

    View Slide

  13. NAIVE IMPLEMENTATIONS
    NEVER EXPIRE THEM

    View Slide

  14. 03
    SINGLE HASHED ACCESS
    TOKEN PER USER

    View Slide

  15. NOT STORING IT IN PLAIN
    TEXT

    View Slide

  16. PROBLEMS WITH THE SINGLE
    HASHED ACCESS TOKEN
    APPROACH

    View Slide

  17. BROWSER
    SERVER
    EM
    AIL=DAM
    IR@
    EXAM
    PLE.COM
    &PASSW
    ORD=PASS123
    ACCESS_TOKEN=RAND0M
    $TR1N6
    EM
    AIL=DAM
    IR@
    EXAM
    PLE.COM
    &PASSW
    ORD=PASS123
    MOBILE
    ACCESS_TOKEN=ANOTHER-RAND0M
    $TR1N6

    View Slide

  18. 04
    MULTIPLE HASHED ACCESS
    TOKENS PER USER

    View Slide

  19. MAINTAINING A SEPARATE
    TABLE OF ACCESS TOKENS

    View Slide

  20. COMPLICATING TOO
    MUCH..

    View Slide

  21. ROLLING YOUR OWN
    AUTHENTICATION SYSTEM

    View Slide

  22. 01
    WHO ARE WE?

    View Slide

  23. WHY DON’T WE TRY TO DO
    THE SAME THING AS RAILS
    APPS REGULARLY DO?

    View Slide

  24. 05
    RAILS SESSION STORAGE

    View Slide

  25. session[:user_id] = current_user.id

    View Slide

  26. CLIENT
    SERVER
    [email protected]&PASSWORD=PASS123
    SET-COOKIE: PRODUCTIVE_SESSION=23OFSKL932RDASDAFSFJ23

    View Slide

  27. User.find(session[:user_id])

    View Slide

  28. STATELESS

    View Slide

  29. WE COULD DO SOMETHING
    SIMILAR…
    …OR FOLLOW AN INDUSTRY
    STANDARD

    View Slide

  30. 06
    JSON WEB TOKENS

    View Slide

  31. JSON Web Tokens are an open,
    industry standard method for
    representing claims securely between
    two parties.

    View Slide

  32. CLIENT
    SERVER
    [email protected]&PASSWORD=PASS123
    ACCESS_TOKEN=33WE.DAS3Q.ADAS

    View Slide

  33. TO THE API CONSUMER IT
    CAN LOOK RANDOM..
    BUT IT’S MUCH MORE

    View Slide

  34. IT STORES INFORMATION
    INSIDE OF IT.

    View Slide

  35. View Slide

  36. 07
    JWT STRUCTURE

    View Slide

  37. ABASASD.U93RJADSF.ASASD

    View Slide

  38. HEADER.PAYLOAD.SIGNATURE

    View Slide

  39. {
    "typ": "JWT",
    "alg": "HS256"
    }
    HEADER

    View Slide

  40. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
    BASE64 ENCODED HEADER

    View Slide

  41. {
    "iss": "infinum.co",
    "exp": 1300819380,
    "name": "Kolega Frend",
    "user_id": 231
    }
    BODY

    View Slide

  42. iss: The issuer of the token
    sub: The subject of the token
    aud: The audience of the token
    exp: This will define the expiration in NumericDate
    value.
    nbf: Defines the time before which the JWT MUST NOT be
    accepted for processing
    iat: The time the JWT was issued. Can be used to
    determine the age of the JWT
    BODY CLAIMS

    View Slide

  43. eyJpc3MiOiJzY290Y2guaW8iLCJleHAiOjE
    BASE64 ENCODED BODY

    View Slide

  44. encoded_string = Base64.encode64(header) + "." + Base64.encode64(payload);
    OpenSSL::HMAC.hexdigest(
    OpenSSL::Digest.new(‘sha256'),
    Rails.application.secrets.secret_key_base,
    encoded_string
    )
    GENERATE A SIGNATURE

    View Slide

  45. SIGNATURE
    03f329983b86f7d9a9f5fef85305880101d

    View Slide

  46. JSON WEB TOKEN
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
    eyJpc3MiOiJzY290Y2guaW8iLCJleHAiOjE.
    03f329983b86f7d9a9f5fef85305880101d

    View Slide

  47. THEY CARRY INFORMATION
    INSIDE OF THEMSELVES JUST
    LIKE RAILS SESSIONS DO

    View Slide

  48. 08
    JWT AND RAILS SESSION
    DIFFERENCES

    View Slide

  49. RAILS SESSIONS ARE
    ENCRYPTED
    JWT’S ARE SIGNED

    View Slide

  50. RAILS SESSIONS CAN’T BE
    READ ON THE CLIENT SIDE
    JWT’S CAN BE READ ON THE
    CLIENT SIDE

    View Slide

  51. SECRET INFORMATION IN
    JWT’S MUST BE EXPLICITLY
    ENCRYPTED

    View Slide

  52. 09
    JWT ADVANTAGES

    View Slide

  53. SAFELY SHARE DATA WITH
    THE CLIENT APP

    View Slide

  54. NOT REINVENTING THE
    WHEEL - USING AN
    INDUSTRY STANDARD.

    View Slide

  55. PERSISTENCE LAYER
    AGNOSTIC - SINCE YOU
    DON’T PERSIST IT!
    ACTIVERECORD/SEQUEL/MONGODB/NEO4J

    View Slide

  56. AUTOMATIC TIME-BASED
    EXPIRATION HANDLING

    View Slide

  57. NO SESSION LOOKUP

    View Slide

  58. SINGLE-SIGN-ON ACROSS
    MULTIPLE APPLICATIONS
    WITH UUIDS

    View Slide

  59. MACHINE-TO-MACHINE
    INFORMATION SHARING

    View Slide

  60. 09
    JWT DISADVANTAGES

    View Slide

  61. NO LOGOUTS

    View Slide

  62. HARDER TOKEN REVOCATION

    View Slide

  63. 10
    JWT REVOCATION

    View Slide

  64. FLAG A USER AS DISABLED

    View Slide

  65. DISABLE TOKENS WITH AN
    IAT CLAIM OLDER THAN
    14.09.2016

    View Slide

  66. INSERT AN USERS
    ENCRYPTED PASSWORD HASH
    INTO THE PAYLOAD

    View Slide

  67. 10
    STORING TOKENS ON THE
    FRONTEND

    View Slide

  68. LOCALSTORAGE
    XSS

    View Slide

  69. COOKIES
    XSS + CSRF

    View Slide

  70. View Slide

  71. HTTP ONLY COOKIE
    CSRF

    View Slide

  72. 11
    RAILS IMPLEMENTATIONS

    View Slide

  73. View Slide

  74. 12
    DEBUG JSON WEB TOKENS

    View Slide

  75. View Slide