Stateless authentication w/ JSON Web Tokens

DamirSvrtan

October 06, 2017

Transcript

  1. Authentication with
    JSON Web Tokens

  2. 01
    API AUTHENTICATION

  3. CLIENT -> SERVER: EMAIL=DAMIR@EXAMPLE.COM&PASSWORD=PASS123
    SERVER -> CLIENT: AUTH_TOKEN=RAND0M$TR1N6

  4. CLIENT -> SERVER: ARTICLES?AUTH_TOKEN=RAND0M$TR1N6

  5. 02
    SINGLE AUTH TOKEN PER
    USER

  6. USERS TABLE
    id | email             | password_digest | auth_token
    1  | damir@example.com | $2a$10$5FkD..   | 23ZS921a

  7. GENERATE A RANDOM AUTH TOKEN
    class User < ApplicationRecord
      # before_create, not before_save: a before_save callback would mint a new
      # token on every update and silently log the user out of every client.
      before_create :generate_auth_token

      def generate_auth_token
        loop do
          self.auth_token = Devise.friendly_token        # 20-char URL-safe random string
          break unless User.exists?(auth_token: auth_token) # retry on the (unlikely) collision
        end
      end
    end

  8. PROBLEMS WITH THE SINGLE
    AUTH TOKEN APPROACH

  9. NAIVE IMPLEMENTATIONS NEVER EXPIRE THEM

  10. STORING IT IN PLAIN TEXT

  11. ISN’T THAT THE SAME AS
    STORING PASSWORDS IN
    PLAIN TEXT?

  12. PASSWORDS
    • difficult to change
    • used across several services

  13. AUTH TOKENS
    • easy to change
    • auto-generated, random, unique
    • not used across several services

  14. 03
    SINGLE HASHED AUTH TOKEN
    PER USER

  15. NOT STORING IT IN PLAIN
    TEXT

  16. BROWSER -> SERVER: EMAIL=DAMIR@EXAMPLE.COM&PASSWORD=PASS123
    SERVER -> BROWSER: AUTH_TOKEN=RAND0M$TR1N6
    MOBILE -> SERVER:  EMAIL=DAMIR@EXAMPLE.COM&PASSWORD=PASS123
    SERVER -> MOBILE:  AUTH_TOKEN=ANOTHER-RAND0M$TR1N6

  17. 04
    MULTIPLE HASHED AUTH
    TOKENS PER USER

  18. AUTH TOKENS TABLE
    user_id | token_digest
    1       | $2a$10$5FkD..
    2       | $3R$D9S21$..
    1       | $23$2sBPSA..

  19. ERASE TOKENS PERIODICALLY
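
An added example, written for this transcript and not code from the deck, that puts sections 02 to 04 together in plain Ruby: tokens are random, several can exist per user (browser, mobile, ...), the server stores only a digest, and expired rows are purged by a periodic job. It hashes with SHA-256 rather than the bcrypt digests shown in the table, because a token that already carries 256 bits of randomness gains nothing from a slow, salted password hash. `TokenStore`, its 30-day TTL and the in-memory hash standing in for the AUTH TOKENS table are all this example's own assumptions.

```ruby
require "securerandom"
require "openssl"

# Added example (not from the deck): an opaque API-token store that keeps
# only a SHA-256 digest of each token, allows several tokens per user and
# expires them. The in-memory Hash stands in for the AUTH TOKENS table;
# the class, method names and TTL are this example's own assumptions.
class TokenStore
  TOKEN_TTL = 30 * 24 * 60 * 60 # 30 days, an assumed policy

  Record = Struct.new(:user_id, :expires_at)

  # `now` is injectable so expiry can be exercised deterministically.
  def initialize(now: -> { Time.now })
    @by_digest = {} # token_digest => Record
    @now = now
  end

  # Issue a fresh 256-bit random token. The client receives the raw token;
  # the store keeps only its digest, so a leaked table cannot be replayed.
  def issue(user_id)
    token = SecureRandom.urlsafe_base64(32)
    @by_digest[digest(token)] = Record.new(user_id, @now.call + TOKEN_TTL)
    token
  end

  # Returns the user_id for a valid token, or nil. Looking the digest up as a
  # Hash key means no secret is ever compared with a timing-sensitive `==`.
  def authenticate(token)
    key = digest(token)
    rec = @by_digest[key]
    return nil if rec.nil?
    if rec.expires_at <= @now.call
      @by_digest.delete(key) # lazily drop the expired row
      return nil
    end
    rec.user_id
  end

  # Logout from one device: drop just that token. Returns true if it existed.
  def revoke(token)
    !@by_digest.delete(digest(token)).nil?
  end

  # Force-logout everywhere: drop every token belonging to the user.
  def revoke_all(user_id)
    @by_digest.delete_if { |_, rec| rec.user_id == user_id }
    nil
  end

  # "Erase tokens periodically": the job that purges expired rows.
  # Returns how many rows were removed.
  def prune_expired
    now = @now.call
    before = @by_digest.size
    @by_digest.delete_if { |_, rec| rec.expires_at <= now }
    before - @by_digest.size
  end

  def size
    @by_digest.size
  end

  private

  # Plain SHA-256 is enough for a token that is already 256 bits of entropy;
  # bcrypt's cost factor only matters for low-entropy user-chosen passwords.
  def digest(token)
    OpenSSL::Digest::SHA256.hexdigest(token)
  end
end

if $PROGRAM_NAME == __FILE__
  store = TokenStore.new
  browser = store.issue(1)
  mobile = store.issue(1)
  puts "browser token authenticates user #{store.authenticate(browser)}"
  store.revoke(browser)
  puts "after logout on the browser: #{store.authenticate(browser).inspect}, mobile still #{store.authenticate(mobile)}"
end
```

The lookup-by-digest design is what makes revocation cheap: a single-device logout deletes one row, a forced logout deletes every row for the user, and the deck's "erase tokens periodically" is just `prune_expired` on a schedule.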

  20. STORE TOKENS NOWHERE
    WHAT IF WE DIDN'T STORE THEM ANYWHERE?

  21. LET’S DO
    SOMETHING
    SIMILAR TO RAILS
    SESSIONS!

  22. 05
    RAILS SESSION STORAGE

  23. CLIENT -> SERVER: EMAIL=DAMIR@EXAMPLE.COM&PASSWORD=PASS123
    SERVER -> CLIENT: SET-COOKIE: APP_SESSION=23OFSKL932RDASDAFSFJ23

  24. session[:user_id] = current_user.id

  25. sign(encrypt(hash))

  26. CLIENT -> SERVER: APP_SESSION=23OFSKL932RDASDAFSFJ23

  27. decrypt(verify_signature(cookie))

  28. User.find(session[:user_id])

  29. WE COULD DO
    SOMETHING SIMILAR…
    … OR FOLLOW AN OPEN
    STANDARD

  30. 06
    JSON WEB TOKENS

  31. JSON Web Tokens (RFC 7519) are an open standard that
    defines a compact and self-contained way to
    securely share information between parties
    as a JSON object.

  32. CLIENT -> SERVER: EMAIL=DAMIR@EXAMPLE.COM&PASSWORD=PASS123
    SERVER -> CLIENT: AUTH_TOKEN=33WE.DAS3Q.ADAS

  33. TO THE API CONSUMER IT CAN LOOK
    RANDOM..

  34. ..BUT IT’S MUCH MORE

  35. IT STORES INFORMATION
    INSIDE OF IT.

  36. DATA + SIGNATURE

  37. DATA + SIGNATURE
    data = { "user_id": 231 }
    token = data + sign(data)

  38. ABASASD.U93RJADSF.ASASD

  39. ABASASD.U93RJADSF.ASASD
    HEADER.PAYLOAD.SIGNATURE

  40. THE JWT HEADER

  41. HEADER
    {
      "alg": "HS256",
      "typ": "JWT"
    }

  42. BASE64URL-ENCODED HEADER (URL-SAFE ALPHABET, NO "=" PADDING)
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

  43. THE JWT BODY

  44. BODY
    {
      "user_id": 231,
      "exp": 1300819380
    }

  45. BASE64URL-ENCODED BODY
    eyJ1c2VyX2lkIjoyMzEsImV4cCI6MTMwMDgxOTM4MH0

  46. THE JWT SIGNATURE

  47. GENERATE A SIGNATURE
    require "base64"; require "openssl"
    # JWT segments are base64url-encoded without "=" padding (RFC 7515);
    # Base64.encode64 would add padding and newlines and yield an invalid token.
    encoded_string = Base64.urlsafe_encode64(header, padding: false) + "." +
                     Base64.urlsafe_encode64(payload, padding: false)
    # The HS256 signature is the raw HMAC-SHA256 output, itself base64url-encoded;
    # a hex digest is not what other JWT libraries will verify.
    signature = Base64.urlsafe_encode64(
      OpenSSL::HMAC.digest(
        OpenSSL::Digest.new("sha256"),
        Rails.application.secrets.secret_key_base, # the deck reuses the cookie secret; a dedicated key is safer
        encoded_string
      ), padding: false
    )

  48. SIGNATURE
    03f329983b86f7d9a9f5fef85305880101d

  49. JSON WEB TOKEN (HEADER.PAYLOAD.SIGNATURE)
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoyMzEsImV4cCI6MTMwMDgxOTM4MH0.03f329983b86f7d9a9f5fef85305880101d

  50. BODY CLAIMS (REGISTERED CLAIMS, RFC 7519)
    iss: the issuer of the token
    sub: the subject of the token
    exp: expiration time as a NumericDate (seconds since the Unix epoch); the token must not be accepted at or after it
    nbf: the time before which the JWT MUST NOT be accepted for processing
    iat: the time the JWT was issued; can be used to determine the age of the JWT

  51. 08
    JWT VS. RAILS SESSIONS

  52. RAILS COOKIE SESSIONS ARE
    ENCRYPTED (AND SIGNED)
    JWTS ARE ONLY SIGNED

  53. RAILS SESSIONS CAN'T BE
    READ ON THE CLIENT SIDE
    JWTS CAN BE READ ON THE
    CLIENT SIDE

  54. SECRET INFORMATION IN
    JWTS MUST BE EXPLICITLY
    ENCRYPTED (A SIGNED JWT IS ONLY
    BASE64URL-ENCODED, SO ANYONE
    HOLDING IT CAN READ THE CLAIMS)

  55. 09
    STATELESS AUTH

  56. BODY
    { "user_id": 231 }

  57. FORCE LOGOUT
    /
    ACCOUNT HIJACKING
    A PURELY STATELESS TOKEN STAYS VALID UNTIL IT EXPIRES

  58. 10
    REVOCATION

  59. HOW DOES DEVISE HANDLE
    THIS?

  60. INSERT A PART OF THE USER'S
    PASSWORD HASH INTO THE
    PAYLOAD

  61. session["warden.user.user.key"]
    # => [[1], "$2a$11$nnjPSD1q36Cg.PSqKPBU/u"]   (user id + the 29-byte bcrypt cost/salt prefix)

  62. {
      "exp": 1300819380,
      "user_id": 1,
      "pwd_start": "$2a$11$nnjPSD1q36Cg.PSqKPBU/u"
    }

  63. DISABLE TOKENS WITH AN
    IAT CLAIM OLDER THAN
    6.10.2017

  64. BODY
    {
      "user_id": 231,
      "exp": 1300819380,
      "iat": 1300700011
    }

  65. id | email             | password      | min_issued_at
    1  | damir@example.com | $2a$10$5FkD.. | 2017-09-09 08:59:06.750087

  66. JTI
    JWT ID: A UNIQUE IDENTIFIER FOR THE TOKEN

  67. BODY
    {
      "exp": 1300819380,
      "jti": "0A212BXC12"
    }

  68. id | email             | password      | jti
    1  | damir@example.com | $2a$10$5FkD.. | DSAY039R21S

  69. LOGOUTS DON’T INVALIDATE
    TOKENS
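
An added example, not the deck's code, that implements the three revocation checks of slides 60 to 69 (password-hash prefix in the payload, a per-user min_issued_at cut-off, and a per-user jti) against claims taken from an already signature-verified token. `User` is an in-memory stand-in for the users table, the bcrypt strings in the usage are constructed samples, and every method name is this example's own.

```ruby
require "securerandom"

# Added example, not code from the deck: revocation checks on the claims of a
# JWT whose signature and exp have already been verified. `User` stands in
# for the users table; names and the default TTL are assumptions.
User = Struct.new(:id, :password_digest, :min_issued_at, :jti, keyword_init: true) do
  # Devise-style: the first 29 bytes of a bcrypt hash are "$2a$<cost>$" plus
  # the 22-character salt, which changes on every password change.
  def authenticatable_salt
    password_digest[0, 29]
  end

  # "Force logout everywhere": tokens issued before this instant are dead.
  # Stored as epoch seconds so it compares directly with the iat claim.
  def invalidate_tokens_issued_before!(epoch_seconds)
    self.min_issued_at = epoch_seconds
  end

  # Logout: rotating the stored jti orphans every token carrying the old one.
  def rotate_jti!
    self.jti = SecureRandom.hex(8)
  end
end

module Revocation
  # The claims to sign into a new token for `user`.
  def self.issue_claims(user, now:, ttl: 24 * 60 * 60)
    {
      "user_id"   => user.id,
      "iat"       => now,
      "exp"       => now + ttl,
      "pwd_start" => user.authenticatable_salt,
      "jti"       => user.jti,
    }
  end

  # nil when the claims are still acceptable, otherwise a short reason.
  # Each check costs one users-table read per request, which is the price of
  # being able to revoke a stateless token before it expires.
  def self.reason(claims, user)
    return "unknown user" if user.nil?
    return "password changed" if claims["pwd_start"] != user.authenticatable_salt
    if user.min_issued_at && (claims["iat"].nil? || claims["iat"] < user.min_issued_at)
      return "issued before min_issued_at"
    end
    return "jti rotated" if claims["jti"] != user.jti
    nil
  end

  def self.valid?(claims, user)
    reason(claims, user).nil?
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: a 60-byte bcrypt-shaped digest, not a real password hash.
  user = User.new(id: 1, password_digest: "$2a$11$nnjPSD1q36Cg.PSqKPBU/u" + "k" * 31, jti: "DSAY039R21S")
  claims = Revocation.issue_claims(user, now: 1_300_700_011)
  puts "fresh token: #{Revocation.reason(claims, user).inspect}"
  user.rotate_jti! # the user logs out
  puts "after logout: #{Revocation.reason(claims, user).inspect}"
end
```

The three mechanisms cover different events: a password change revokes everything automatically through `pwd_start`, `min_issued_at` is the administrative "log this account out everywhere" switch, and rotating the jti on logout is what turns the deck's closing warning (logouts don't invalidate tokens) into a non-issue, at the cost of one stored identifier per user.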

  70. 10
    JWT ADVANTAGES

  71. SAFELY SHARE DATA WITH
    THE CLIENT APP

  72. {
      "user_id": 231,
      "admin": true,
      "permissions": ["read", "write"]
    }

  73. SELF CONTAINED TIME-BASED
    EXPIRATION HANDLING

  74. MICROSERVICES
    INFORMATION SHARING

  75. NOT REINVENTING THE
    WHEEL - USING AN OPEN
    STANDARD.

  76. LANGUAGE SUPPORT

  77. JWT.IO
    RUBY, ELIXIR, GO, PYTHON, JAVA, RUST..

  78. 11
    RAILS IMPLEMENTATIONS

  79. SCALABILITY.
    SIMPLICITY.
    STANDARDIZATION.

  80. ALWAYS
    IMPLEMENT A
    REVOCATION
    TECHNIQUE

  81. NO SILVER BULLET.

  82. Damir Svrtan
    Rails Team Lead @ infinum.co
    Organizer @ Ruby Zagreb
    Hit me up on twitter @DamirSvrtan
