REST Authentication with JWT

Transcript

1. REST Authen,ca,on with JWT { REST Authen-ca-on with JWT }

   - @ianaya89 1

2. ! Nacho Anaya @ianaya89 • Full Stack Developer, Tech Trainer

   & Speaker • Ambassador @Auth0 • Organizer @Vuenos_Aires { REST Authen-ca-on with JWT } - @ianaya89 2

3. { REST Authen-ca-on with JWT } - @ianaya89 3

4. ! Why token authen,ca,on? { REST Authen-ca-on with JWT }

   - @ianaya89 4

5. ! Why token authen,ca,on? > Stateless { REST Authen-ca-on with

   JWT } - @ianaya89 5

6. ! Why token authen,ca,on? > Decoupled { REST Authen-ca-on with

   JWT } - @ianaya89 6

7. ! Why token authen,ca,on? > Scalable { REST Authen-ca-on with

   JWT } - @ianaya89 7

8. ! Why JWT? { REST Authen-ca-on with JWT } -

   @ianaya89 8

9. ! Why JWT? > Standard RFC 7519 { REST Authen-ca-on

   with JWT } - @ianaya89 9

10. ! Why JWT? > Self Contained { REST Authen-ca-on with

    JWT } - @ianaya89 10

11. ! Why JWT? > Compact { REST Authen-ca-on with JWT

    } - @ianaya89 11

12. ! Why JWT? > Signed HMAC - RSA - ECDSA

    { REST Authen-ca-on with JWT } - @ianaya89 12

13. ! Why JWT? > JSON { REST Authen-ca-on with JWT

    } - @ianaya89 13

14. ! What is JWT? { REST Authen-ca-on with JWT }

    - @ianaya89 14

15. ! What is JWT? header.payload.signature + Base64 { REST Authen-ca-on

    with JWT } - @ianaya89 15

16. ! What is JWT? { REST Authen-ca-on with JWT }

    - @ianaya89 16

17. ! Header { "alg": "HS256", "typ": "JWT" } { REST

    Authen-ca-on with JWT } - @ianaya89 17

18. ! Payload { "id": "1234567890", "name": "John Doe", "admin": true,

    "iss": "https://api.com", "exp": 1510745797148 } { REST Authen-ca-on with JWT } - @ianaya89 18

19. ! Payload { "id": "1234567890", "name": "John Doe", "admin": true,

    "iss": "https://api.com", "exp": 1510745797148 } { REST Authen-ca-on with JWT } - @ianaya89 19

20. ✍ Signature const data = base64urlEncode( header ) + '.'

    + base64urlEncode( payload ) HMACSHA256(data, 'your_secret_message') { REST Authen-ca-on with JWT } - @ianaya89 20

21. ✍ Signature const data = base64urlEncode( header ) + '.'

    + base64urlEncode( payload ) HMACSHA256(data, 'your_secret_message') { REST Authen-ca-on with JWT } - @ianaya89 21

22. { REST Authen-ca-on with JWT } - @ianaya89 22

23. ! When to use it? { REST Authen-ca-on with JWT

    } - @ianaya89 23

24. ! When to use it? > Authen)ca)on > Informa*on Exchange

    { REST Authen-ca-on with JWT } - @ianaya89 24

25. ! Where to use it? { REST Authen-ca-on with JWT

    } - @ianaya89 25

26. ! Where to use it? SPA's - Mobile Serverless -

    IoT { REST Authen-ca-on with JWT } - @ianaya89 26

27. { REST Authen-ca-on with JWT } - @ianaya89 27

28. ! { REST Authen-ca-on with JWT } - @ianaya89 28

29. ! REST API's { REST Authen-ca-on with JWT } -

    @ianaya89 29

30. ! How does it work with REST? { REST Authen-ca-on

    with JWT } - @ianaya89 30

31. { REST Authen-ca-on with JWT } - @ianaya89 31

32. ! How does it work with REST? 1. Sends Creden+als

    POST /login { "user": "ianaya89", "password": "dont-hack-me" } { REST Authen-ca-on with JWT } - @ianaya89 32

33. ! How does it work with REST? 2. Creates JWT

    const jwt = require('jsonwebtoken') // POST /login function login (req, res, next) { // Validates user credentials... const payload = { user: 'ianaya89', role: 'admin' } const token = jwt.sign(payload, 'this_is_super_secret') res.status(201).send({ token: `Bearer ${token}` }) } router.post('/login', login) { REST Authen-ca-on with JWT } - @ianaya89 33

34. ! How does it work with REST? 3. Returns JWT

    const jwt = require('jsonwebtoken') // POST /login function login (req, res, next) { // Validates user credentials... const payload = { user: 'ianaya89', role: 'admin' } const token = jwt.sign(payload, 'this_is_super_secret') res.status(201).send({ token: `Bearer ${token}` }) } router.post('/login', login) { REST Authen-ca-on with JWT } - @ianaya89 34

35. ! How does it work with REST? 4. Gets a

    resource GET /resource Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkiLCJuYW1lIjoiSm9obiBEb2UiLCJhZG1pbiI6ZmFsc2V9. b99O1RrYbHtWJ3MGZXkdADZkmiLm9HNliRccKxMPDuc { REST Authen-ca-on with JWT } - @ianaya89 35

36. ! How does it work with REST? 5. Verifies token

    const jwt = require('jsonwebtoken') // GET /resource function getResource (req, res, next) { try { const payload = jwt.verify(token, 'this_is_super_secret') } catch (err) { return res.sendStatus(401) } } router.get('/resource', getResource) { REST Authen-ca-on with JWT } - @ianaya89 36

37. ! How does it work with REST? 6. Sends response

    const jwt = require('jsonwebtoken') // GET /resource function getResource (req, res, next) { try { const payload = jwt.verify(token, 'this_is_super_secret') res.send(' ! ') } catch (err) { return res.sendStatus(401) } } router.get('/resource', getResource) { REST Authen-ca-on with JWT } - @ianaya89 37

38. ! How does it work with REST? 6. Sends response

    const jwt = require('jsonwebtoken') // GET /resource function getResource (req, res, next) { try { const payload = jwt.verify(token, 'this_is_super_secret') if (payload.role !== 'admin') { return res.sendStatus(403) } res.send(' ! ') } catch (err) { return res.sendStatus(401) } } router.get('/resource', getResource) { REST Authen-ca-on with JWT } - @ianaya89 38

39. ! Which languages are supported? { REST Authen-ca-on with JWT

    } - @ianaya89 39

40. ! Which languages are supported? > "All" of them {

    REST Authen-ca-on with JWT } - @ianaya89 40

41. { REST Authen-ca-on with JWT } - @ianaya89 41

42. ! Is JWT secure? { REST Authen-ca-on with JWT }

    - @ianaya89 42

43. ! { REST Authen-ca-on with JWT } - @ianaya89 43

44. ! Is JWT secure? ! Yes { REST Authen-ca-on with

    JWT } - @ianaya89 44

45. ! Is JWT secure? ! But... { REST Authen-ca-on with

    JWT } - @ianaya89 45

46. { REST Authen-ca-on with JWT } - @ianaya89 46

47. ! Is JWT secure? > Anyone can view the content

    { REST Authen-ca-on with JWT } - @ianaya89 47

48. ! Is JWT secure? > No one can modify it

    { REST Authen-ca-on with JWT } - @ianaya89 48

49. ! Is JWT secure? > JWT is signed not ecnrpyted

    { REST Authen-ca-on with JWT } - @ianaya89 49

50. ! Is JWT secure? > Keep your "secret" secret {

    REST Authen-ca-on with JWT } - @ianaya89 50

51. ! Resources • jwt.io • jwt-handbook • demo-auth-jwt-api { REST

    Authen-ca-on with JWT } - @ianaya89 51

52. ! { REST Authen-ca-on with JWT } - @ianaya89 52

53. ! Thanks! @ianaya89 bit.ly/rest-auth-jwt { REST Authen-ca-on with JWT }

    - @ianaya89 53