REST Authentication with JWT

REST Authen,ca,on with JWT { REST Authen-ca-on with JWT }
- @ianaya89 1

! Nacho Anaya @ianaya89 • Full Stack Developer, Tech Trainer
& Speaker • Ambassador @Auth0 • Organizer @Vuenos_Aires { REST Authen-ca-on with JWT } - @ianaya89 2

{ REST Authen-ca-on with JWT } - @ianaya89 3

! Why token authen,ca,on? { REST Authen-ca-on with JWT }
- @ianaya89 4

! Why token authen,ca,on? > Stateless { REST Authen-ca-on with
JWT } - @ianaya89 5

! Why token authen,ca,on? > Decoupled { REST Authen-ca-on with
JWT } - @ianaya89 6

! Why token authen,ca,on? > Scalable { REST Authen-ca-on with
JWT } - @ianaya89 7

! Why JWT? { REST Authen-ca-on with JWT } -
@ianaya89 8

! Why JWT? > Standard RFC 7519 { REST Authen-ca-on
with JWT } - @ianaya89 9

! Why JWT? > Self Contained { REST Authen-ca-on with
JWT } - @ianaya89 10

! Why JWT? > Compact { REST Authen-ca-on with JWT
} - @ianaya89 11

! Why JWT? > Signed HMAC - RSA - ECDSA

! Why JWT? > JSON { REST Authen-ca-on with JWT
} - @ianaya89 13

! What is JWT? { REST Authen-ca-on with JWT }
- @ianaya89 14

! What is JWT? header.payload.signature + Base64 { REST Authen-ca-on

! What is JWT? { REST Authen-ca-on with JWT }
- @ianaya89 16

! Header { "alg": "HS256", "typ": "JWT" } { REST
Authen-ca-on with JWT } - @ianaya89 17

! Payload { "id": "1234567890", "name": "John Doe", "admin": true,
"iss": "https://api.com", "exp": 1510745797148 } { REST Authen-ca-on with JWT } - @ianaya89 18

! Payload { "id": "1234567890", "name": "John Doe", "admin": true,
"iss": "https://api.com", "exp": 1510745797148 } { REST Authen-ca-on with JWT } - @ianaya89 19

✍ Signature const data = base64urlEncode( header ) + '.'
+ base64urlEncode( payload ) HMACSHA256(data, 'your_secret_message') { REST Authen-ca-on with JWT } - @ianaya89 20

✍ Signature const data = base64urlEncode( header ) + '.'
+ base64urlEncode( payload ) HMACSHA256(data, 'your_secret_message') { REST Authen-ca-on with JWT } - @ianaya89 21

! When to use it? { REST Authen-ca-on with JWT
} - @ianaya89 23

! When to use it? > Authen)ca)on > Informa*on Exchange

! Where to use it? { REST Authen-ca-on with JWT
} - @ianaya89 25

! Where to use it? SPA's - Mobile Serverless -
IoT { REST Authen-ca-on with JWT } - @ianaya89 26

! { REST Authen-ca-on with JWT } - @ianaya89 28

! REST API's { REST Authen-ca-on with JWT } -
@ianaya89 29

! How does it work with REST? { REST Authen-ca-on

! How does it work with REST? 1. Sends Creden+als
POST /login { "user": "ianaya89", "password": "dont-hack-me" } { REST Authen-ca-on with JWT } - @ianaya89 32

! How does it work with REST? 2. Creates JWT
const jwt = require('jsonwebtoken') // POST /login function login (req, res, next) { // Validates user credentials... const payload = { user: 'ianaya89', role: 'admin' } const token = jwt.sign(payload, 'this_is_super_secret') res.status(201).send({ token: `Bearer ${token}` }) } router.post('/login', login) { REST Authen-ca-on with JWT } - @ianaya89 33

! How does it work with REST? 3. Returns JWT
const jwt = require('jsonwebtoken') // POST /login function login (req, res, next) { // Validates user credentials... const payload = { user: 'ianaya89', role: 'admin' } const token = jwt.sign(payload, 'this_is_super_secret') res.status(201).send({ token: `Bearer ${token}` }) } router.post('/login', login) { REST Authen-ca-on with JWT } - @ianaya89 34

! How does it work with REST? 4. Gets a
resource GET /resource Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkiLCJuYW1lIjoiSm9obiBEb2UiLCJhZG1pbiI6ZmFsc2V9. b99O1RrYbHtWJ3MGZXkdADZkmiLm9HNliRccKxMPDuc { REST Authen-ca-on with JWT } - @ianaya89 35

! How does it work with REST? 5. Veriﬁes token
const jwt = require('jsonwebtoken') // GET /resource function getResource (req, res, next) { try { const payload = jwt.verify(token, 'this_is_super_secret') } catch (err) { return res.sendStatus(401) } } router.get('/resource', getResource) { REST Authen-ca-on with JWT } - @ianaya89 36

! How does it work with REST? 6. Sends response
const jwt = require('jsonwebtoken') // GET /resource function getResource (req, res, next) { try { const payload = jwt.verify(token, 'this_is_super_secret') res.send(' ! ') } catch (err) { return res.sendStatus(401) } } router.get('/resource', getResource) { REST Authen-ca-on with JWT } - @ianaya89 37

! How does it work with REST? 6. Sends response
const jwt = require('jsonwebtoken') // GET /resource function getResource (req, res, next) { try { const payload = jwt.verify(token, 'this_is_super_secret') if (payload.role !== 'admin') { return res.sendStatus(403) } res.send(' ! ') } catch (err) { return res.sendStatus(401) } } router.get('/resource', getResource) { REST Authen-ca-on with JWT } - @ianaya89 38

! Which languages are supported? { REST Authen-ca-on with JWT
} - @ianaya89 39

! Which languages are supported? > "All" of them {
REST Authen-ca-on with JWT } - @ianaya89 40

! Is JWT secure? { REST Authen-ca-on with JWT }
- @ianaya89 42

! Is JWT secure? ! Yes { REST Authen-ca-on with

! Is JWT secure? ! But... { REST Authen-ca-on with

! Is JWT secure? > Anyone can view the content

! Is JWT secure? > No one can modify it

! Is JWT secure? > JWT is signed not ecnrpyted

! Is JWT secure? > Keep your "secret" secret {
REST Authen-ca-on with JWT } - @ianaya89 50

! Resources • jwt.io • jwt-handbook • demo-auth-jwt-api { REST
Authen-ca-on with JWT } - @ianaya89 51

! Thanks! @ianaya89 bit.ly/rest-auth-jwt { REST Authen-ca-on with JWT }
- @ianaya89 53

REST Authentication with JWT

REST Authentication with JWT

More Decks by Ignacio Anaya

Other Decks in Programming

Featured

Transcript