JSON Web Tokens in a microservice architecture (PHPBenelux)

Jens Segers
January 20, 2018

In this talk I'll introduce you to JSON Web Tokens (JWT) and how they might change your view on securely transmitting data between services. We'll take a look at what's inside a JSON Web Token, what makes them secure and how you can use them in a microservice architecture.

Transcript

  1. JSON WEB TOKENS
    JENS SEGERS

  2. GITHUB PACKAGES
    • jenssegers/optimus - ID obfuscation
    • jenssegers/agent - User agent parsing, mobile & bot detection
    • jenssegers/date - Localized dates
    • jenssegers/imagehash - Perceptual image hashes

  3. JSON WEB TOKENS
    AKA. JWT

  4. JSON WEB TOKENS
    AKA. JWT
    AKA. JOT?

  5. JWT, WHAT?
    JSON Web Token is an open standard that defines a compact and
    self-contained way for securely transmitting information between
    parties as a JSON object

  6. JWT, WHAT?
    JSON Web Token is an open standard that defines a compact and
    self-contained way for securely transmitting information between
    parties as a JSON object

  7. JWT EXAMPLE
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
    eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.
    TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

  8. JWT EXAMPLE
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
    eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.
    TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
    1. Header
    2. Payload
    3. Signature

  9. HEADER
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
    eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.
    TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
    {
    "alg": "HS256",
    "typ": "JWT"
    }

  10. PAYLOAD (CLAIMS)
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
    eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.
    TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
    {
    "iss": "acme.com",
    "sub": "1234567890",
    "exp": 1483711650,
    "name": "John Doe",
    "admin": true
    }

  11. SIGNATURE
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
    eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.
    TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
    // JWT segments are base64url-encoded (RFC 7515): '+' -> '-', '/' -> '_', no '=' padding
    function b64url($x) { return rtrim(strtr(base64_encode($x), '+/', '-_'), '='); }
    $signature = b64url(hash_hmac(
    'sha256',
    b64url($header).'.'.b64url($payload), // the signing input: both segments encoded, not decoded
    'secret-passphrase',
    true // raw bytes, which then become the third segment; the default hex string is not what goes in the token
    ));

  12. SIGNATURE
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
    eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.
    TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
    function b64url($x) { return rtrim(strtr(base64_encode($x), '+/', '-_'), '='); }
    openssl_sign(
    b64url($header).'.'.b64url($payload), // the signing input: both segments encoded, not decoded
    $signature, // filled with the raw RSA signature
    openssl_pkey_get_private('file://key.pem'),
    OPENSSL_ALGO_SHA256 // RSASSA-PKCS1-v1_5 with SHA-256, i.e. "alg": "RS256"
    );
    $token = b64url($header).'.'.b64url($payload).'.'.b64url($signature);

  13. SIGNATURE PURPOSE
    It provides proof of authenticity and integrity for the JWT data.

  14. CRYPTOGRAPHY 101

  15. SYMMETRIC SIGNATURES
    • All parties involved share a secret key
    • The sender calculates the signature using the secret key
    • The receiver re-calculates the signature and compares it with the
    received signature

  16. ASYMMETRIC SIGNATURES
    • The sender shares his public key with the receiver
    • The sender calculates the signature by hashing the data and
    signing the hash with his private key (for RSA this is often
    described as "encrypting with the private key"; the signature
    scheme adds padding, so it is not plain encryption)
    • The receiver validates the signature with the public key against
    the hash of the received message

  17. SIGNATURE RECAP
    • Authenticity: with a shared secret, only parties holding the secret
    can generate (and verify) signatures; with a key pair, only the
    private key holder can generate one and anyone with the public key
    can verify it
    • Integrity: You can't change the JWT data without generating a
    new signature
    • No secrecy! The payload is only base64url-encoded.
    Alternative: JSON Web Encryption (JWE)
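
    The structure, signing and verification slides above (7 to 17), as an added
    example that is not part of the deck and not code from any library it names.
    It is Python with only the standard library rather than the deck's PHP so it
    runs stand-alone; the secret, claims and clock values are constructed. It
    builds the same three-segment HS256 token, then contrasts a verifier that
    lets the token's own header choose the algorithm (so an attacker can set
    alg to "none" and drop the signature) with one that pins the algorithm,
    compares the signature in constant time and checks exp only after the
    signature has passed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    """JWT segments are base64url without '=' padding (RFC 7515, section 2)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Put the stripped padding back before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def compact_json(obj: dict) -> bytes:
    # No whitespace, keys in insertion order: the form the deck's tokens were built from.
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def hs256(signing_input: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def mint(claims: dict, secret: bytes) -> str:
    """header.payload.signature, HMAC-SHA256 computed over the first two encoded segments."""
    header = b64url_encode(compact_json({"alg": "HS256", "typ": "JWT"}))
    payload = b64url_encode(compact_json(claims))
    signing_input = f"{header}.{payload}".encode("ascii")
    return f"{header}.{payload}.{b64url_encode(hs256(signing_input, secret))}"


def forge_unsigned(claims: dict) -> str:
    """What an attacker sends to a verifier that trusts the header: alg=none, empty signature."""
    header = b64url_encode(compact_json({"alg": "none", "typ": "JWT"}))
    return f"{header}.{b64url_encode(compact_json(claims))}."


def naive_verify(token: str, secret: bytes) -> dict:
    """Weak form, kept only to show the failure: the token chooses its own algorithm."""
    header_seg, payload_seg, sig_seg = token.split(".")
    header = json.loads(b64url_decode(header_seg))
    if header["alg"] != "none":  # "none" is taken to mean "nothing to check", so it passes
        expected = hs256(f"{header_seg}.{payload_seg}".encode("ascii"), secret)
        if b64url_decode(sig_seg) != expected:  # also not a constant-time compare
            raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_seg))


def verify(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Hardened form: the verifier decides the algorithm, the signature is compared in
    constant time, and exp is read only after the signature has been accepted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_seg, payload_seg, sig_seg = parts
    header = json.loads(b64url_decode(header_seg))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hs256(f"{header_seg}.{payload_seg}".encode("ascii"), secret)
    if not hmac.compare_digest(b64url_decode(sig_seg), expected):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_seg))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= int(claims["exp"]):
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    secret = b"secret-passphrase"  # constructed for the example; a real HS256 key is >= 32 random bytes
    claims = {"iss": "acme.com", "sub": "1234567890", "exp": 1483711650,
              "name": "John Doe", "admin": False}
    token = mint(claims, secret)
    print(token)
    print(verify(token, secret, now=1483711649))
    forged = forge_unsigned({**claims, "admin": True})
    print("naive verifier accepts admin =", naive_verify(forged, secret)["admin"])
    try:
        verify(forged, secret, now=1483711649)
    except ValueError as err:
        print("hardened verifier:", err)
```

    The first segment minted here is byte-for-byte the header segment shown on the
    example slides, because both encode the same compact JSON. The verifier is
    the side that pins "HS256": a library that reads alg from the token and
    dispatches on it has to be configured with an allow-list, or it inherits the
    naive behaviour.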

  18. JWT, WHAT?
    JSON Web Token is an open standard that defines a compact and
    self-contained way for securely transmitting information between
    parties as a JSON object

  19. INFORMATION EXCHANGE

  20. INFORMATION EXCHANGE
    POST /transfer
    {
    "to": "171RaSzy9GYHCA8TuLYN5mwTWs3nnARfMZ",
    "amount": 1,
    "currency": "BTC"
    }
    POST /transfer
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
    eyJ0byI6IjE3MVJhU3p5OUdZSENBOFR1TFlONW13VFdzM25uQVJmTVoiLCJhbW91bnQiOjF9.
    MW_K5DZTYCJADOp9ArTKIwB8m4knAG-Pdv_V9xXId2I

  21. TEMPORARY LINKS
    public.acme.com/mQsh79zqGb9pxGz2...

  22. TEMPORARY LINKS
    {
    "sub": 1234567890,
    "exp": 1483711650,
    "version": 1
    }
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
    eyJzdWIiOiIxMjM0NTY3ODkwIiwiZXhwIjoxNDgzNzExNjUwfQ.
    NkHLOdRpIcDahCuJyRpOEUwebxWcs4LobzCksk1z_lc

  23. STATELESS AUTHENTICATION

  24. BUT FIRST ...
    WHAT IS STATEFUL AUTHENTICATION?

  25. STATEFUL AUTHENTICATION
    1. User submits credentials
    2. Server generates a unique session id
    3. Session information is stored server side
    4. Responds with a cookie containing the session id
    5. On every request the session and user data is fetched from the
    database/redis

  26. STATEFUL AUTHENTICATION
    • Cookies are bad for caching
    • Cookies are bad for CORS
    • Servers need a shared session storage
    • Servers need to query the storage to verify and get user/session
    information

  27. STATELESS AUTHENTICATION
    WITH JWT

  28. STATELESS AUTHENTICATION WITH JWT
    1. User submits credentials
    2. (Authentication) Server responds with a JWT identifying the user
    3. On every request the client sends the received JWT in the
    Authorization header
    4. The server verifies the JWT by checking the signature (and claims
    such as exp)

  29. OAUTH2 AND JWT
    JWT access tokens containing user identifier and scopes.
    {
    "iss": "teamleader",
    "sub": "423523:534534",
    "exp": 1483711650,
    "iat": 1483708050,
    "scopes": ["companies", "contacts"]
    }

  30. ADVANTAGES
    • No need for an access token table
    • The client can check if the token is expired
    • No database calls to validate the access token, get the user id,
    scopes, ...
    • Possibility to have shared tokens across multiple micro-services

  31. DISADVANTAGES
    • Access tokens can't easily be revoked, unless you keep a list of
    tokens to revoke
    • Best practice to have a short TTL
    • The more embedded data, the bigger the JWT. No fixed size.
    • Not encrypted, only base64url-encoded: anyone holding the token
    can read the claims, unless you use JWE
    • Token data can go stale (a removed scope or changed name stays
    in the token until it expires)
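
    The revocation list the first disadvantage mentions, as an added example
    that is not from the deck or from any library it names, in Python (the
    deck's code is PHP) and constructed for this page. It assumes the verifier
    has already checked the signature and exp and hands over the decoded
    claims; it also assumes a per-token "jti" claim, which the deck's payloads
    do not show, alongside the standard "sub" and "iat" from the OAuth2 slide.
    Two mechanisms are combined: revoke one token by jti (logout), and
    invalidate every token a subject was issued before a point in time
    (password change, which also addresses stale claims). Both are pruned by
    the tokens' own lifetime, so the store never holds more than one TTL's
    worth of entries.

```python
from typing import Dict


class RevocationStore:
    """Revocation for otherwise stateless JWTs, bounded by the tokens' own TTL.

    In a real deployment the two dicts live in a shared store such as Redis;
    that reintroduces one lookup per request, but against a small, bounded set
    rather than a row per live session.
    """

    def __init__(self, max_ttl: int) -> None:
        self.max_ttl = max_ttl                 # longest lifetime the issuer ever grants
        self._tokens: Dict[str, int] = {}      # jti -> exp of the revoked token
        self._subjects: Dict[str, int] = {}    # sub -> tokens issued before this are invalid

    def revoke_token(self, claims: dict) -> None:
        """Revoke a single token, e.g. on logout. Only worth remembering until it expires."""
        self._tokens[claims["jti"]] = int(claims["exp"])

    def revoke_subject_before(self, sub: str, issued_before: int) -> None:
        """Invalidate every token issued to sub before a point in time, e.g. a password
        change. A later cutoff never moves the existing one backwards."""
        self._subjects[sub] = max(self._subjects.get(sub, 0), issued_before)

    def prune(self, now: int) -> int:
        """Drop entries no live token can match any more; returns how many were dropped."""
        dead_tokens = [jti for jti, exp in self._tokens.items() if exp <= now]
        for jti in dead_tokens:
            del self._tokens[jti]
        # A token issued before the cutoff has expired by cutoff + max_ttl at the latest.
        dead_subjects = [sub for sub, cutoff in self._subjects.items()
                         if cutoff + self.max_ttl <= now]
        for sub in dead_subjects:
            del self._subjects[sub]
        return len(dead_tokens) + len(dead_subjects)

    def is_allowed(self, claims: dict, now: int) -> bool:
        """Call after signature and exp have been verified."""
        self.prune(now)
        if claims.get("jti") in self._tokens:
            return False
        cutoff = self._subjects.get(claims.get("sub"))
        # A token without iat cannot be placed in time, so it fails any subject cutoff.
        return cutoff is None or int(claims.get("iat", 0)) >= cutoff

    def __len__(self) -> int:
        return len(self._tokens) + len(self._subjects)


if __name__ == "__main__":
    # Constructed claims: 60 s tokens for subject "1", as a verifier would hand them over.
    store = RevocationStore(max_ttl=60)
    first = {"sub": "1", "jti": "t1", "iat": 100, "exp": 160}
    second = {"sub": "1", "jti": "t2", "iat": 150, "exp": 210}
    store.revoke_token(first)                      # logout of the first session
    print(store.is_allowed(first, now=120), store.is_allowed(second, now=155))
    store.revoke_subject_before("1", 151)          # password changed at t=151
    print(store.is_allowed(second, now=155))
    print("pruned", store.prune(now=211), "entries left", len(store))
```

    Pruning keys the subject cutoff on max_ttl, so the issuer's TTL policy is
    also what bounds the memory here; if the issuer ever mints a longer-lived
    token than max_ttl, a cutoff could be dropped while such a token is still
    valid.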

  32. PHP PACKAGES
    • league/oauth2-server
    • lcobucci/jwt
    • firebase/php-jwt

  33. MIDDLEWARE EXAMPLE
    $token = $this->getBearerTokenFromRequest($request);
    $jwt = (new \Lcobucci\JWT\Parser())->parse($token); // throws on malformed input; catch upstream
    // verify() checks the signature with the signer we pin here (the header's "alg" must match it),
    // so a token claiming "none" or "RS256" is rejected. It does not check expiry.
    // 'secret' is a placeholder: an HS256 key should be at least 32 random bytes.
    if (!$jwt->verify(new \Lcobucci\JWT\Signer\Hmac\Sha256(), 'secret')) {
    throw new BadRequestException('Invalid token'); // 401 Unauthorized is the conventional response
    }
    // exp/nbf (and iss, if set) are checked separately with lcobucci/jwt 3.x ValidationData
    $validation = new \Lcobucci\JWT\ValidationData();
    $validation->setIssuer('acme.com');
    if (!$jwt->validate($validation)) {
    throw new BadRequestException('Expired or invalid token');
    }
    $identifier = $jwt->getClaim('sub');
    $scopes = $jwt->getClaim('scopes');

  34. JWT AT TEAMLEADER
    • JWT OAuth2 access tokens, RSA signed (league/oauth2-server)
    • Separate OAuth2 micro-service; its access tokens are accepted
    across the micro-services' APIs
    • Temporary access links
    • Store JWT data in a cookie for some small micro-services