JSON Web Tokens - PHP Antwerp

Jens Segers

August 31, 2017

Transcript

  1. GITHUB PACKAGES
     • jenssegers/optimus - ID obfuscation
     • jenssegers/agent - User agent parsing, mobile & bot detection
     • jenssegers/date - Localized dates
     • jenssegers/imagehash - Perceptual image hashes
  2. JWT, WHAT? JSON Web Token is an open standard that defines a compact and self-contained way for securely transmitting information between parties as a JSON object
  3. JWT, WHAT? JSON Web Token is an open standard that defines a compact and self-contained way for securely transmitting information between parties as a JSON object
  4. SIGNATURE PURPOSE
     • Signatures are calculated using symmetric or asymmetric cryptography.
     • It provides proof of authenticity and integrity for the JWT data.
  5. SYMMETRIC SIGNATURES (HMAC)
     • Both parties share a secret key
     • The sender calculates the signature using the secret key
     • The receiver re-calculates the signature and compares it with the received signature
  6. ASYMMETRIC SIGNATURES (RSA)
     • The sender shares his public key with the receiver
     • The sender calculates the signature by hashing the data and encrypting it with his private key
     • The receiver validates the signature by decrypting the signature with the public key of the sender and comparing the hash
  7. SIGNATURE PURPOSE
     • Authenticity: Only parties with the secret key can generate a valid signature
     • Integrity: You can't change the JWT data without regenerating a new signature
     • No secrecy! Alternative: JSON Web Encryption (JWE)
  8. JWT, WHAT? JSON Web Token is an open standard that defines a compact and self-contained way for securely transmitting information between parties as a JSON object
  9. INFORMATION EXCHANGE
     POST /transfer
     { "to": "171RaSzy9GYHCA8TuLYN5mwTWs3nnARfMZ", "amount": 1, "currency": "BTC" }
     POST /transfer
     eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0byI6IjE3MVJhU3p5OUdZSENBOFR1TFlONW13VFdzM25uQVJmTVoiLCJhbW91bnQiOjF9.MW_K5DZTYCJADOp9ArTKIwB8m4knAG-Pdv_V9xXId2I
  10. STATEFUL AUTHENTICATION
     1. User submits credentials
     2. Server generates a unique session id
     3. Session information is stored server side
     4. Responds with a cookie containing the session id
     5. On every request the session and user data is fetched from the database/redis
  11. STATEFUL AUTHENTICATION
     • Cookies are bad for caching
     • Cookies are bad for CORS
     • Servers need a shared session storage
     • Servers need to query the storage to verify and get user/session information
  12. STATELESS AUTHENTICATION WITH JWT
     1. User submits credentials
     2. Server responds with a JWT identifying the user
     3. On every request the client sends the received JWT in the Authorization header
     4. The server verifies the JWT by checking the signature
  13. OAUTH2 AND JWT
     JWT access tokens containing user identifier and scopes.
     { "iss": "teamleader", "sub": "423523:534534", "exp": 1483711650, "iat": 1483708050, "scopes": ["companies", "contacts"] }
  14. ADVANTAGES
     • No need for an access token table
     • No database calls to validate the access token, get the user id, scopes, ...
     • Possibility to have shared tokens across multiple micro-services
     • The client can check if the token is expired
  15. DISADVANTAGES
     • Access tokens can't easily be revoked, unless you keep a list of tokens to revoke
     • Best practice to have a short TTL
     • The more embedded data, the bigger the JWT. No fixed size.
     • Not encrypted, unless you use JWE
     • Token data can go stale
  16. MIDDLEWARE EXAMPLE
     // lcobucci/jwt 3.x API as used on the slide
     $token = $this->getBearerTokenFromRequest($request);
     $jwt = (new \Lcobucci\JWT\Parser())->parse($token); // throws on a malformed token
     // Signature must verify with HMAC-SHA256 and the shared secret;
     // expiry is not checked here (lcobucci/jwt 3.x does that via $jwt->validate(new \Lcobucci\JWT\ValidationData()))
     if (!$jwt->verify(new \Lcobucci\JWT\Signer\Hmac\Sha256(), 'secret')) {
         throw new BadRequestException('Invalid token');
     }
     $identifier = $jwt->getClaim('sub');
     $scopes = $jwt->getClaim('scopes');
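The HMAC flow from slides 5 and 7, the decoding of the slide 9 token, and the middleware step from slide 16, as one added Python example that is not part of the deck (the talk's own code is PHP; Python's standard library is used here so the whole flow runs without a JWT library). The shared secret, the claim values other than those shown on the slides, and the function names are assumptions made for the example; the slide 9 token is only decoded, because its signing key is not on the page.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret for this example; a real service loads it from configuration.
SECRET = b"example-shared-secret"

# Token from the INFORMATION EXCHANGE slide. Its signing key is not on the page,
# so this example can decode it but cannot verify its signature.
SLIDE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJ0byI6IjE3MVJhU3p5OUdZSENBOFR1TFlONW13VFdzM25uQVJmTVoiLCJhbW91bnQiOjF9."
    "MW_K5DZTYCJADOp9ArTKIwB8m4knAG-Pdv_V9xXId2I"
)


def b64url_encode(raw: bytes) -> str:
    """base64url without padding, the encoding of every JWT segment."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding base64 expects."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Sender side (slide 5): header.payload signed with HMAC-SHA256 over the shared secret."""
    header_b64 = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def decode_unverified(token: str) -> tuple:
    """Header and payload are only base64url-encoded: anyone can read them (slide 7, 'No secrecy!')."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def verify_hs256(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Receiver side: re-calculate the signature, compare, then check expiry. Raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        received_sig = b64url_decode(sig_b64)
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:  # base64 and JSON decoding errors are both ValueError subclasses
        raise ValueError("malformed token")
    # The receiver fixes the algorithm it accepts; the token header does not get to choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256" or not isinstance(claims, dict):
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, received_sig):  # constant-time comparison
        raise ValueError("bad signature")
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:  # short TTL (slide 15) is what limits a stale token
        raise ValueError("token expired")
    return claims


def rejection_reason(token: str, secret: bytes, now: Optional[int] = None) -> Optional[str]:
    """None when the token verifies, otherwise the reason a middleware would log."""
    try:
        verify_hs256(token, secret, now)
        return None
    except ValueError as exc:
        return str(exc)


def authenticate_request(headers: dict, secret: bytes, now: Optional[int] = None) -> dict:
    """Middleware step (slide 16): take the bearer token, verify it, return identifier and scopes."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise ValueError("missing bearer token")
    claims = verify_hs256(token, secret, now)
    return {"identifier": claims["sub"], "scopes": claims.get("scopes", [])}


if __name__ == "__main__":
    print(decode_unverified(SLIDE_TOKEN)[1])        # readable without any key
    print(rejection_reason(SLIDE_TOKEN, SECRET))     # we do not hold the key that signed it
    access = sign_hs256({"iss": "teamleader", "sub": "423523:534534", "exp": 1483711650,
                         "iat": 1483708050, "scopes": ["companies", "contacts"]}, SECRET)
    print(authenticate_request({"Authorization": "Bearer " + access}, SECRET, now=1483708100))
```

Re-encoding the decoded slide 9 payload with compact JSON separators reproduces the slide's first two token segments exactly, which shows that the payload carries no secrecy at all; only the third segment depends on the key, and changing a single claim makes the receiver's re-calculated HMAC differ from the received one.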
  17. JWT AT TEAMLEADER
     • JWT OAuth2 access tokens, RSA signed (league/oauth2-server)
     • Separate OAuth2 micro-service; access tokens are accepted across the micro-services' APIs
     • Marketplace shares user information between front-end and back-end using a JWT