
Tackling Authentication with Phoenix

Authentication is a core feature of modern apps. It has kept evolving over the years and plays a huge role in a product's success. In this talk we look at how to tackle this challenge with Elixir, going over its libraries and checking how to take advantage of their features in the best way possible.


João Moura

March 03, 2017

Transcript

  1. TACKLING AUTHENTICATION with Phoenix

  2. https://www.entrepreneur.com/article/242208

  3. 90% of passwords are CRACKABLE within 6 hours

    https://www.entrepreneur.com/article/242208
  4. 90% FREAKING

  5. 65% of people use the SAME PASS everywhere

    https://www.entrepreneur.com/article/242208
  7. 初心 (beginner's mind)

  8. BEGINNER'S mind

  11. BEGINNER'S mind

  20. https://www.entrepreneur.com/article/242208

  21. 200.000,00 for a small business to fix issues post-breach

    https://www.entrepreneur.com/article/242208
  22. João M. D. Moura Senior Engineer at Packlane @joaomdmoura

  23. TACKLING AUTHENTICATION with Phoenix

  24. USABILITY

  25. USABILITY / DELEGATE

  26. USABILITY / DELEGATE: SSO

  27. USABILITY / DELEGATE: SSO, MICRO SERVICE
  28. AUTHENTICATION AUTHORIZATION X

  29. AUTHENTICATION

  30. SOMETHING YOU KNOW

  32. COHERENCE

  33. mix coherence.install --full

  34. ÜBERAUTH

  35. REQUEST

  36. CALLBACK

  37. CALLBACK STRATEGIES

  40. SOMETHING YOU HAVE a.k.a. magic login links

  42. POT

  43. Secret + Time = 123456

  44. secret = "S3CR3T"
      token = :pot.totp(secret)

  45. secret = "S3CR3T"
      token = "123456"
      is_valid = :pot.valid_totp(token, secret)
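As an added example (not code from the talk or from pot), here is the RFC 6238 computation behind `:pot.totp/1` and `:pot.valid_totp/2`, written out in Python so the "Secret + Time = 123456" step is visible. It assumes pot's defaults (a base32 secret, 30-second step, 6 digits, HMAC-SHA1), uses the RFC 6238 test secret in place of the talk's "S3CR3T" placeholder, and adds a one-step skew window that the talk does not mention.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # RFC 6238 default time step (assumed to match pot's default)
DIGITS = 6          # "123456" on the slide: six decimal digits

# Constructed input: the RFC 4226 / RFC 6238 test secret, base32-encoded the
# way pot expects secrets to be supplied.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # low nibble of the last byte picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)  # keep leading zeros


def totp(secret_b32: str, now: Optional[float] = None) -> str:
    """RFC 6238, "Secret + Time": the counter is the number of 30 s steps since the epoch."""
    now = time.time() if now is None else now
    return hotp(secret_b32, int(now // STEP_SECONDS))


def valid_totp(token: str, secret_b32: str, now: Optional[float] = None, window: int = 1) -> bool:
    """Accept the code for the current step and `window` steps either side (clock skew),
    comparing in constant time so a wrong digit does not leak through timing."""
    now = time.time() if now is None else now
    counter = int(now // STEP_SECONDS)
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + drift), token)
        for drift in range(-window, window + 1)
    )
```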

  46. MULTI-FACTOR authentication

  47. MULTI-FACTOR authentication …or getting away with a shitty password

  49. AUTHORIZATION

  53. knock knock client server

  55. who's there? client server

  57. Me. client server

  59. ktkx. client server

  60. SESSION COOKIES +

  61. HTTP STATELESS

  63. client

  64. client server

  65. client server knock knock. BTW it's me. ktkx.

  66. JSON Web Tokens JWT

  67. HEADER.PAYLOAD.SIGNATURE

  68. HEADER PAYLOAD SIGNATURE

  70. HEADER: {"alg": "HS256", "typ": "JWT"}

  71. PAYLOAD: {"sub": "1234567890", "name": "John Doe", "admin": true}

  72. SIGNATURE: HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

  73. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

  75. HTTP HEADERS

  76. Authorization: Bearer <token>

  77. client server

  78. POST user/login client server

  79. POST user/login creates JWT Token client server

  80. HEADER PAYLOAD SIGNATURE

  81. HEADER: {"alg": "HS256", "typ": "JWT"}

  82. PAYLOAD: {"sub": "1", "name": "João Moura", "admin": true}

  83. SIGNATURE: HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), "Th3B1gg3stS3cr3tEv3r")

  85. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

  86. client / server: POST user/login, creates JWT Token

  87. + return JWT to browser

  88. + send JWT as Header

  89. + check JWT signature

  90. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

  91. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9

  93. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9 +SECRET

  94. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9 +SECRET TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ


  96. client / server: POST user/login, creates JWT Token, return JWT to browser, send JWT as Header, check JWT signature

  97. + send response to client
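The HEADER.PAYLOAD.SIGNATURE construction and the server's "check JWT signature" step from the slides above, as an added Python example (not code from the talk, Guardian or Phoenix; Guardian does the equivalent in Elixir). It mints the talk's John Doe payload with the talk's "Th3B1gg3stS3cr3tEv3r" secret and shows the verifier rejecting a wrong secret, an edited "admin" claim and a header that names an algorithm the server did not choose; `mint`, `verify` and the test fixture `swap_payload` are names assumed here, not a library's API.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

COMPACT = (",", ":")  # no whitespace, so the encoding matches the slides' segments


def b64url(data: bytes) -> str:
    """base64UrlEncode from the slides: URL-safe alphabet with "=" padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(payload: dict, secret: str) -> str:
    """HEADER.PAYLOAD.SIGNATURE, with SIGNATURE =
    HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=COMPACT).encode()) + "." +
                     b64url(json.dumps(payload, separators=COMPACT).encode()))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify(token: str, secret: str) -> Optional[dict]:
    """Server-side "check JWT signature": return the payload only if the token is
    well formed, uses the algorithm this server expects and the HMAC matches."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64 or bad JSON
        return None
    # The server decides the algorithm; a header claiming "none" or any other alg is rejected.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode(), f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    return json.loads(b64url_decode(body_b64))


def swap_payload(token: str, new_payload: dict) -> str:
    """Negative-test fixture: keep header and signature, replace only the payload.
    A client editing its own claims looks like this; verify() must return None."""
    head_b64, _, sig_b64 = token.split(".")
    return ".".join([head_b64, b64url(json.dumps(new_payload, separators=COMPACT).encode()), sig_b64])
```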
  98. GUARD

  99. Guardian.Plug.sign_in(conn, user)

  100. def login(conn, params) do
         case User.confirm_password(params) do
           {:ok, user} ->
             conn
             |> Guardian.Plug.sign_in(user)
             |> redirect(to: "/")
           …
         end
       end

  101. pipeline :browser_auth do
         plug Guardian.Plug.VerifySession
         plug Guardian.Plug.LoadResource
       end

  102. scope "/", MyApp do
         pipe_through [:browser, :browser_auth]
         get "/home", HomeController, :homepage
       end
  103. WRAP UP

  104. 1. We have a password problem

  105. 2. We should start embracing multi-factor authentication

  106. 3. Stateless auth is a thing. JWT is worth checking.

  107. 4. There are great auth libs around Elixir!

  110. https://github.com/joaomdmoura/keeper

  115. joaomdmoura.com Learn Elixir with a Rubyist

  116. João M. D. Moura Senior Engineer at Packlane joaomdmoura.com