Tackling Authentication with Phoenix

Authentication is a core feature in modern apps. It has been evolving over the years and plays a huge role in a product's success. In this talk we are going to look at how to tackle this challenge with Elixir, going over its libraries and checking how to take advantage of their features in the best way possible.

João Moura

March 03, 2017

Transcript

  Slide 3:

    90% of passwords are CRACKABLE within 6 hours
    https://www.entrepreneur.com/article/242208

  Slide 5:

    65% of people use the SAME PASS everywhere
    https://www.entrepreneur.com/article/242208
  Slide 21:

    200.000,00 for a small business to fix issues post-breach
    https://www.entrepreneur.com/article/242208
  Slide 71 (token structure: HEADER . PAYLOAD . SIGNATURE):

    HEADER:  {"alg": "HS256", "typ": "JWT"}
    PAYLOAD: {"sub": "1234567890", "name": "John Doe", "admin": true}

  Slide 72 (how the signature is computed):

    SIGNATURE = HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

  Slides 82 to 84 (the same token with the talk's own values):

    HEADER:    {"alg": "HS256", "typ": "JWT"}
    PAYLOAD:   {"sub": "1", "name": "João Moura", "admin": true}
    SIGNATURE = HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), "Th3B1gg3stS3cr3tEv3r")
  Slides 89, 96 and 97 (the login flow, built up over three slides):

    client -> server: POST user/login
    server:           creates JWT token
    server -> client: return JWT to browser
    client -> server: send JWT as header
    server:           check JWT signature
    server -> client: send response to client
  Slide 100 (the Phoenix controller action that signs the user in with Guardian):

    def login(conn, params) do
      case User.confirm_password(params) do
        {:ok, user} ->
          conn
          |> Guardian.Plug.sign_in(user)
          |> redirect(to: "/")

        # … (the remaining clauses are elided on the slide)
      end
    end
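The token construction from slides 71 to 84 and the "check JWT signature" step of the login flow, as an added Elixir example that is not code from the talk or from Guardian: it assumes OTP 22.1+ for :crypto.mac/4, the module and function names (JwtHs256, sign/2, verify/2) are made up for the example, and it goes one step beyond the slides by showing the server-side verification that pins the header and compares the MAC in constant time.

```elixir
# Added example, not from the talk: the slides' HS256 token built and checked in plain
# Elixir/OTP (OTP 22.1+ for :crypto.mac/4); the payload stays the raw JSON string shown.
defmodule JwtHs256 do
  import Bitwise

  @header ~s({"alg":"HS256","typ":"JWT"})
  @encoded_header Base.url_encode64(@header, padding: false)

  # HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
  def sign(payload_json, secret) do
    signing_input = @encoded_header <> "." <> Base.url_encode64(payload_json, padding: false)
    mac = :crypto.mac(:hmac, :sha256, secret, signing_input)
    signing_input <> "." <> Base.url_encode64(mac, padding: false)
  end

  # The "check JWT signature" step of the flow: accept only the header we issue (so a
  # client-chosen "alg" is never honoured), recompute the MAC, compare in constant time.
  def verify(token, secret) do
    with [h, p, s] when h == @encoded_header <- String.split(token, "."),
         {:ok, given_mac} <- Base.url_decode64(s, padding: false),
         {:ok, payload_json} <- Base.url_decode64(p, padding: false),
         expected = :crypto.mac(:hmac, :sha256, secret, h <> "." <> p),
         true <- secure_compare(given_mac, expected) do
      {:ok, payload_json}
    else
      _ -> {:error, :invalid_token}
    end
  end

  # Byte-wise OR of XORs, so the comparison does not stop at the first mismatch.
  defp secure_compare(a, b) when byte_size(a) == byte_size(b) do
    diff =
      Enum.zip(:binary.bin_to_list(a), :binary.bin_to_list(b))
      |> Enum.reduce(0, fn {x, y}, acc -> acc ||| bxor(x, y) end)
    diff == 0
  end

  defp secure_compare(_, _), do: false
end

# Constructed values mirroring slides 82 to 84; the secret is the slide's placeholder.
secret = "Th3B1gg3stS3cr3tEv3r"
token = JwtHs256.sign(~s({"sub":"1","name":"João Moura","admin":true}), secret)
{:ok, _payload} = JwtHs256.verify(token, secret)

# A payload edited on the client side keeps the old signature and is rejected.
[h, _p, s] = String.split(token, ".")
forged = h <> "." <> Base.url_encode64(~s({"sub":"1","admin":false}), padding: false) <> "." <> s
{:error, :invalid_token} = JwtHs256.verify(forged, secret)
```

In a Phoenix app this is what Guardian does for you behind Guardian.Plug.sign_in and its verification plugs; the point of writing it out is to see why the secret and the pinned algorithm are what keep the "admin" claim trustworthy.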