Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Tackling Authentication with Phoenix

João Moura
March 03, 2017
Programming
2
430

Tackling Authentication with Phoenix

Authentication is a core feature in modern apps. It’s evolving across the years, playing a huge rule on a product success. In this talk we are gonna check how to tackle this challenge with elixir, going over it’s libraries checking how to take advantage of it’s features on the best way as possible

João Moura

March 03, 2017
Tweet

More Decks by João Moura

See All by João Moura
State Machines in Elixir
joaomdmoura
0
290
Spreading my love for Elixir and State Machines
joaomdmoura
0
44
Unboxing Data Science (Short Verison)
joaomdmoura
0
76
Elixir a Language for the Future
joaomdmoura
0
83
Desenvolvendo Produtos além das Metodologias Ágeis
joaomdmoura
1
54
Graph Theory Behind Immutable JS
joaomdmoura
0
370
E agora mobile?
joaomdmoura
0
60
(short version) Elixir By A Rubyist
joaomdmoura
0
180
Elixir by a Rubyist
joaomdmoura
5
380

Other Decks in Programming

See All in Programming
Ruby Pattern Matching
bkuhlmann
0
930
Kotlin Multiplatform at Stable and Beyond (Android Makers 2024)
zsmb
0
470
CREってこういうこと? 体験入社 - 提案資料 - / what-is-cre-trial-employment
shinden
1
510
R言語の環境構築と基礎 Tokyo.R 112
bob3bob3
0
280
初心者のためのRubyKaigi入門/RubyKaigi Introduction
a_matsuda
10
1.4k
if constexpr文はテンプレート世界のラムダ式である
faithandbrave
3
670
Deep Dive into React Stream/Serialize
mugi_uno
3
660
#phpcon_odawara オープン・クローズドなテストフィクスチャを求めて / open closed test fixtures
77web
3
240
Scalable Customer Journey Orchestration (CJO)
lewuathe
0
420
MetricKitで予期せぬ終了を検知する話 / Detect unexpected termination with MetricKit
nekowen
1
200
DMMプラットフォームがTiDB Cloudを採用した背景
pospome
9
4.2k
Komplexe Oberflächen mit SVG und der Web Animation API
joergneumann
0
680

Featured

See All Featured
Raft: Consensus for Rubyists
vanstee
133
6.3k
For a Future-Friendly Web
brad_frost
172
9k
Building Better People: How to give real-time feedback that sticks.
wjessup
356
18k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
20
1.8k
Building Your Own Lightsaber
phodgson
100
5.7k
5 minutes of I Can Smell Your CMS
philhawksworth
199
19k
It's Worth the Effort
3n
180
27k
Designing Dashboards & Data Visualisations in Web Apps
destraynor
226
51k
Writing Fast Ruby
sferik
622
60k
Why You Should Never Use an ORM
jnunemaker
PRO
51
8.7k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
188
16k
A Tale of Four Properties
chriscoyier
152
22k

Transcript

  1. TACKLING AUTHENTICATION TACKLING AUTHENTICATION TACKLING AUTHENTICATION with Phoenix

  2. https://www.entrepreneur.com/article/242208

  3. 90% of passwords are CRACKABLE within 6 hours 90% 90%

    https://www.entrepreneur.com/article/242208

  4. 90% FREAKING

  5. 65% of people use the SAME PASS everywhere 65% 65%

    https://www.entrepreneur.com/article/242208
  6. None

  7. 初⼼心

  8. BEGGINERS mind

  9. None
  10. None

  11. BEGGINERS mind

  12. None
  13. None
  14. None
  15. None
  16. None
  17. None
  18. None
  19. None

  20. https://www.entrepreneur.com/article/242208

  21. 200.000,00 for a small business to fix issues post-breach 200.000,00

    200.000,00 https://www.entrepreneur.com/article/242208

  22. João M. D. Moura Senior Engineer at Packlane @joaomdmoura

  23. TACKLING AUTHENTICATION TACKLING AUTHENTICATION TACKLING AUTHENTICATION with Phoenix

  24. TACKLING AUTHENTICATION TACKLING AUTHENTICATION TACKLING AUTHENTICATION with Phoenix USABILITY

  25. TACKLING AUTHENTICATION TACKLING AUTHENTICATION TACKLING AUTHENTICATION with Phoenix USABILITY DELEGATE

  26. TACKLING AUTHENTICATION TACKLING AUTHENTICATION TACKLING AUTHENTICATION with Phoenix USABILITY DELEGATE

    SSO

  27. TACKLING AUTHENTICATION TACKLING AUTHENTICATION TACKLING AUTHENTICATION with Phoenix USABILITY DELEGATE

    SSO MICRO SERVICE

  28. AUTHENTICATION AUTHORIZATION X

  29. AUTHENTICATION

  30. SOMETHING YOU KNOW

  31. SOMETHING YOU KNOW

  32. COHERENCE COHERENCE COHERENCE

  33. mix coherence.install --full

  34. ÜBERAUTH ÜBERAUTH ÜBERAUTH

  35. REQUEST

  36. CALLBACK

  37. CALLBACK STRATEGIES }

  38. }

  39. }

  40. a.k.a. magic login links SOMETHING YOU HAVE

  41. a.k.a. magic login links SOMETHING YOU HAVE

  42. POT POT POT

  43. Secret + Time = 123456

  44. secret = "S3CR3T" token = :pot.totp(secret)

  45. secret = "S3CR3T" token = "123456" is_valid = :pot.valid_totp(token, secret)

  46. MULTI-FACTOR authentication

  47. MULTI-FACTOR authentication …or getting away with a shitty password

  48. MULTI-FACTOR authentication …or getting away with a shitty password

  49. AUTHORIZATION

  50. None
  51. None
  52. None

  53. knock knock client server

  54. None

  55. who's there? client server

  56. None

  57. Me. client server

  58. None

  59. ktkx. client server

  60. SESSION COOKIES +

  61. HTTP STATELESS

  62. None

  63. client

  64. client server

  65. client server knock knock. BTW it’s me. ktkx.

  66. JSON Web Tokens JWT

  67. HEADER.PAYLOAD.SIGNATURE

  68. HEADER PAYLOAD SIGNATURE } } }

  69. HEADER PAYLOAD SIGNATURE } } }

  70. HEADER PAYLOAD SIGNATURE } } } {"alg": "HS256", "typ": "JWT"}

  71. HEADER PAYLOAD SIGNATURE } } } {"alg": "HS256", "typ": "JWT"}

    {"sub": "1234567890", "name": "John Doe", "admin": true}

  72. HEADER PAYLOAD SIGNATURE } } } {"alg": "HS256", "typ": "JWT"}

    {"sub": "1234567890", "name": "John Doe", "admin": true} HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

  73. eyJhbGciOiJIUzI1NiIsInR5cCI6 IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwi bmFtZSI6IkpvaG4gRG9lIiwiYWRt aW4iOnRydWV9. TJVA95OrM7E2cBab30RMHrHDcEfx joYZgeFONFh7HgQ

  74. eyJhbGciOiJIUzI1NiIsInR5cCI6 IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwi bmFtZSI6IkpvaG4gRG9lIiwiYWRt aW4iOnRydWV9. TJVA95OrM7E2cBab30RMHrHDcEfx joYZgeFONFh7HgQ

  75. HTTP HEADERS

  76. Authorization: Bearer <token>

  77. client server

  78. POST user/login client server

  79. POST user/login creates JWT Token client server

  80. HEADER PAYLOAD SIGNATURE } } }

  81. HEADER PAYLOAD SIGNATURE } } } {"alg": "HS256", "typ": "JWT"}

  82. HEADER PAYLOAD SIGNATURE } } } {"alg": "HS256", "typ": "JWT"}

    {"sub": "1", "name": “João Moura", "admin": true}

  83. HEADER PAYLOAD SIGNATURE } } } {"alg": "HS256", "typ": "JWT"}

    {"sub": "1", "name": “João Moura", "admin": true} HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), “Th3B1gg3stS3cr3tEv3r”)

  84. HEADER PAYLOAD SIGNATURE } } } {"alg": "HS256", "typ": "JWT"}

    {"sub": "1", "name": “João Moura", "admin": true} HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), “Th3B1gg3stS3cr3tEv3r”)

  85. eyJhbGciOiJIUzI1NiIsInR5cCI6 IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwi bmFtZSI6IkpvaG4gRG9lIiwiYWRt aW4iOnRydWV9. TJVA95OrM7E2cBab30RMHrHDcEfx joYZgeFONFh7HgQ

  86. POST user/login creates JWT Token client server

  87. POST user/login creates JWT Token return JWT to browser client

    server

  88. POST user/login creates JWT Token return JWT to browser send

    JWT as Header client server

  89. POST user/login creates JWT Token return JWT to browser send

    JWT as Header check JWT signature client server

  90. eyJhbGciOiJIUzI1NiIsInR5cCI6 IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwi bmFtZSI6IkpvaG4gRG9lIiwiYWRt aW4iOnRydWV9. TJVA95OrM7E2cBab30RMHrHDcEfx joYZgeFONFh7HgQ

  91. eyJhbGciOiJIUzI1NiIsInR5cCI6 IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwi bmFtZSI6IkpvaG4gRG9lIiwiYWRt aW4iOnRydWV9

  92. eyJhbGciOiJIUzI1NiIsInR5cCI6 IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwi bmFtZSI6IkpvaG4gRG9lIiwiYWRt aW4iOnRydWV9

  93. eyJhbGciOiJIUzI1NiIsInR5cCI6 IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwi bmFtZSI6IkpvaG4gRG9lIiwiYWRt aW4iOnRydWV9 +SECRET

  94. eyJhbGciOiJIUzI1NiIsInR5cCI6 IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwi bmFtZSI6IkpvaG4gRG9lIiwiYWRt aW4iOnRydWV9 +SECRET TJVA95OrM7E2cBab30RMHrHDcEfx joYZgeFONFh7HgQ

  95. eyJhbGciOiJIUzI1NiIsInR5cCI6 IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwi bmFtZSI6IkpvaG4gRG9lIiwiYWRt aW4iOnRydWV9 +SECRET TJVA95OrM7E2cBab30RMHrHDcEfx joYZgeFONFh7HgQ

  96. client server POST user/login creates JWT Token return JWT to

    browser send JWT as Header check JWT signature

  97. client server POST user/login creates JWT Token return JWT to

    browser send JWT as Header check JWT signature send response to client

  98. GUARD GUARD GUARD

  99. Guardian.Plug.sign_in(conn, user)

  100. def login(conn, params) do case User.confirm_password(params) do {:ok, user} ->

    conn |> Guardian.Plug.sign_in(user) |> redirect(to: "/") … end end

  101. pipeline :browser_auth do plug Guardian.Plug.VerifySession plug Guardian.Plug.LoadResource end

  102. scope "/", MyApp do pipe_through [:browser, :browser_auth] get ”/home”, HomeController,

    :homepage end

  103. WRAP UP

  104. 1.We have a password problem

  105. 2.We should start embracing multi-factor authentication

  106. 3.Stateless auth is a thing. JWT is worth checking.

  107. 4. There are great auth libs around elixir!

  108. None
  109. None

  110. https://github.com/joaomdmoura/keeper

  111. None
  112. None
  113. None
  114. None

  115. joaomdmoura.com Learn Elixir with a Rubyist

  116. João M. D. Moura Senior Engineer at Packlane joaomdmoura.com