JWT: Cookie-Free Authentication

A short introduction to JSON Web Tokens.

#javascript #jwt #tokens #authentication #api #meetjsktw #meetjs

meet.js Katowice & Women in Technology meeting, April 10, 2015

License: CC Attribution-NonCommercial License

Jakub Synowiec

April 10, 2015

Transcript

  1. Server-side authentication

     There are two common ways to perform server-side authentication:
     • Cookie-based,
     • Token-based.
  2. Cookie-Based Authentication

     Browser -> Server:  POST /authenticate  (username=…&password=…)
     Server:             newSession() -> session=…  (stored in the session registry)
     Server -> Browser:  HTTP 200 OK  Set-Cookie: session=…
     Browser -> Server:  GET /api/v1/messages  Cookie: session=…
     Server:             findSession(…) in the session registry -> session=…
     Server -> Browser:  HTTP 200 OK  { messages: […] }
  3. Drawbacks of Cookie-Based Authentication

     • Hard to scale,
     • Performance bottlenecks (every request needs a session-registry lookup),
     • Requires state (session) persistence,
     • Troublesome Cross-Origin Resource Sharing (CORS),
     • Vulnerable to CSRF attacks (the browser attaches the session cookie to every request to the site, including requests triggered from other origins),
     • „Hacky” implementations in MV* frameworks.
  4. Token-Based Authentication

     Browser -> Server:  POST /authenticate  (username=…&password=…)
     Server:             Generate token
     Server -> Browser:  HTTP 200 OK  { token: "eyJhbGciOiJI…" }
     Browser -> Server:  GET /api/v1/messages  Authorization: Bearer eyJhbGciOiJI…
     Server:             Validate token (no server-side session state)
     Server -> Browser:  HTTP 200 OK  { messages: […] }
  5. Advantages of Token-Based Authentication

     • Easier to scale,
     • Stateless (the server keeps no session registry),
     • Secure against CSRF (the browser never attaches the Authorization header on its own; the client's code has to send it),
     • Performant (validating a token needs no storage lookup),
     • Cross-Origin Resource Sharing (CORS) works without cookie restrictions.
  6. JWT: JSON Web Tokens

     The suggested pronunciation of JWT is the same as the English word "jot".
  7. JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JavaScript Object Notation (JSON) object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or MACed and/or encrypted.

     IETF JWT draft 32*
     * https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32
  8. JWT are inspired by SWT

     The format and structure are inspired by Simple Web Tokens (SWT) and by ideas for JSON tokens that Dick Hardt discussed within the OpenID community in 2009.
  9. JWT Token

     Header:
       base64UrlEncode({ "alg": "HS256", "typ": "JWT" })

     Payload:
       base64UrlEncode({ "iss": "meetjs:abc123", "iat": 1428567860, "exp": 1428567870, "sub": "john.doe@me.com", "acc": "r" })

     Signature:
       HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), superSafeSecret)

     JWT Token (header.payload.signature, joined with dots):
       eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJtZWV0anM6YWJjMTIzIiwiaWF0IjoxNDI4NTY3ODYwLCJleHAiOjE0Mjg1Njc4NzAsInN1YiI6ImpvaG4uZG9lQG1lLmNvbSIsImFjYyI6InIifQ.BCGWaJvImUk6rzUGF3jT91JqxSrceFCl2KPXumx2-Ps
  10. JWT Token Claims: Registered Claims*

      Claim  Type                Description
      iss    String              The issuer of the token. Can be used to identify the service that issued the token.
      sub    String              The subject of the token, i.e. the consumer associated with the relevant action.
      aud    String or String[]  The audience of the token. Can be used to identify the recipients the token is intended for.
      iat    Long                Issued-at time: the UTC Unix timestamp at which the token was issued.
      exp    Long                Expiration time: the UTC Unix timestamp on or after which the token must no longer be accepted. Should be later than the issued-at time.
      nbf    Long                Not-before time: the UTC Unix timestamp before which the token should not be accepted.
      jti    String              The unique identifier of the token.

      * https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-4
  11. JWT Token Payload

      You can add as many custom claims as you want, but you should watch for:
      • token length,
      • sensitive data: the payload is only base64url-encoded, not encrypted, so anyone who holds the token can read every claim in it.
  12. JWT Token Signature

      BCGWaJvImUk6rzUGF3jT91JqxSrceFCl2KPXumx2-Ps

      HMACSHA256(
        base64UrlEncode(header) + "." + base64UrlEncode(payload),
        superSafeSecret
      )

      The signature can be computed using an algorithm specified in JWA (JSON Web Algorithms)*, such as:
      • HMAC SHA-256,
      • RSASSA-PKCS-v1_5 SHA-256,
      • etc.

      * https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-40#section-3
  13. JWT Libraries

      Language    Library
      JavaScript  • node-jwt-simple • express-jwt • angular-jwt • socketio-jwt
      Ruby        • ruby-jwt
      Java        • java-jwt
      Python      • flask-jwt • pyjwt
      PHP         • LexikJWTAuthenticationBundle • jwt-auth
      Go          • jwt-go
  14. How to use JWT securely

      • Sign your tokens with a strong key that is available only to the authentication service,
      • Rotate your keys frequently,
      • Keep expiration times reasonably short,
      • The server must verify that the token was signed with your secret key, using the algorithm you expect rather than whatever the token's own "alg" header names,
      • Use the tokens to fetch the data, not to store it,
      • Encrypt your tokens if you have to put sensitive, non-opaque information in them (the payload is readable by anyone holding the token),
      • Use a custom claim that prevents URL tampering, e.g. a URL hash,
      • Watch for XSS: a token kept in the browser can be read by any injected script,
      • Never transmit tokens over a non-HTTPS connection.
  15. Where to now?

      • Examples:
        • https://github.com/auth0/angular-token-auth
        • https://github.com/auth0/react-flux-jwt-authentication-sample
        • https://github.com/auth0/nodejs-jwt-authentication-sample
      • JWT Debugger - http://jwt.io
      • IETF JWT draft - https://tools.ietf.org/html/draft-ietf-oauth-json-web-token
      • Auth0 Blog - https://auth0.com/blog