Upgrade to Pro — share decks privately, control downloads, hide ads and more …

OAuth2 & JWT – A token-based approach

Kiko Beats
December 17, 2014
Programming
4
2.5k

OAuth2 & JWT – A token-based approach

A little talk about how JWT and OAuth2 works @ University of Murcia (Spain)

Kiko Beats

December 17, 2014
Tweet

More Decks by Kiko Beats

See All by Kiko Beats
How to Write More Clearly, Think More Clearly, and Learn Complex Material More Easily
kikobeats
0
54
Bumped: Improving software release process
kikobeats
0
32
MVP in 30 days – Lessons Learned
kikobeats
0
120
Short introduction to TDD
kikobeats
0
81
What The Faq is Component Driven Development
kikobeats
0
550
Sailor - Components in the backend
kikobeats
1
520
Road to WIN – RTanque
kikobeats
0
140

Other Decks in Programming

See All in Programming
PHPはいつから死んでいるかの調査
chiroruxx
1
400
CA.swift19 恋するAIアプリ開発の裏側
oskmr
0
360
Apache Hive 4 on Treasure Data
ryukobayashi
0
330
Behind VS Code Extensions for JavaScript / TypeScript Linnting and Formatting
unvalley
5
920
Node.js v22 で変わること
yosuke_furukawa
PRO
9
3.4k
0→1と1→10の狭間で Javaという技術選定を振り返る/Reflecting on the Decision to Choose Java Between Scaling from 0 to 1 and 1 to 10
jaguar_imo
2
380
Rethinking UI building strategies @ SFI 2024
letelete
0
270
try! Swift Tokyo 2024 参加報告 / try! Swift Tokyo 2024 Report
hironytic
0
210
[技育CAMPアカデミア]アイディアを形に!【超入門】スマホアプリ開発〜リリースまでの流れをご紹介
teamlab
PRO
0
380
Blue/Greenデプロイの導入による 運用フローの改善
kudoas
1
380
DMMプラットフォームがTiDB Cloudを採用した背景
pospome
8
4.1k
What We Can Learn From OSS
inouehi
0
420

Featured

See All Featured
Infographics Made Easy
chrislema
238
18k
Into the Great Unknown - MozCon
thekraken
10
990
Navigating Team Friction
lara
178
13k
RailsConf 2023
tenderlove
4
540
Visualization
eitanlees
136
14k
The MySQL Ecosystem @ GitHub 2015
samlambert
243
12k
Adopting Sorbet at Scale
ufuk
68
8.6k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
17
6.4k
How To Stay Up To Date on Web Technology
chriscoyier
782
250k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
78
42k
Happy Clients
brianwarren
92
6.4k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
40
4.4k

Transcript

  1. OAuth2 & JWT Authentication and Authorization protocols based on tokens

  2. @kikobeats say ‘hello’!

  3. BUT FIRST Basic concepts

  4. who are you Authentication anonymous user? registered user? admin user?

  5. what you are authorized to do Authorization

  6. ON THE OTHER HAND complementary concepts

  7. HTTP as REST protocol typical API design, but does it

    mean?

  8. REpresentational State Transfer RESTful is typically used to refer to

    web services implementing such an architecture.

  9. REST philosophy allows you to create compatible services with any

    device or client that supports HTTP protocol.

  10. REST typically uses JSON in data format

  11. The most important REST features are: • Stateless • Uniform

    • Based on status codes • Cacheable what is the mean of stateless?

  12. The client has the responsibility to identify the request. The

    petitions don’t have state. Why? Scalability.

  13. The cookies are used typically for storing and sharing the

    sessions.

  14. REST + Cookies

  15. The problem is that cookies have a lot of security

    and privacy problems: • Hijacking • Third-party cookies • XSS attacks • Cross-site request forgery (CSRF)

  16. A better approach Token-based Authentication JSON Web Tokens (JWT)

  17. JSON Web Token (JWT) is a compact URL-safe means of

    representing claims to be transferred between two parties. The claims in a JWT are encoded (base64) as a JSON object that is digitally signed using JSON Web Signature (JWS). At this moment there is a group working in creating a standard (draft 32).

  18. JWT.io Example

  19. REST + JWT

  20. Benefits of JWT approach: • Mobile ready • CORS •

    Performance • More control • Definitely less security problems...

  21. The token must be stored somewhere. A good place would

    be in a free domain cookie. but DON’T send the cookie: sent the value inside the cookie!

  22. What about OAuth2?

  23. OAuth2 is an authorization architecture that enables applications to obtain

    limited access to user accounts on an HTTP service, such as Facebook, Twitter, GitHub.... It works by delegating user authentication to the service that hosts the user account, and authorizing third-party applications to access the user account. OAuth2 provides authorization flows for web and desktop applications, and mobile devices without sharing their credentials.

  24. OAuth2 follows a token approach but in the authorization flow.

  25. None

  26. Is better JWT than Cookies approach? Probably is the same.

    If you have a cookies approach without securities problems and following good practices, you are in the right way. JWT is the natural evolution of cookies and fix some issues from the beginning. We are searching security and control.

  27. References • JSON Web Token Standard Draft • 10 Things

    You Should Know about Tokens – Auth0 • Cookies vs Tokens. Getting auth right with Angular.JS – Auth0 • Using JSON Web Tokens as API Keys – Auth0 • JWT.io, a JWT playground