OAuth2 & JWT – A token-based approach

Transcript

1. OAuth2 & JWT Authentication and Authorization protocols based on tokens

2. @kikobeats say ‘hello’!

3. BUT FIRST Basic concepts

4. who are you Authentication anonymous user? registered user? admin user?

5. what you are authorized to do Authorization

6. ON THE OTHER HAND complementary concepts

7. HTTP as REST protocol typical API design, but does it

   mean?

8. REpresentational State Transfer RESTful is typically used to refer to

   web services implementing such an architecture.

9. REST philosophy allows you to create compatible services with any

   device or client that supports HTTP protocol.

10. REST typically uses JSON in data format

11. The most important REST features are: • Stateless • Uniform

    • Based on status codes • Cacheable what is the mean of stateless?

12. The client has the responsibility to identify the request. The

    petitions don’t have state. Why? Scalability.

13. The cookies are used typically for storing and sharing the

    sessions.

14. REST + Cookies

15. The problem is that cookies have a lot of security

    and privacy problems: • Hijacking • Third-party cookies • XSS attacks • Cross-site request forgery (CSRF)

16. A better approach Token-based Authentication JSON Web Tokens (JWT)

17. JSON Web Token (JWT) is a compact URL-safe means of

    representing claims to be transferred between two parties. The claims in a JWT are encoded (base64) as a JSON object that is digitally signed using JSON Web Signature (JWS). At this moment there is a group working in creating a standard (draft 32).

18. JWT.io Example

19. REST + JWT

20. Benefits of JWT approach: • Mobile ready • CORS •

    Performance • More control • Definitely less security problems...

21. The token must be stored somewhere. A good place would

    be in a free domain cookie. but DON’T send the cookie: sent the value inside the cookie!

22. What about OAuth2?

23. OAuth2 is an authorization architecture that enables applications to obtain

    limited access to user accounts on an HTTP service, such as Facebook, Twitter, GitHub.... It works by delegating user authentication to the service that hosts the user account, and authorizing third-party applications to access the user account. OAuth2 provides authorization flows for web and desktop applications, and mobile devices without sharing their credentials.

24. OAuth2 follows a token approach but in the authorization flow.

25. None

26. Is better JWT than Cookies approach? Probably is the same.

    If you have a cookies approach without securities problems and following good practices, you are in the right way. JWT is the natural evolution of cookies and fix some issues from the beginning. We are searching security and control.

27. References • JSON Web Token Standard Draft • 10 Things

    You Should Know about Tokens – Auth0 • Cookies vs Tokens. Getting auth right with Angular.JS – Auth0 • Using JSON Web Tokens as API Keys – Auth0 • JWT.io, a JWT playground