Json Web Token at Employment Hero

Transcript

1. JSON Web Tokens Luong Vo

2. None
3. None
4. None
5. None
6. None
7. None

8. JSON Web Token

9. What is JSON Web Tokens

10. JSON Object To transfer data between two parties digitally signed

11. Digitally signed JSON Data Signature JSON Web Token

12. Signature signing algorithm

13. RSA256

14. HSA256

15. Comparison RSA256 HSA256

16. None
17. None

18. JSON API Authentication

19. Main app Username + password Session token Auth Service Generate

    session token Save session token to database But why?

20. Main app Session token JWT Token Auth Service Generate JWT

    Query session token to check But why?

21. Main app Get/…. + JWT Token { “data”: …. }

    Auth Service Validate JWT But why?

22. Main app Get/…. + JWT Token { “data”: …. }

    Auth Service Validate JWT Microservice GRPC call But why?

23. Microservice API Call !? Oh….

24. Main app Get/…. + JWT Token { “data”: …. }

    Auth Service Validate JW T Microservice Oh….

25. External system Main app Microservice

26. None

27. Microservice API Call Should we? Auth Service authenticate

28. Microservice API Call Better! LOAD BALANCER Auth Service authenticate API

    Gateway

29. Main app Get/…. + JWT Token { “data”: …. }

    Auth Service Microservice LOAD BALANCER
30. None
31. None
32. None

33. https://github.com/Thinkei/eh-kong/blob/master/auth/handler.lua#L49

34. None

35. Why not just use JWT

36. Size User ID in JWT User id in session token

37. • Require CPU to compute cryptographic signatures • No utilisation

    of being stateless • Redundant-signing • Can be read on the client side • Must be explicitly encrypted if we wanted to • Hard revocation

38. That’s it. Thank you for your attention!