Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Make your SPA a maximum security prison - ConFoo Version

Martin Gontovnikas
February 18, 2015
Technology
2
350

Make your SPA a maximum security prison - ConFoo Version

Martin Gontovnikas

February 18, 2015
Tweet

More Decks by Martin Gontovnikas

See All by Martin Gontovnikas
Intro to JWT
mgonto
1
1.3k
Death To Cookies: Long Live JSON Web Tokens
mgonto
0
910
Make your SPA a maximum security prison
mgonto
2
3.2k
Models and Rest APIs on AngularJS with Restangular
mgonto
5
6.3k
Reactive Angular
mgonto
11
2.3k

Other Decks in Technology

See All in Technology
AIQ株式会社 エンジニア向け会社紹介資料
aiqlab
0
370
4年前、あるじゃん老害エンジニアLT合戦に登壇、米国西海岸コンピュータ歴史博物館体験記の続編
toshi_atsumi
0
190
疲弊しない!AWSセキュリティ統制の考え方 #devio_osakaday1
masahirokawahara
6
5.9k
元インフラエンジニアに成る / Human Resources to Human Relations
bobtani
3
770
Vertex AI を中心に 生成AIのアップデートを共有します
kaz1437
0
120
日本におけるデータエンジニアリングのこれまでとこれから
foursue
10
2.2k
Four keys改善の取り組み事例紹介
sansantech
PRO
3
230
DevOpsDays History and my DevOps story
kawaguti
PRO
8
1.5k
ChatGPT for IT Service Management (IT Pro)
dahatake
2
120
コードを書く隙間を見つけて生きていく技術/Findy 思考の現在地
fujiwara3
24
5k
自動生成を活用した、運用保守コストを抑える Error/Alert/Runbook の一元集約管理 / Centralized management of Error/Alert/Runbook to minimize operational costs using automated code generation
biwashi
9
2.1k
HEXA OSINT CTF V3 作戦会議
meow_noisy
0
110

Featured

See All Featured
Reflections from 52 weeks, 52 projects
jeffersonlam
344
19k
Intergalactic Javascript Robots from Outer Space
tanoku
266
26k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
154
14k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
76
41k
Fashionably flexible responsive web design (full day workshop)
malarkey
397
65k
Building an army of robots
kneath
300
41k
Large-scale JavaScript Application Architecture
addyosmani
503
110k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
352
28k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
18
1.7k
[RailsConf 2023] Rails as a piece of cake
palkan
22
3.9k
How GitHub Uses GitHub to Build GitHub
holman
468
290k
How STYLIGHT went responsive
nonsquared
92
4.8k

Transcript

  1. Make your SPA a maximum security prison

  2. @mgonto Dev Advocate Auth0

  3. Identity made simple for developers

  4. None

  5. Client Database 1990’s Client Server Life was easy

  6. Client Database auth 1990’s Client Server Life was easy

  7. Client Database auth persistent connection 1990’s Client Server Life was

    easy

  8. Workstation Browser Database 2000’s Intranet Life inside corp

  9. Workstation Browser Database 2000’s Intranet Active Directory Life inside corp

  10. Workstation Browser Database auth 2000’s Intranet Active Directory Life inside

    corp

  11. Workstation Browser Database auth 2000’s Intranet Active Directory kerberos token

    Life inside corp

  12. Workstation Browser Database auth 2000’s Intranet Web Server Active Directory

    kerberos token Life inside corp

  13. Workstation Browser Database auth 2000’s Intranet Web Server Active Directory

    kerberos token Life inside corp

  14. Workstation Browser Database auth 2000’s Intranet Web Server Active Directory

    kerberos token Life inside corp

  15. Workstation Browser Database auth 2000’s Intranet Web Server Active Directory

    kerberos token Life inside corp

  16. Workstation Browser Database Internet Web Server auth C C E-commerce

  17. Browser Server

  18. Browser Server 1. POST /users/login with username and password

  19. Browser Server 1. POST /users/login with username and password 2.

    Creates a User session

  20. Browser Server 1. POST /users/login with username and password 2.

    Creates a User session 3. Returns a logged in cookie to the browser

  21. Browser Server 1. POST /users/login with username and password 2.

    Creates a User session 3. Returns a logged in cookie to the browser 4. Do an authenticated request. Sends the cookie.

  22. Browser Server 1. POST /users/login with username and password 2.

    Creates a User session 3. Returns a logged in cookie to the browser 4. Do an authenticated request. Sends the cookie. 5. Check the session based on the cookie and authenticate the user

  23. Browser Server 1. POST /users/login with username and password 2.

    Creates a User session 3. Returns a logged in cookie to the browser 4. Do an authenticated request. Sends the cookie. 5. Check the session based on the cookie and authenticate the user 6. Sends response to the client

  24. Browser Database Today’s applications Web Server (Scala) API (Ruby) API

    (Node) Phones Tablets Realtime (Sockets) API (Facebook) C M A A A AT

  25. Cookie-based auth is a sub- optimal solution for today’s systems

  26. Cookies don’t play well with CORS and different domains 1

  27. Cookie-based auth keep state in server side session (mongo, redis,

    etc.)* 2 *default config. Cookie only is possible (Play, Rails)

  28. Cookies are coupled to the web framework If you try

    to reuse a cookie issued by Java in Node, not easy 3

  29. APIs don’t use cookies 4

  30. Cookies don’t play well with native apps 5

  31. Cookies lead to CSRF attacks <iframe  style="display:none"  name="hidden"></iframe>   <form

     name="csrf"                action=“http://bank.com/account/edit"                method="post"                target="hidden">   <input  type="hidden"  name="email"  value="[email protected]"  />   <script>document.csrf.submit();</script> 6

  32. … and other security issues 7 https://github.com/blog/1466-yummy-cookies-across-domains http://arstechnica.com/business/2010/09/evercookie-escalates-the-zombie-cookie-war-by-raising-awareness/

  33. Cookies can’t be used for delegated authentication (identity does not

    flow) 8

  34. A better approach

  35. A better approach Token-based Authentication

  36. A better approach Token-based Authentication JSON Web Tokens

  37. Browser Server

  38. Browser Server 1. POST /users/login with username and password

  39. Browser Server 1. POST /users/login with username and password 2.

    Creates a token and saves it in the User table

  40. Browser Server 1. POST /users/login with username and password 2.

    Creates a token and saves it in the User table 3. Returns the Token to the Browser

  41. Browser Server 1. POST /users/login with username and password 2.

    Creates a token and saves it in the User table 3. Returns the Token to the Browser 4. Sends the Token on the Authorization Header.

  42. Browser Server 1. POST /users/login with username and password 2.

    Creates a token and saves it in the User table 3. Returns the Token to the Browser 4. Sends the Token on the Authorization Header. 5. Query user DB for a user with this token. Authenticate user

  43. Browser Server 1. POST /users/login with username and password 2.

    Creates a token and saves it in the User table 3. Returns the Token to the Browser 4. Sends the Token on the Authorization Header. 5. Query user DB for a user with this token. Authenticate user 6. Sends response to the client

  44. How it works?

  45. Browser Server

  46. Browser Server 1. POST /users/login with username and password

  47. Browser Server 1. POST /users/login with username and password 2.

    Creates a JWT with a secret

  48. Browser Server 1. POST /users/login with username and password 2.

    Creates a JWT with a secret 3. Returns the JWT to the Browser

  49. Browser Server 1. POST /users/login with username and password 2.

    Creates a JWT with a secret 3. Returns the JWT to the Browser 4. Sends the JWT on the Authorization Header.

  50. Browser Server 1. POST /users/login with username and password 2.

    Creates a JWT with a secret 3. Returns the JWT to the Browser 4. Sends the JWT on the Authorization Header. 5. Check JWT signature. Get user information from the JWT.

  51. Browser Server 1. POST /users/login with username and password 2.

    Creates a JWT with a secret 3. Returns the JWT to the Browser 4. Sends the JWT on the Authorization Header. 5. Check JWT signature. Get user information from the JWT. 6. Sends response to the client

  52. Tokens must be stored somewhere in the client 1

  53. Tokens can expire like cookies, but you have more control

    2

  54. Token expires, deal with refresh

  55. CORS Preflight requests shouldn’t check the Authorization header. 3

  56. When you need to stream something, use the token to

    get a signed request 4

  57. Try token-based authentication in your next project

  58. auth0/angularjs-jwt-authentication-tutorial See an example!

  59. Thanks! @mgonto

  60. Appendix

  61. Confidential info, encrypt it

  62. Social auth

  63. Tokens can get big Don’t over engineer Don’t do fine

    grained permissions Define scopes

  64. How to deal with protected images? https://github.com/hueniverse/hawk#single-uri-authorization Create signed requests

    (single URI authorization)