Make your SPA a maximum security prison - ConFoo Version

Transcript

1. Make your SPA a maximum security prison

2. @mgonto Dev Advocate Auth0

3. Identity made simple for developers

4. None

5. Client Database 1990’s Client Server Life was easy

6. Client Database auth 1990’s Client Server Life was easy

7. Client Database auth persistent connection 1990’s Client Server Life was

   easy

8. Workstation Browser Database 2000’s Intranet Life inside corp

9. Workstation Browser Database 2000’s Intranet Active Directory Life inside corp

10. Workstation Browser Database auth 2000’s Intranet Active Directory Life inside

    corp

11. Workstation Browser Database auth 2000’s Intranet Active Directory kerberos token

    Life inside corp

12. Workstation Browser Database auth 2000’s Intranet Web Server Active Directory

    kerberos token Life inside corp

13. Workstation Browser Database auth 2000’s Intranet Web Server Active Directory

    kerberos token Life inside corp

14. Workstation Browser Database auth 2000’s Intranet Web Server Active Directory

    kerberos token Life inside corp

15. Workstation Browser Database auth 2000’s Intranet Web Server Active Directory

    kerberos token Life inside corp

16. Workstation Browser Database Internet Web Server auth C C E-commerce

17. Browser Server

18. Browser Server 1. POST /users/login with username and password

19. Browser Server 1. POST /users/login with username and password 2.

    Creates a User session

20. Browser Server 1. POST /users/login with username and password 2.

    Creates a User session 3. Returns a logged in cookie to the browser

21. Browser Server 1. POST /users/login with username and password 2.

    Creates a User session 3. Returns a logged in cookie to the browser 4. Do an authenticated request. Sends the cookie.

22. Browser Server 1. POST /users/login with username and password 2.

    Creates a User session 3. Returns a logged in cookie to the browser 4. Do an authenticated request. Sends the cookie. 5. Check the session based on the cookie and authenticate the user

23. Browser Server 1. POST /users/login with username and password 2.

    Creates a User session 3. Returns a logged in cookie to the browser 4. Do an authenticated request. Sends the cookie. 5. Check the session based on the cookie and authenticate the user 6. Sends response to the client

24. Browser Database Today’s applications Web Server (Scala) API (Ruby) API

    (Node) Phones Tablets Realtime (Sockets) API (Facebook) C M A A A AT

25. Cookie-based auth is a sub- optimal solution for today’s systems

26. Cookies don’t play well with CORS and different domains 1

27. Cookie-based auth keep state in server side session (mongo, redis,

    etc.)* 2 *default config. Cookie only is possible (Play, Rails)

28. Cookies are coupled to the web framework If you try

    to reuse a cookie issued by Java in Node, not easy 3

29. APIs don’t use cookies 4

30. Cookies don’t play well with native apps 5

31. Cookies lead to CSRF attacks <iframe  style="display:none"  name="hidden"></iframe>   <form

     name="csrf"                action=“http://bank.com/account/edit"                method="post"                target="hidden">   <input  type="hidden"  name="email"  value="[email protected]"  />   <script>document.csrf.submit();</script> 6

32. … and other security issues 7 https://github.com/blog/1466-yummy-cookies-across-domains http://arstechnica.com/business/2010/09/evercookie-escalates-the-zombie-cookie-war-by-raising-awareness/

33. Cookies can’t be used for delegated authentication (identity does not

    flow) 8

34. A better approach

35. A better approach Token-based Authentication

36. A better approach Token-based Authentication JSON Web Tokens

37. Browser Server

38. Browser Server 1. POST /users/login with username and password

39. Browser Server 1. POST /users/login with username and password 2.

    Creates a token and saves it in the User table

40. Browser Server 1. POST /users/login with username and password 2.

    Creates a token and saves it in the User table 3. Returns the Token to the Browser

41. Browser Server 1. POST /users/login with username and password 2.

    Creates a token and saves it in the User table 3. Returns the Token to the Browser 4. Sends the Token on the Authorization Header.

42. Browser Server 1. POST /users/login with username and password 2.

    Creates a token and saves it in the User table 3. Returns the Token to the Browser 4. Sends the Token on the Authorization Header. 5. Query user DB for a user with this token. Authenticate user

43. Browser Server 1. POST /users/login with username and password 2.

    Creates a token and saves it in the User table 3. Returns the Token to the Browser 4. Sends the Token on the Authorization Header. 5. Query user DB for a user with this token. Authenticate user 6. Sends response to the client

44. How it works?

45. Browser Server

46. Browser Server 1. POST /users/login with username and password

47. Browser Server 1. POST /users/login with username and password 2.

    Creates a JWT with a secret

48. Browser Server 1. POST /users/login with username and password 2.

    Creates a JWT with a secret 3. Returns the JWT to the Browser

49. Browser Server 1. POST /users/login with username and password 2.

    Creates a JWT with a secret 3. Returns the JWT to the Browser 4. Sends the JWT on the Authorization Header.

50. Browser Server 1. POST /users/login with username and password 2.

    Creates a JWT with a secret 3. Returns the JWT to the Browser 4. Sends the JWT on the Authorization Header. 5. Check JWT signature. Get user information from the JWT.

51. Browser Server 1. POST /users/login with username and password 2.

    Creates a JWT with a secret 3. Returns the JWT to the Browser 4. Sends the JWT on the Authorization Header. 5. Check JWT signature. Get user information from the JWT. 6. Sends response to the client

52. Tokens must be stored somewhere in the client 1

53. Tokens can expire like cookies, but you have more control

    2

54. Token expires, deal with refresh

55. CORS Preflight requests shouldn’t check the Authorization header. 3

56. When you need to stream something, use the token to

    get a signed request 4

57. Try token-based authentication in your next project

58. auth0/angularjs-jwt-authentication-tutorial See an example!

59. Thanks! @mgonto

60. Appendix

61. Confidential info, encrypt it

62. Social auth

63. Tokens can get big Don’t over engineer Don’t do fine

    grained permissions Define scopes

64. How to deal with protected images? https://github.com/hueniverse/hawk#single-uri-authorization Create signed requests

    (single URI authorization)