Upgrade to Pro — share decks privately, control downloads, hide ads and more …

JWT, WTF? at FullStackCon

Phil Nash
July 12, 2017
Programming
0
310

JWT, WTF? at FullStackCon

We live in a world of rich client side applications, web and mobile, and we need a secure way to authenticate our users. Session IDs have been the traditional solution, but how well do they work for single page applications? And what about authenticating to 3rd party services? You can’t leave your credentials in the client, there’s always someone malicious just waiting to steal them.

Enter the JWT, or JSON Web Token. These fancy little tokens can authenticate our users and our transactions because they know what they’re allowed to do.

We’ll take a look at what JWTs can be used for, why to choose JWTs, how to generate them, and most importantly how to keep them secure. Finally, we’ll find out if putting abbreviations inside other abbreviations really is the secret to web security.

--

Links:

https://jwt.io
RFC 7519: https://tools.ietf.org/html/rfc7519
JWTs VS Sessions: https://float-middle.com/json-web-tokens-jwt-vs-sessions/
Stop using JWT for sessions: http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/
Use JWT the Right Way: https://stormpath.com/blog/jwt-the-right-way

Emoji Chat app: http://github.com/philnash/twilimoji
Twilio Programmable Chat access tokens (JWTs): https://www.twilio.com/docs/api/chat/guides/create-tokens

Phil Nash

July 12, 2017
Tweet

More Decks by Phil Nash

See All by Phil Nash
Four steps from JavaScript to TypeScript
philnash
3
410
JavaScript Apps Go Intl - GIDS Live 2021
philnash
2
260
You're on Mute! WebRTC and our Lives on Screen - GIDS Live 2021
philnash
1
270
Better API DX with a CLI - APIdays Jakarta
philnash
0
340
The trouble with webhooks - at Apidays Live Hong Kong
philnash
2
200
Four steps from JavaScript to TypeScript
philnash
0
390
Fantastic passwords and where to find them - at NoRuKo
philnash
50
2.9k
The trouble with webhooks - at APIdays Singapore
philnash
0
290
What's going on with Project Fugu? at DevTalks Reimagined
philnash
0
430

Other Decks in Programming

See All in Programming
카카오페이는 어떻게 수천만 결제를 처리할까? 우아한 결제 분산락 노하우
kakao
PRO
0
110
Duckdb-Wasmでローカルダッシュボードを作ってみた
nkforwork
0
120
Amazon Bedrock Agentsを用いてアプリ開発してみた!
har1101
0
330
CSC509 Lecture 11
javiergs
PRO
0
180
Realtime API 入門
riofujimon
0
150
レガシーシステムにどう立ち向かうか 複雑さと理想と現実/vs-legacy
suzukihoge
14
2.2k
OnlineTestConf: Test Automation Friend or Foe
maaretp
0
110
聞き手から登壇者へ: RubyKaigi2024 LTでの初挑戦が 教えてくれた、可能性の星
mikik0
1
130
Amazon Qを使ってIaCを触ろう!
maruto
0
400
タクシーアプリ『GO』のリアルタイムデータ分析基盤における機械学習サービスの活用
mot_techtalk
4
1.4k
受け取る人から提供する人になるということ
little_rubyist
0
230
Kaigi on Rails 2024 〜運営の裏側〜
krpk1900
1
200

Featured

See All Featured
Thoughts on Productivity
jonyablonski
67
4.3k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
232
17k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
Automating Front-end Workflow
addyosmani
1366
200k
GraphQLとの向き合い方2022年版
quramy
43
13k
Reflections from 52 weeks, 52 projects
jeffersonlam
346
20k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
Facilitating Awesome Meetings
lara
50
6.1k
The Cult of Friendly URLs
andyhume
78
6k
Building Adaptive Systems
keathley
38
2.3k
A Tale of Four Properties
chriscoyier
156
23k
The Cost Of JavaScript in 2023
addyosmani
45
6.7k

Transcript

  1. JWT, WTF? FullStackCon, 12th July 2017

  2. Phil Nash @philnash http:/ /philna.sh [email protected] @philnash

  3. ARE YOU READY FOR SOME ABBREVIATIONS?

  4. JWT @philnash

  5. JSON WEB TOKEN @philnash

  6. RFC 7519 @philnash

  7. "JOT" @philnash

  8. THERE'S MORE

  9. JWS JWE JWK JWA @philnash

  10. RFCS 7515 7516 7517 7518 @philnash

  11. JOSE @philnash

  12. RFC 7520 @philnash

  13. AAARGH @philnash

  14. LET'S START AGAIN

  15. JWT, WTF?

  16. JWTs • What are they? • What can you use

    them for? • How do they work? • Pitfalls @philnash

  17. WHAT'S A JWT?

  18. JWT “JSON Web Token (JWT) is a compact, URL-safe means

    of representing claims to be transferred between two parties.” @philnash

  19. JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJzdWIiOiJwaGlsbmFzaEB0d2lsaW8uY29tIn0. l9vi8Dt8Pds3QTBqNMnQGU0wDDWDv46RFIcqeOIPqDk @philnash

  20. JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJzdWIiOiJwaGlsbmFzaEB0d2lsaW8uY29tIn0. l9vi8Dt8Pds3QTBqNMnQGU0wDDWDv46RFIcqeOIPqDk @philnash

  21. JWT { "alg": "HS256", "typ": "JWT" } { "sub": "[email protected]"

    } @philnash

  22. @philnash

  23. WHAT CAN YOU USE THEM FOR?

  24. STATELESS SESSIONS @philnash

  25. MICROSERVICE ARCHITECTURE @philnash

  26. OPENID CONNECT @philnash

  27. CLIENT SIDE AUTH FOR 3RD PARTY SERVICES @philnash

  28. HTTPS:/ /BIT.LY/EMOJI-CHAT @philnash

  29. HOW DO THEY WORK?

  30. CREATING A JWT @philnash

  31. CLAIMS @philnash

  32. Creating a JWT const header = { "alg": "HS256", "typ":

    "JWT" } const payload = { "sub": "[email protected]" } @philnash

  33. Header Claims "typ": "JWT" @philnash

  34. Header Claims - Unsecured "alg": "none" @philnash

  35. Header Claims - Secured "alg": "HS256" @philnash

  36. Payload Claims "iss" - issuer "sub" - subject "aud" -

    audience "exp" - expires at "nbf" - not before "iat" - issued at "jti" - JWT ID @philnash

  37. Payload Claims Anything you want! @philnash

  38. Creating a JWT const header = { "alg": "HS256", "typ":

    "JWT" } const payload = { "sub": "[email protected]" } @philnash

  39. ENCODE THE HEADER AND PAYLOAD @philnash

  40. Base64url encodedHeader = new Buffer(JSON.stringify(header)) .toString('base64') .replace(/=/g, "") .replace(/\+/g, "-")

    .replace(/\//g, "_"); @philnash

  41. Base64url encodedPayload = new Buffer(JSON.stringify(payload)) .toString('base64') .replace(/=/g, "") .replace(/\+/g, "-")

    .replace(/\//g, "_"); @philnash

  42. SIGN THE ENCODED HEADER AND PAYLOAD @philnash

  43. HMAC SHA256 const crypto = require('crypto'); const hmac = crypto.createHmac('sha256',

    'secret'); hmac.update(`${encodedHeader}.${encodedPayload}`); const signature = hmac.digest('base64'); @philnash

  44. The finished JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJzdWIiOiJwaGlsbmFzaEB0d2lsaW8uY29tIn0. l9vi8Dt8Pds3QTBqNMnQGU0wDDWDv46RFIcqeOIPqDk @philnash

  45. VERIFYING A JWT @philnash

  46. Verifying a JWT [ encodedHeader, encodedPayload, signature ] = jwt.split('.');

    @philnash

  47. Decode the header const decodedHeader = JSON.parse( new Buffer(encodedHeader, 'base64').toString('ascii')

    ) @philnash

  48. Decode the payload const decodedPayload = JSON.parse( new Buffer(encodedPayload, 'base64').toString('ascii')

    ) @philnash

  49. HMAC SHA256 const crypto = require('crypto'); const hmac = crypto.createHmac('sha256',

    'secret'); hmac.update(`${encodedHeader}.${encodedPayload}`); const generatedSignature = hmac.digest('base64'); @philnash

  50. Compare secureCompare(signature, generatedSignature); @philnash

  51. JWT Playground https:/ /jwt.io @philnash

  52. Finally, check the claims new Date(decodedPayload['exp']) < new Date(); @philnash

  53. PITFALLS

  54. DATA IS PUBLIC @philnash

  55. SIGNING ALGORITHM @philnash

  56. JWT { "alg": "HS256", "typ": "JWT" } { "sub": "[email protected]"

    } @philnash

  57. JWT { "alg": "none" , "typ": "JWT" } { "sub":

    "[email protected]" } @philnash

  58. ALWAYS VERIFY WITH AN EXPECTED ALGORITHM @philnash

  59. PUBLIC KEYS AND ENCRYPTION @philnash

  60. WHAT CAN YOU USE THEM FOR?

  61. STATELESS SESSIONS @philnash

  62. Stateless sessions - revocation • exp claim - token expiry

    time • Without state, you can't revoke individual tokens except by expiry • Requires a blacklist of revoked tokens to check against @philnash

  63. Stateless sessions - storage • Cookies • ensure you have

    CSRF protection • localStorage • vulnerable to XSS • requires JS to store and insert as an Authentication header @philnash

  64. MICROSERVICE ARCHITECTURE @philnash

  65. Microservice architecture • Authentication server signs tokens with private key

    • Other servers can verify with public key @philnash

  66. OPENID CONNECT @philnash

  67. CLIENT SIDE AUTH FOR 3RD PARTY SERVICES @philnash

  68. JWT, WTF?

  69. JWT “JSON Web Token (JWT) is a compact, URL-safe means

    of representing claims to be transferred between two parties.” @philnash

  70. JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJzdWIiOiJwaGlsbmFzaEB0d2lsaW8uY29tIn0. l9vi8Dt8Pds3QTBqNMnQGU0wDDWDv46RFIcqeOIPqDk @philnash

  71. @philnash

  72. JWT, WTF? • https:/ /jwt.io • RFC 7519 • JWTs

    VS Sessions • Stop using JWT for sessions • Use JWT the Right Way @philnash

  73. THANKS!

  74. Thanks! @philnash http:/ /philna.sh [email protected] @philnash