JWT, WTF? at JS Poland

We live in a world of rich client-side applications, web and mobile, and we need a secure way to authenticate our users. Session IDs have been the traditional solution, but how well do they work for single page applications? And what about authenticating to third-party services? You can’t leave your credentials in the client; there’s always someone malicious just waiting to steal them.

Enter the JWT, or JSON Web Token. These fancy little tokens can authenticate our users and our transactions because they know what they’re allowed to do.

We’ll take a look at what JWTs can be used for, why to choose JWTs, how to generate them, and most importantly how to keep them secure. Finally, we’ll find out if putting abbreviations inside other abbreviations really is the secret to web security.

--

Links:

https://jwt.io
RFC 7519: https://tools.ietf.org/html/rfc7519
JWTs VS Sessions: https://float-middle.com/json-web-tokens-jwt-vs-sessions/
Stop using JWT for sessions: http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/
Use JWT the Right Way: https://stormpath.com/blog/jwt-the-right-way

Emoji Chat app: http://github.com/philnash/twilimoji
Twilio Programmable Chat access tokens (JWTs): https://www.twilio.com/docs/api/chat/guides/create-tokens

Phil Nash

June 19, 2017

Transcript

  1. JWTs @philnash
     • What are they?
     • What can you use them for?
     • How do they work?
     • Pitfalls

  2. JWT
     “JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties.”

  3. Creating a JWT
     const header = { "alg": "HS256", "typ": "JWT" }
     const payload = { "sub": "[email protected]" }

  4. Payload Claims
     • "iss" - issuer
     • "sub" - subject
     • "aud" - audience
     • "exp" - expires at
     • "nbf" - not before
     • "iat" - issued at
     • "jti" - JWT ID

  5. Creating a JWT
     const header = { "alg": "HS256", "typ": "JWT" }
     const payload = { "sub": "[email protected]" }

  6. HMAC SHA256
     const crypto = require('crypto');
     // encodedHeader and encodedPayload are the base64url-encoded JSON from the previous slide
     const encodedHeader = Buffer.from(JSON.stringify(header)).toString('base64url');
     const encodedPayload = Buffer.from(JSON.stringify(payload)).toString('base64url');
     const hmac = crypto.createHmac('sha256', 'secret');
     hmac.update(`${encodedHeader}.${encodedPayload}`);
     const signature = hmac.digest('base64url'); // JWT signatures are base64url, not plain base64

  7. HMAC SHA256
     const crypto = require('crypto');
     // verification side: recompute the HMAC over the received header and payload
     const hmac = crypto.createHmac('sha256', 'secret');
     hmac.update(`${encodedHeader}.${encodedPayload}`);
     const generatedSignature = hmac.digest('base64url');
     // compare generatedSignature with the token's signature in constant time (crypto.timingSafeEqual)

  8. Stateless sessions - revocation
     • exp claim - token expiry time
     • Without state, you can't revoke individual tokens except by expiry
     • Requires a blacklist of revoked tokens to check against

  9. Stateless sessions - storage
     • Cookies
       • ensure you have CSRF protection
     • localStorage
       • vulnerable to XSS
       • requires JS to store and insert as an Authentication header

  10. Microservice architecture
     • Authentication server signs tokens with private key
     • Other servers can verify with public key

  11. JWT
     “JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties.”

  12. JWT, WTF?
     • https://jwt.io
     • RFC 7519
     • JWTs VS Sessions
     • Stop using JWT for sessions
     • Use JWT the Right Way