Slide 1

Secure and Practical Authentication in API Platform

Slide 2

Robin Chalas: Software Architect, Developer & Maintainer. Symfony Core Team / LexikJWTAuthenticationBundle Project Lead / Principal Engineer @Les-Tilleuls.coop. twitter.com/chalas_r github.com/chalasr

Slide 3

How does API Platform handle authentication?

Slide 4

How does API Platform handle authentication? Well, it does not.

Slide 5

How does API Platform handle authentication? It is Symfony's job.

Slide 6

The Options ✔ PHP Sessions ✔ JWT ✔ OAuth2 / OIDC

Slide 7

PHP Sessions
Pros
● Convenient
● Proven (in use for 20+ years)
Cons
● Scaling is challenging (needs extra storage or sticky sessions)
● Not RESTful

Slide 8

PHP Sessions: Native File

Slide 9

PHP Sessions: Redis

Slide 10

PHP Sessions: JSON Login Authenticator

Slide 11

PHP Sessions: Read More
Symfony Docs - Sessions: https://symfony.com/doc/current/session.html
Symfony 5: The Fast Track - Redis Sessions: https://symfony.com/doc/current/the-fast-track/en/31-redis.html

Slide 12

PHP Sessions REST is not a religion. Using sessions for your API is fine.

Slide 13

The Options ✔ PHP Sessions ✔ JWT ✔ OAuth2 / OIDC

Slide 14

JWT
Pros
● Standard token format (RFC 7519)
● Server does not need to keep track of sessions
● Can be used in contexts where cookies are disabled
● Scales easily (any server possessing the public key can verify tokens)
● Fun to use
Cons
● Complex (key management, refresh tokens...)

Slide 15

JWT composer require lexik/jwt-authentication-bundle

Slide 16

JWT: Symmetric or Asymmetric Only use asymmetric signatures (RSA/ECDSA) when multiple applications need to verify the tokens. Otherwise, use symmetric signatures (shared secret - HMAC).

Slide 17

JWT: Symmetric Config

Slide 18

JWT: Asymmetric Config

Slide 19

JWT: Asymmetric key generation
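The symmetric and asymmetric setups from slides 16 to 19, written out as an added example; this is not the speaker's own config (which the transcript did not capture). Key names follow the LexikJWTAuthenticationBundle configuration schema; the environment variable names and key file paths are assumptions.

```yaml
# config/packages/lexik_jwt_authentication.yaml
# Pick ONE of the two variants below; a single file may define the
# lexik_jwt_authentication key only once.

# Variant A: symmetric signature (HMAC, HS256).
# Use when the same application both issues and verifies tokens.
# The shared secret must stay private to that application and is
# injected through an environment variable (assumed name: JWT_SECRET),
# never committed to the repository.
lexik_jwt_authentication:
    secret_key: '%env(JWT_SECRET)%'   # raw HMAC secret, not a key file path
    token_ttl: 3600                   # one hour; keep access tokens short-lived
    encoder:
        signature_algorithm: HS256

# Variant B: asymmetric signature (RSA, RS256).
# Use when other applications must verify tokens: they receive only
# public.pem, so they can verify but never issue tokens. Generate the
# pair with the bundle's command:
#     php bin/console lexik:jwt:generate-keypair
# Assumed env vars (as in the bundle's Flex recipe):
#     JWT_SECRET_KEY=%kernel.project_dir%/config/jwt/private.pem
#     JWT_PUBLIC_KEY=%kernel.project_dir%/config/jwt/public.pem
#     JWT_PASSPHRASE=<passphrase protecting private.pem>
#
# lexik_jwt_authentication:
#     secret_key: '%env(resolve:JWT_SECRET_KEY)%'   # private key: issuer only
#     public_key: '%env(resolve:JWT_PUBLIC_KEY)%'   # public key: safe to distribute
#     pass_phrase: '%env(JWT_PASSPHRASE)%'
#     token_ttl: 3600
#     encoder:
#         signature_algorithm: RS256
```

Whichever variant is used, the verifying side must pin the expected algorithm (the `signature_algorithm` setting) so a token signed with a different scheme is rejected rather than accepted.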

Slide 20

JWT: Firewall Config

Slide 21

JWT: Read More
SymfonyCasts - Symfony RESTful API - Authentication with JWT: https://symfonycasts.com/screencast/symfony-rest4/lexikjwt-authentication-bundle
LexikJWTAuthenticationBundle documentation: https://github.com/lexik/LexikJWTAuthenticationBundle

Slide 22

The Options ✔ PHP Sessions ✔ JWT ✔ OAuth2 / OIDC

Slide 23

OAuth2 / OIDC: If your API needs to authenticate users from third-party clients, you need OAuth2.

Slide 24

OAuth2 / OIDC: In this case, the libraries you are looking for are league/oauth2-server and league/oauth2-client.

Slide 25

OAuth2 / OIDC: Symfony Integration. For the server part, check out league/oauth2-server-bundle (soon stable).

Slide 26

OAuth2 / OIDC: Symfony Integration. For the client part, check out knpuniversity/oauth2-client-bundle until something better comes out 😉

Slide 27

The Options ✔ PHP Sessions ✔ JWT ✔ OAuth2 / OIDC

Slide 28

Conclusion: Both sessions and JWTs are valid solutions for API authentication. Just use the one you feel comfortable with. And, as soon as you have third-party clients, use OAuth2 with OIDC.

Slide 29

Thank you!
Robin Chalas
Follow me on Twitter: @chalas_r
Sponsor me on GitHub: @chalasr
ANY QUESTIONS?