Secure and Practical Authentication
in API Platform
Slide 2
Software Architect, Developer & Maintainer
Symfony Core Team /
LexikJWTAuthenticationBundle Project Lead /
Principal Engineer @Les-Tilleuls.coop
twitter.com/chalas_r
github.com/chalasr
Robin Chalas
Slide 3
How does API Platform handle
authentication?
Slide 4
How does API Platform handle
authentication?
Well,
it does not.
Slide 5
How does API Platform handle
authentication?
It is Symfony's job.
Slide 6
The Options
✔ PHP Sessions
✔ JWT
✔ OAuth2 / OIDC
Slide 7
PHP Sessions
Pros
● Convenient
● Proven (20+ years in production)
Cons
● Scaling is challenging (needs extra storage or sticky sessions)
● Not RESTful
Slide 8
PHP Sessions: Native File
Slide 9
PHP Sessions: Redis
Slide 10
PHP Sessions:
JSON Login Authenticator
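Slides 8 to 10 showed these settings as screenshots. As an added example (not the deck's own config), this is the session setup they describe in Symfony YAML: the native file handler versus a Redis handler in framework.yaml, and a session-backed json_login firewall in security.yaml. The REDIS_URL variable, the App\Entity\User class and the /api/login and /api/logout paths are assumptions; Symfony 5.3 and 5.4 additionally need enable_authenticator_manager: true under the security key.

```yaml
# config/packages/framework.yaml  (added example, not from the slides)
framework:
    session:
        # Option 1 - native file handler (PHP's default). Fine on a single
        # server; a second server cannot see the files, which is the scaling
        # problem slide 7 lists.
        # handler_id: null
        # save_path: '%kernel.project_dir%/var/sessions/%kernel.environment%'

        # Option 2 - Redis. A DSN is accepted directly since Symfony 5.1
        # (SessionHandlerFactory). REDIS_URL is an assumed env var such as
        # redis://localhost:6379
        handler_id: '%env(REDIS_URL)%'

        # Cookie hardening that applies to either handler.
        cookie_secure: auto      # Secure flag whenever the request came over HTTPS
        cookie_samesite: lax     # cookie is not sent on cross-site POSTs (CSRF surface)
        cookie_httponly: true    # not readable from JavaScript
        gc_maxlifetime: 1800     # idle sessions expire after 30 minutes
---
# config/packages/security.yaml
security:
    password_hashers:
        Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: auto
    providers:
        app_user_provider:
            entity:
                class: App\Entity\User   # assumed entity
                property: email
    firewalls:
        main:
            lazy: true
            provider: app_user_provider
            # Reads {"email": "...", "password": "..."} from the JSON body and
            # starts a session on success; no HTML form is involved.
            json_login:
                check_path: /api/login
                username_path: email
                password_path: password
            logout:
                path: /api/logout
    access_control:
        - { path: ^/api/login, roles: PUBLIC_ACCESS }
        - { path: ^/api, roles: IS_AUTHENTICATED_FULLY }
```

The client then sends the session cookie on every request, exactly as a browser would; the Redis handler is what makes that work behind a load balancer without sticky sessions.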
Slide 11
PHP Sessions
Symfony Docs - Sessions
https://symfony.com/doc/current/session.html
Symfony 5: The Fast Track - Redis Sessions
https://symfony.com/doc/current/the-fast-track/en/31-redis.html
Read More
Slide 12
PHP Sessions
REST is not a religion.
Using sessions for your API is fine.
Slide 13
The Options
✔ PHP Sessions
✔ JWT
✔ OAuth2 / OIDC
Slide 14
JWT
Pros
● Standard token format (RFC 7519)
● Server does not need to keep track of sessions
● Can be used in contexts where cookies are disabled
● Scales easily (any server possessing the public key can verify tokens)
● Fun to use
Cons
● Complex (key management, refresh tokens...)
JWT:
Symmetric or Asymmetric
Only use asymmetric signatures (RSA/ECDSA) when multiple
applications need to verify the tokens.
Otherwise, use symmetric signatures (shared secret - HMAC).
Slide 17
JWT:
Symmetric Config
Slide 18
JWT:
Asymmetric Config
Slide 19
JWT:
Asymmetric key generation
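The symmetric-versus-asymmetric rule from the "Symmetric or Asymmetric" slide and the two config slides that follow it, written out as an added example for LexikJWTAuthenticationBundle (this is not the deck's own config). The env var names JWT_SECRET, JWT_SECRET_KEY, JWT_PUBLIC_KEY and JWT_PASSPHRASE are assumptions (the last three match what the bundle's Flex recipe sets up), and the key-generation commands in the comments are the ones from the bundle's README.

```yaml
# config/packages/lexik_jwt_authentication.yaml  (added example)
#
# Variant A - symmetric (HMAC, shared secret). The same secret both signs
# and verifies, so any service that can verify a token can also mint one.
# Use it only when a single application issues and checks the tokens.
lexik_jwt_authentication:
    secret_key: '%env(JWT_SECRET)%'   # assumed env var: a long random string, not a file path
    encoder:
        signature_algorithm: HS256
    token_ttl: 3600                   # 1 hour; keep it short, a JWT cannot be revoked
---
# Variant B - asymmetric (RS256). Only the issuer holds the private key;
# every other service needs just the public key to verify, which is the
# "scales easily" point from the JWT pros slide.
#
# Generate the pair with the bundle's command (v2.9+):
#   php bin/console lexik:jwt:generate-keypair
# or with openssl, as in the bundle's README:
#   openssl genpkey -out config/jwt/private.pem -aes256 -algorithm rsa -pkeyopt rsa_keygen_bits:4096
#   openssl pkey -in config/jwt/private.pem -out config/jwt/public.pem -pubout
lexik_jwt_authentication:
    secret_key: '%env(resolve:JWT_SECRET_KEY)%'   # path to private.pem, issuer only
    public_key: '%env(resolve:JWT_PUBLIC_KEY)%'   # path to public.pem, safe to distribute
    pass_phrase: '%env(JWT_PASSPHRASE)%'          # protects private.pem at rest
    token_ttl: 3600
    clock_skew: 30                                # seconds of tolerated clock drift between servers
```

Services that only verify tokens deploy variant B with public_key set and no private key on the box at all; that is what keeps a compromised resource server from becoming a token issuer.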
Slide 20
JWT: Firewall Config
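The firewall layout the "Firewall Config" slide showed, as an added example (not the deck's own file): one stateless firewall that exchanges JSON credentials for a token using the bundle's success and failure handlers, and a second stateless firewall that authenticates every other API request with the jwt authenticator (LexikJWTAuthenticationBundle 2.12+ with Symfony's authenticator system). The paths and the App\Entity\User provider are assumptions.

```yaml
# config/packages/security.yaml  (added example)
security:
    providers:
        app_user_provider:
            entity:
                class: App\Entity\User   # assumed entity
                property: email
    firewalls:
        login:
            pattern: ^/api/login
            stateless: true               # no session cookie is ever started
            json_login:
                check_path: /api/login
                username_path: email
                password_path: password
                # On success the bundle returns {"token": "..."} instead of
                # starting a session; on failure a 401 JSON body.
                success_handler: lexik_jwt_authentication.handler.authentication_success
                failure_handler: lexik_jwt_authentication.handler.authentication_failure
        api:
            pattern: ^/api
            stateless: true
            jwt: ~                        # reads "Authorization: Bearer <token>" and verifies it
    access_control:
        - { path: ^/api/login, roles: PUBLIC_ACCESS }
        - { path: ^/api, roles: IS_AUTHENTICATED_FULLY }
```

Both firewalls are stateless on purpose: with stateless: true Symfony never persists the token into a session, so a stolen session cookie cannot stand in for a JWT, and every request is verified against the configured key.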
Slide 21
JWT
SymfonyCasts - Symfony RESTful API - Authentication with JWT
https://symfonycasts.com/screencast/symfony-rest4/lexikjwt-authentication-bundle
LexikJWTAuthenticationBundle documentation
https://github.com/lexik/LexikJWTAuthenticationBundle
Read More
Slide 22
The Options
✔ PHP Sessions
✔ JWT
✔ OAuth2 / OIDC
Slide 23
OAuth2 / OIDC
If your API needs to authenticate users
from third party clients, you need
OAuth2.
Slide 24
OAuth2 / OIDC
In this case, the libs you are looking for
are league/oauth2-server and
league/oauth2-client.
Slide 25
OAuth2 / OIDC:
Symfony Integration
For the server part, check out
league/oauth2-server-bundle (soon
stable).
Slide 26
OAuth2 / OIDC:
Symfony Integration
For the client part, check out
knpuniversity/oauth2-client-bundle
until something better comes out 😉
Slide 27
The Options
✔ PHP Sessions
✔ JWT
✔ OAuth2 / OIDC
Slide 28
Conclusion
Both Sessions and JWTs are valid solutions for API
authentication.
Just use the one that you feel comfortable with.
And, as soon as you have third party clients, use OAuth2 with
OIDC.
Slide 29
Thank you!
Robin Chalas
Follow me on Twitter
@chalas_r
Sponsor me on GitHub
@chalasr
ANY QUESTIONS?