Slide 1

Slide 1 text

JSON Web Tokens
Thameera Senanayaka

Slide 2

Slide 2 text

@thameera twitter.com/thameera

Slide 17

Slide 17 text

JSON Web Tokens aka JWT

Slide 18

Slide 18 text

RFC 7519 https://tools.ietf.org/html/rfc7519 An open standard for passing claims between two parties

Slide 19

Slide 19 text

JSON Web Token

Slide 20

Slide 20 text

{ "name": "dinesh chandimal", "age": 27, "strengths": [], "weaknesses": ["captaincy"] }

Slide 21

Slide 21 text

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJuYW1lIjoidGhhbWVlcmEiLCJzdWIiOiJhdXRoMHw1NzFkZmM4NzJmMWQ1ZTU2MDI2NzAyZjYiLCJleHAiOjE1MDI5MTkwMTZ9.lmqptC83nKomEfsgQcmcgOydoJi5j80gOuU2ClWSA0Q

Three base64url parts separated by dots: the header decodes to {"typ":"JWT","alg":"HS256"}, the payload to {"name":"thameera","sub":"auth0|571dfc872f1d5e56026702f6","exp":1502919016}, and the third part is the HMAC-SHA256 signature over the first two.

Slide 23

Slide 23 text

JWT.io

Slide 24

Slide 24 text

Demo

Slide 25

Slide 25 text

Signing algorithms

→ HMAC (HS256, HS384, HS512): one shared secret both signs and verifies, so every verifier can also mint tokens
→ RSA (RS256, RS384, RS512): the issuer signs with its private key; verifiers only need the public key
→ ECDSA (ES256, ES384, ES512): the same private/public split with elliptic-curve keys and shorter signatures

Slide 26

Slide 26 text

Payload: registered claims (RFC 7519 §4.1) iss, sub, aud, exp, nbf, iat, jti, ... All of them are optional, but a verifier should check exp (and aud, if set) rather than trusting the signature alone.

Slide 27

Slide 27 text

How to build a JWT

Slide 28

Slide 28 text

payload { "name": "jon snow", "house": "stark", "sub": "1234" }

Slide 29

Slide 29 text

base64url-encode the payload (JWT uses the URL-safe alphabet of RFC 4648 §5 with no '=' padding, not plain base64)

bPayload = base64url( payload )

eyJuYW1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YXJrIiwic3ViIjoiMTIzNCJ9

Slide 30

Slide 30 text

header { "alg": "HS256", "typ": "JWT" }

Slide 31

Slide 31 text

base64url-encode the header

bHeader = base64url( header )

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

Slide 32

Slide 32 text

signature

signature = sign( bHeader + '.' + bPayload, secret )

sign( 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YXJrIiwic3ViIjoiMTIzNCJ9', 'mySecret123' )

bSignature = base64url( signature )

TiMShk7JvK4zR3Kn4It5-H8N4KrGdVL3f_FTw4WTUXM

(The signature bytes are the same as the deck's base64 value TiMShk7JvK4zR3Kn4It5+H8N4KrGdVL3f/FTw4WTUXM=, re-encoded with '-' and '_' and without padding; a token containing '+', '/' or '=' is not a valid JWT.)

Slide 33

Slide 33 text

Add everything together

jwt = bHeader + '.' + bPayload + '.' + bSignature

Slide 34

Slide 34 text

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiam9uIHNub3ciLCJob3VzZSI6InN0YXJrIiwic3ViIjoiMTIzNCJ9.TiMShk7JvK4zR3Kn4It5-H8N4KrGdVL3f_FTw4WTUXM

Slide 36

Slide 36 text

Live coding !

Slide 37

Slide 37 text

Is the JWT encrypted?

Slide 38

Slide 38 text

JWTs are signed, not encrypted. Anyone who holds a token can base64url-decode the header and payload and read every claim; only producing or checking the signature needs the secret or key. Never put passwords or other secrets in the payload. Encrypted tokens exist as JWE (RFC 7516), a separate spec.

Slide 39

Slide 39 text

How does the server know that we didn't mess with the JWT?

It recomputes the signature over bHeader + '.' + bPayload with its secret (or checks it with the issuer's public key for RSA and ECDSA) and compares the result with the third part of the token. Any change to the header or payload gives a different signature, and without the secret the client cannot produce a matching one.

Slide 40

Slide 40 text

Don't Reinvent The Wheel

JWT libraries are available for almost every language and framework

Slide 41

Slide 41 text

Creating a JWT with jsonwebtoken

const jwt = require('jsonwebtoken')

// sign() uses HS256 by default. Give the token a lifetime: without exp it never expires.
const token = jwt.sign({ name: 'thameera' }, 'mySecret123', { expiresIn: '1h' })

Slide 42

Slide 42 text

Verifying a JWT

const jwt = require('jsonwebtoken')

try {
  // Pin the algorithm so the token's own alg header cannot select a different one.
  // verify() also checks exp and throws on a bad signature or an expired token.
  const decoded = jwt.verify(token, 'mySecret123', { algorithms: ['HS256'] })
} catch (e) {
  console.log('Invalid token!!!')
}

Slide 43

Slide 43 text

Advantages of JWTs!

Compact
Stateless
Scalable
Decoupled
Cross Domain

Slide 44

Slide 44 text

Sessions vs Tokens: Pass by Reference vs Pass by Value

A session ID is a reference: the server looks up the state it points to on every request. A JWT carries the state itself, so the server only needs the key to check it. The flip side is that a JWT stays valid until exp; revoking one early means keeping server-side state (a denylist) again, so keep lifetimes short.

Slide 45

Slide 45 text

Where to go from here?

Slide 46

Slide 46 text

JSON Web Token Specification RFC 7519 https://tools.ietf.org/html/rfc7519

Slide 47

Slide 47 text

JWT Handbook https://goo.gl/HyzEZA

Slide 48

Slide 48 text

Thank you!