Slide 1

Slide 1 text

JWT, WTF? FullStackCon, 12th July 2017

Slide 2

Slide 2 text

Phil Nash @philnash http://philna.sh [email protected]

Slide 3

Slide 3 text

ARE YOU READY FOR SOME ABBREVIATIONS?

Slide 4

Slide 4 text

JWT

Slide 5

Slide 5 text

JSON WEB TOKEN

Slide 6

Slide 6 text

RFC 7519

Slide 7

Slide 7 text

"JOT"

Slide 8

Slide 8 text

THERE'S MORE

Slide 9

Slide 9 text

JWS JWE JWK JWA

Slide 10

Slide 10 text

RFCs 7515, 7516, 7517, 7518

Slide 11

Slide 11 text

JOSE

Slide 12

Slide 12 text

RFC 7520

Slide 13

Slide 13 text

AAARGH

Slide 14

Slide 14 text

LET'S START AGAIN

Slide 15

Slide 15 text

JWT, WTF?

Slide 16

Slide 16 text

JWTs • What are they? • What can you use them for? • How do they work? • Pitfalls

Slide 17

Slide 17 text

WHAT'S A JWT?

Slide 18

Slide 18 text

JWT “JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties.”

Slide 19

Slide 19 text

JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJzdWIiOiJwaGlsbmFzaEB0d2lsaW8uY29tIn0. l9vi8Dt8Pds3QTBqNMnQGU0wDDWDv46RFIcqeOIPqDk


Slide 21

Slide 21 text

JWT { "alg": "HS256", "typ": "JWT" } { "sub": "[email protected]" }


Slide 23

Slide 23 text

WHAT CAN YOU USE THEM FOR?

Slide 24

Slide 24 text

STATELESS SESSIONS

Slide 25

Slide 25 text

MICROSERVICE ARCHITECTURE

Slide 26

Slide 26 text

OPENID CONNECT

Slide 27

Slide 27 text

CLIENT SIDE AUTH FOR 3RD PARTY SERVICES

Slide 28

Slide 28 text

HTTPS://BIT.LY/EMOJI-CHAT

Slide 29

Slide 29 text

HOW DO THEY WORK?

Slide 30

Slide 30 text

CREATING A JWT

Slide 31

Slide 31 text

CLAIMS

Slide 32

Slide 32 text

Creating a JWT
const header = { "alg": "HS256", "typ": "JWT" };
const payload = { "sub": "[email protected]" };

Slide 33

Slide 33 text

Header Claims "typ": "JWT"

Slide 34

Slide 34 text

Header Claims - Unsecured "alg": "none" (an Unsecured JWS: there is no signature at all and the third segment of the token is empty)

Slide 35

Slide 35 text

Header Claims - Secured "alg": "HS256" (HMAC with SHA-256; RFC 7518 also registers asymmetric algorithms such as RS256 and ES256)

Slide 36

Slide 36 text

Payload Claims (registered claims, RFC 7519 section 4.1) • "iss" - issuer • "sub" - subject • "aud" - audience • "exp" - expiration time • "nbf" - not before • "iat" - issued at • "jti" - JWT ID ("exp", "nbf" and "iat" are NumericDate values: seconds since the Unix epoch, not milliseconds)

Slide 37

Slide 37 text

Payload Claims Anything you want! (but remember the payload is only encoded and signed, not encrypted: see Pitfalls)

Slide 38

Slide 38 text

Creating a JWT
const header = { "alg": "HS256", "typ": "JWT" };
const payload = { "sub": "[email protected]" };

Slide 39

Slide 39 text

ENCODE THE HEADER AND PAYLOAD

Slide 40

Slide 40 text

Base64url
const encodedHeader = Buffer.from(JSON.stringify(header))
  .toString('base64')
  .replace(/=/g, "")      // drop the padding
  .replace(/\+/g, "-")    // switch to the URL-safe alphabet
  .replace(/\//g, "_");
(Buffer.from replaces the deprecated new Buffer() constructor; Node 15.7 and later can also produce this directly with .toString('base64url').)

Slide 41

Slide 41 text

Base64url
const encodedPayload = Buffer.from(JSON.stringify(payload))
  .toString('base64')
  .replace(/=/g, "")
  .replace(/\+/g, "-")
  .replace(/\//g, "_");

Slide 42

Slide 42 text

SIGN THE ENCODED HEADER AND PAYLOAD

Slide 43

Slide 43 text

HMAC SHA256
const crypto = require('crypto');
const hmac = crypto.createHmac('sha256', 'secret');
hmac.update(`${encodedHeader}.${encodedPayload}`);
// the signature segment is base64url too, like the other two; a plain
// base64 digest would leave a trailing "=" and possibly "+" or "/"
const signature = hmac.digest('base64')
  .replace(/=/g, "")
  .replace(/\+/g, "-")
  .replace(/\//g, "_");

Slide 44

Slide 44 text

The finished JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJzdWIiOiJwaGlsbmFzaEB0d2lsaW8uY29tIn0. l9vi8Dt8Pds3QTBqNMnQGU0wDDWDv46RFIcqeOIPqDk

Slide 45

Slide 45 text

VERIFYING A JWT

Slide 46

Slide 46 text

Verifying a JWT
const [encodedHeader, encodedPayload, signature] = jwt.split('.');
// reject anything that does not have exactly three segments before going further

Slide 47

Slide 47 text

Decode the header
const decodedHeader = JSON.parse(
  Buffer.from(encodedHeader, 'base64').toString('utf8')
);
// Node's base64 decoder accepts the URL-safe alphabet and unpadded input;
// decode as utf8 (not ascii) so non-ASCII claim values are not mangled

Slide 48

Slide 48 text

Decode the payload
const decodedPayload = JSON.parse(
  Buffer.from(encodedPayload, 'base64').toString('utf8')
);
// nothing in here can be trusted until the signature has been checked

Slide 49

Slide 49 text

HMAC SHA256
const crypto = require('crypto');
// use the algorithm you expect, not whatever decodedHeader.alg claims
const hmac = crypto.createHmac('sha256', 'secret');
hmac.update(`${encodedHeader}.${encodedPayload}`);
const generatedSignature = hmac.digest('base64')
  .replace(/=/g, "")
  .replace(/\+/g, "-")
  .replace(/\//g, "_");

Slide 50

Slide 50 text

Compare
// constant-time comparison; crypto.timingSafeEqual throws if the lengths
// differ, so check that first and treat a length mismatch as a failure
const presented = Buffer.from(signature);
const expected = Buffer.from(generatedSignature);
const valid = presented.length === expected.length
  && crypto.timingSafeEqual(presented, expected);

Slide 51

Slide 51 text

JWT Playground https://jwt.io

Slide 52

Slide 52 text

Finally, check the claims
// "exp" is a NumericDate: seconds since the Unix epoch, so it cannot be
// passed straight to new Date(), which expects milliseconds
const now = Math.floor(Date.now() / 1000);
if (decodedPayload['exp'] !== undefined && decodedPayload['exp'] <= now) {
  throw new Error('token expired');
}
// check "nbf", "iss" and "aud" the same way if you issue them, and only
// after the signature has been verified

Slide 53

Slide 53 text

PITFALLS

Slide 54

Slide 54 text

DATA IS PUBLIC (a signed JWT is encoded, not encrypted: anyone holding the token can base64url-decode the claims)

Slide 55

Slide 55 text

SIGNING ALGORITHM

Slide 56

Slide 56 text

JWT { "alg": "HS256", "typ": "JWT" } { "sub": "[email protected]" }

Slide 57

Slide 57 text

JWT { "alg": "none", "typ": "JWT" } { "sub": "[email protected]" }

Slide 58

Slide 58 text

ALWAYS VERIFY WITH AN EXPECTED ALGORITHM (fixed in the verifier's configuration, never read from the token's own header)

Slide 59

Slide 59 text

PUBLIC KEYS AND ENCRYPTION

Slide 60

Slide 60 text

WHAT CAN YOU USE THEM FOR?

Slide 61

Slide 61 text

STATELESS SESSIONS

Slide 62

Slide 62 text

Stateless sessions - revocation • exp claim - token expiry time • Without server-side state you can't revoke an individual token before it expires • Revoking early requires a blacklist of revoked tokens (keyed by "jti") that every verifier checks, which reintroduces the state you were trying to avoid

Slide 63

Slide 63 text

Stateless sessions - storage • Cookies • sent automatically by the browser, so ensure you have CSRF protection • localStorage • readable by any script running on the page, so vulnerable to XSS • requires JS to store the token and send it in an Authorization header

Slide 64

Slide 64 text

MICROSERVICE ARCHITECTURE

Slide 65

Slide 65 text

Microservice architecture • Authentication server signs tokens with its private key (e.g. RS256 or ES256) • Other services verify with the public key only and never need the private key

Slide 66

Slide 66 text

OPENID CONNECT

Slide 67

Slide 67 text

CLIENT SIDE AUTH FOR 3RD PARTY SERVICES

Slide 68

Slide 68 text

JWT, WTF?

Slide 69

Slide 69 text

JWT “JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties.”

Slide 70

Slide 70 text

JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJzdWIiOiJwaGlsbmFzaEB0d2lsaW8uY29tIn0. l9vi8Dt8Pds3QTBqNMnQGU0wDDWDv46RFIcqeOIPqDk


Slide 72

Slide 72 text

JWT, WTF? • https://jwt.io • RFC 7519 • JWTs VS Sessions • Stop using JWT for sessions • Use JWT the Right Way

Slide 73

Slide 73 text

THANKS!

Slide 74

Slide 74 text

Thanks! @philnash http://philna.sh [email protected]