Slide 1

Slide 1 text

Make your SPA a maximum security prison

Slide 2

Slide 2 text

@mgonto Dev Advocate Auth0

Slide 3

Slide 3 text

Identity made simple for developers


Slide 5

Slide 5 text

1990’s, client/server: life was easy. (Diagram labels: Client, Database)

Slide 6

Slide 6 text

1990’s, client/server: life was easy. (Diagram labels: Client, auth, Database)

Slide 7

Slide 7 text

1990’s, client/server: life was easy. (Diagram labels: Client, auth, persistent connection, Database)

Slide 8

Slide 8 text

2000’s, intranet: life inside the corp. (Diagram labels: Workstation, Browser, Database)

Slide 9

Slide 9 text

2000’s, intranet: life inside the corp. (Diagram labels: Workstation, Browser, Database, Active Directory)

Slide 10

Slide 10 text

2000’s, intranet: life inside the corp. (Diagram labels: Workstation, Browser, auth, Database, Active Directory)

Slide 11

Slide 11 text

2000’s, intranet: life inside the corp. (Diagram labels: Workstation, Browser, auth, Database, Active Directory, Kerberos token)

Slide 12

Slide 12 text

2000’s, intranet: life inside the corp. (Diagram labels: Workstation, Browser, Web Server, auth, Database, Active Directory, Kerberos token)


Slide 16

Slide 16 text

E-commerce over the Internet. (Diagram labels: Workstation, Browser, Internet, Web Server, auth, Database, C, C)

Slide 17

Slide 17 text

Browser Server

Slide 18

Slide 18 text

Browser Server 1. POST /users/login with username and password

Slide 19

Slide 19 text

Browser Server 1. POST /users/login with username and password 2. Creates a User session

Slide 20

Slide 20 text

Browser Server 1. POST /users/login with username and password 2. Creates a User session 3. Returns a logged in cookie to the browser

Slide 21

Slide 21 text

Browser Server 1. POST /users/login with username and password 2. Creates a User session 3. Returns a logged in cookie to the browser 4. Do an authenticated request. Sends the cookie.

Slide 22

Slide 22 text

Browser Server 1. POST /users/login with username and password 2. Creates a User session 3. Returns a logged in cookie to the browser 4. Do an authenticated request. Sends the cookie. 5. Check the session based on the cookie and authenticate the user

Slide 23

Slide 23 text

Browser / Server, cookie-based flow:
1. POST /users/login with username and password
2. Creates a User session
3. Returns a logged-in cookie to the browser
4. Do an authenticated request. Sends the cookie.
5. Check the session based on the cookie and authenticate the user
6. Sends response to the client

Slide 24

Slide 24 text

Today’s applications. (Diagram labels: Browser, Database, Web Server (Scala), API (Ruby), API (Node), Phones, Tablets, Realtime (Sockets), API (Facebook), C, M, A, A, A, AT)

Slide 25

Slide 25 text

Cookie-based auth is a sub-optimal solution for today’s systems

Slide 26

Slide 26 text

1. Cookies don’t play well with CORS and different domains

Slide 27

Slide 27 text

2. Cookie-based auth keeps state in a server-side session (mongo, redis, etc.)*

*default config; cookie-only sessions are possible (Play, Rails)

Slide 28

Slide 28 text

3. Cookies are coupled to the web framework. If you try to reuse a cookie issued by Java in Node, it’s not easy.

Slide 29

Slide 29 text

4. APIs don’t use cookies

Slide 30

Slide 30 text

5. Cookies don’t play well with native apps

Slide 31

Slide 31 text

6. Cookies lead to CSRF attacks: document.csrf.submit();

Slide 32

Slide 32 text

7. … and other security issues:
https://github.com/blog/1466-yummy-cookies-across-domains
http://arstechnica.com/business/2010/09/evercookie-escalates-the-zombie-cookie-war-by-raising-awareness/

Slide 33

Slide 33 text

8. Cookies can’t be used for delegated authentication (identity does not flow)

Slide 34

Slide 34 text

A better approach

Slide 35

Slide 35 text

A better approach Token-based Authentication

Slide 36

Slide 36 text

A better approach Token-based Authentication JSON Web Tokens

Slide 37

Slide 37 text

Browser Server

Slide 38

Slide 38 text

Browser Server 1. POST /users/login with username and password

Slide 39

Slide 39 text

Browser Server 1. POST /users/login with username and password 2. Creates a token and saves it in the User table

Slide 40

Slide 40 text

Browser Server 1. POST /users/login with username and password 2. Creates a token and saves it in the User table 3. Returns the Token to the Browser

Slide 41

Slide 41 text

Browser Server 1. POST /users/login with username and password 2. Creates a token and saves it in the User table 3. Returns the Token to the Browser 4. Sends the Token on the Authorization Header.

Slide 42

Slide 42 text

Browser Server 1. POST /users/login with username and password 2. Creates a token and saves it in the User table 3. Returns the Token to the Browser 4. Sends the Token on the Authorization Header. 5. Query user DB for a user with this token. Authenticate user

Slide 43

Slide 43 text

Browser / Server, opaque-token flow:
1. POST /users/login with username and password
2. Creates a token and saves it in the User table
3. Returns the Token to the Browser
4. Sends the Token on the Authorization Header.
5. Query user DB for a user with this token. Authenticate user
6. Sends response to the client

Slide 44

Slide 44 text

How does it work?

Slide 45

Slide 45 text

Browser Server

Slide 46

Slide 46 text

Browser Server 1. POST /users/login with username and password

Slide 47

Slide 47 text

Browser Server 1. POST /users/login with username and password 2. Creates a JWT with a secret

Slide 48

Slide 48 text

Browser Server 1. POST /users/login with username and password 2. Creates a JWT with a secret 3. Returns the JWT to the Browser

Slide 49

Slide 49 text

Browser Server 1. POST /users/login with username and password 2. Creates a JWT with a secret 3. Returns the JWT to the Browser 4. Sends the JWT on the Authorization Header.

Slide 50

Slide 50 text

Browser Server 1. POST /users/login with username and password 2. Creates a JWT with a secret 3. Returns the JWT to the Browser 4. Sends the JWT on the Authorization Header. 5. Check JWT signature. Get user information from the JWT.

Slide 51

Slide 51 text

Browser / Server, JWT flow:
1. POST /users/login with username and password
2. Creates a JWT with a secret
3. Returns the JWT to the Browser
4. Sends the JWT on the Authorization Header.
5. Check JWT signature. Get user information from the JWT.
6. Sends response to the client

Slide 52

Slide 52 text

1. Tokens must be stored somewhere in the client

Slide 53

Slide 53 text

2. Tokens can expire like cookies, but you have more control

Slide 54

Slide 54 text

When the token expires, deal with refresh

Slide 55

Slide 55 text

3. CORS preflight requests shouldn’t check the Authorization header.

Slide 56

Slide 56 text

4. When you need to stream something, use the token to get a signed request

Slide 57

Slide 57 text

Try token-based authentication in your next project

Slide 58

Slide 58 text

See an example! auth0/angularjs-jwt-authentication-tutorial

Slide 59

Slide 59 text

Thanks! @mgonto

Slide 60

Slide 60 text

Appendix

Slide 61

Slide 61 text

Confidential info, encrypt it

Slide 62

Slide 62 text

Social auth

Slide 63

Slide 63 text

Tokens can get big
Don’t over-engineer
Don’t do fine-grained permissions
Define scopes

Slide 64

Slide 64 text

How to deal with protected images? Create signed requests (single URI authorization)
https://github.com/hueniverse/hawk#single-uri-authorization