Slide 1

Slide 1 text

Death to Cookies, Long Live JSON Web Tokens

Slide 2

Slide 2 text

@woloski, CTO & Founder, Auth0; @mgonto, Dev Advocate, Auth0

Slide 3

Slide 3 text

Identity made simple for developers

Slide 4

Slide 4 text

The Following SESSION is Rated R for Live Coding on Stage. It has been approved for ALL Developers.

Slide 5

Slide 5 text

Authentication for Modern Applications using Tokens
angular-storage, angular-jwt, jwt-decode

Slide 6

Slide 6 text

Diagram "Most of the web": Browser, Web Server, auth; labels C, C

Slide 7

Slide 7 text

Diagram "modern apps": Browser, Web Server (PHP), Realtime (Node); labels C, M

Slide 8

Slide 8 text

Diagram "modern apps": Browser, Web Server (PHP), Realtime (Node); labels C, M. Cookies are coupled to the web framework.

Slide 9

Slide 9 text

Diagram "modern apps": Browser, Web Server (PHP), Realtime (Node), API (Node), Phones, Tablets; labels C, M, A, A

Slide 10

Slide 10 text

Diagram "modern apps": Browser, Web Server (PHP), Realtime (Node), API (Node), Phones, Tablets; labels C, M, A, A. APIs don’t use Cookies.

Slide 11

Slide 11 text

Diagram "modern apps": Browser, Web Server (PHP), Realtime (Node), API (Ruby), API (Node), Phones, Tablets; labels C, M, A, A, A

Slide 12

Slide 12 text

Diagram "modern apps": Browser, Web Server (PHP), Realtime (Node), API (Ruby), API (Node), AWS S3, Phones, Tablets; labels C, M, A, A, S, A

Slide 13

Slide 13 text

Diagram "modern apps": Browser, Web Server (Python), Realtime (Node), API (Ruby), API (Node), AWS S3, Phones, Tablets; labels C, M, A, A, S, A. Cookies don’t “flow”.

Slide 14

Slide 14 text

A better approach: Token-based Authentication with JSON Web Tokens (https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-30)

Slide 15

Slide 15 text

Demo time! auth0/angularjs-jwt-authentication-tutorial, auth0/spa-jwt-authentication-tutorial

Slide 16

Slide 16 text

TouchID flow:
1. Ask User to Login with TouchID
2. Is Private Key on KeyChain?
   No: Generate Key Pair and store in KeyChain; Store Public Key on Server
   Yes: continue
3. Generate JWT & Sign with Private Key
4. Validate JWT with Public Key on Server

Slide 17

Slide 17 text

auth0/TouchIDAuth (CocoaPods: pod “TouchIDAuth”)

Slide 18

Slide 18 text

Diagram "modern apps": Browser, Web Server (Python), Realtime (Node), API (Ruby), API (Node), AWS S3, Phones, Tablets

Slide 19

Slide 19 text

Win a Drone with JWTs! auze.ro/win-drone

Slide 20

Slide 20 text

T-shirts Bitcoins Stickers Drones Thanks!

Slide 21

Slide 21 text

Appendix

Slide 24

Slide 24 text

Token expires, deal with refresh

Slide 25

Slide 25 text

Confidential info, encrypt it

Slide 26

Slide 26 text

Social auth

Slide 27

Slide 27 text

Tokens can get big
Don’t over engineer
Don’t do fine grained permissions
Define scopes

Slide 28

Slide 28 text

How to deal with protected images? Create signed requests (single URI authorization): https://github.com/hueniverse/hawk#single-uri-authorization