GITHUB PACKAGES
• jenssegers/optimus - ID obfuscation
• jenssegers/agent - User agent parsing, mobile & bot detection
• jenssegers/date - Localized dates
• jenssegers/imagehash - Perceptual image hashes
teamleader.eu/jobs
JSON WEB TOKENS
AKA. JWT
JWT, WHAT?
JSON Web Token is an open standard that defines a compact and
self-contained way for securely transmitting information between
parties as a JSON object
JWT EXAMPLE
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.
TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
SIGNATURE PURPOSE
• Signatures are calculated using symmetric or asymmetric
cryptography.
• The signature provides proof of authenticity and integrity for the JWT data.
SYMMETRIC SIGNATURES (HMAC)
• Both parties share a secret key
• The sender calculates the signature using the secret key
• The receiver re-calculates the signature with the same key and compares it
with the received signature
ASYMMETRIC SIGNATURES (RSA)
• The sender shares his public key with the receiver
• The sender calculates the signature by hashing the data and
encrypting the hash with his private key
• The receiver validates the signature by decrypting it with the
public key of the sender and comparing the result with his own hash of the data
SIGNATURE PURPOSE
• Authenticity: only parties with the secret key can generate a
valid signature
• Integrity: you can't change the JWT data without generating a
new signature
• No secrecy! The payload is only encoded, so anyone holding the token can
read it. Alternative: JSON Web Encryption (JWE)
JWT.IO
USE CASES
INFORMATION EXCHANGE
POST /transfer
{
"to": "171RaSzy9GYHCA8TuLYN5mwTWs3nnARfMZ",
"amount": 1,
"currency": "BTC"
}
POST /transfer
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJ0byI6IjE3MVJhU3p5OUdZSENBOFR1TFlONW13VFdzM25uQVJmTVoiLCJhbW91bnQiOjF9.
MW_K5DZTYCJADOp9ArTKIwB8m4knAG-Pdv_V9xXId2I
STATELESS AUTHENTICATION
BUT FIRST ...
WHAT IS STATEFUL AUTHENTICATION?
STATEFUL AUTHENTICATION
1. User submits credentials
2. Server generates a unique session id
3. Session information is stored server side
4. Server responds with a cookie containing the session id
5. On every request the session and user data are fetched from the
database/redis
STATEFUL AUTHENTICATION
• Cookies are bad for caching
• Cookies are bad for CORS
• Servers need a shared session storage
• Servers need to query the storage to verify the session and get user/session
information
HELLO 2017 !
STATELESS AUTHENTICATION
WITH JWT
STATELESS AUTHENTICATION WITH JWT
1. User submits credentials
2. Server responds with a JWT identifying the user
3. On every request the client sends the received JWT in the
Authorization header
4. The server verifies the JWT by checking the signature; no session lookup is needed
OAUTH2?
OAUTH2 AND JWT
JWT access tokens containing the user identifier and scopes.
{
"iss": "teamleader",
"sub": "423523:534534",
"exp": 1483711650,
"iat": 1483708050,
"scopes": ["companies", "contacts"]
}
ADVANTAGES
• No need for an access token table
• No database calls to validate the access token, get the user id,
scopes, ...
• Possibility to have shared tokens across mul
DISADVANTAGES
• Access tokens can't easily be revoked, unless you keep a list of
tokens to revoke
• Best practice: give tokens a short TTL
• The more embedded data, the bigger the JWT. No fixed size.
• Not encrypted, unless you use JWE
• Token data can go stale until the token is refreshed
MIDDLEWARE EXAMPLE
// Extract the bearer token from the Authorization header
$token = $this->getBearerTokenFromRequest($request);
$jwt = (new \Lcobucci\JWT\Parser())->parse($token);
// Re-calculate the HMAC-SHA256 signature with the shared secret and compare
if (!$jwt->verify(new \Lcobucci\JWT\Signer\Hmac\Sha256(), 'secret')) {
throw new BadRequestException('Invalid token');
}
// A valid signature is not enough: also reject tokens past their exp claim
if (!$jwt->validate(new \Lcobucci\JWT\ValidationData())) {
throw new BadRequestException('Expired token');
}
$identifier = $jwt->getClaim('sub');
$scopes = $jwt->getClaim('scopes');
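The following is an added example, not code from the slides or from Teamleader. It does in Python with only the standard library what the HMAC signature slides and the middleware slide describe: build the three base64url segments of an HS256 token, let the receiver recompute the HMAC over header.payload and compare it in constant time, enforce the exp claim, and then pull sub and scopes out of a Bearer token the way the middleware above does. The shared secret and the request headers are constructed for the example; the claims are the ones from the OAuth2 slide, and the PAGE_TOKEN is the example token shown earlier in the deck, decoded here without verification only to show its structure.

```python
import base64
import hashlib
import hmac
import json
import time


class InvalidToken(Exception):
    """Raised for any token the middleware must reject."""


def b64url_encode(raw: bytes) -> str:
    # JWT uses unpadded base64url for all three segments
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Re-add the padding that JWT strips before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Sender side: header.payload.signature with HMAC-SHA256 over header.payload."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    tag = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def decode_claims_unverified(token: str) -> dict:
    """Read the payload without checking anything; for inspection only, never for authz."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Receiver side: recompute the HMAC, compare in constant time, then check exp."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("token must have exactly three dot-separated parts")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    # The verifier pins the algorithm; the token's own header never chooses it
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg in header")
    expected = hmac.new(secret, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise InvalidToken("signature mismatch")
    claims = json.loads(b64url_decode(p64))
    now = int(time.time()) if now is None else now
    # A short TTL only helps if the receiver actually enforces exp
    if "exp" in claims and now >= int(claims["exp"]):
        raise InvalidToken("token expired")
    return claims


def authenticate_request(headers: dict, secret: bytes, now=None):
    """Middleware step: Bearer token from the Authorization header -> (sub, scopes)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        raise InvalidToken("missing bearer token")
    claims = verify_hs256(token, secret, now)
    return claims["sub"], list(claims.get("scopes", []))


# Constructed sample data: the claims from the OAuth2 slide and a made-up secret
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_CLAIMS = {
    "iss": "teamleader",
    "sub": "423523:534534",
    "exp": 1483711650,
    "iat": 1483708050,
    "scopes": ["companies", "contacts"],
}
# The example token from the JWT EXAMPLE slide (decoded below, not verified)
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9."
    "TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ"
)

if __name__ == "__main__":
    print("slide token header :", json.loads(b64url_decode(PAGE_TOKEN.split(".")[0])))
    print("slide token payload:", decode_claims_unverified(PAGE_TOKEN))
    token = sign_hs256(SAMPLE_CLAIMS, SAMPLE_SECRET)
    print("signed:", token)
    sub, scopes = authenticate_request({"Authorization": "Bearer " + token}, SAMPLE_SECRET, now=1483710000)
    print("authenticated", sub, "with scopes", scopes)
    for label, hdrs, when in [
        ("expired token", {"Authorization": "Bearer " + token}, 1483711650),
        ("wrong scheme", {"Authorization": "Basic " + token}, 1483710000),
    ]:
        try:
            authenticate_request(hdrs, SAMPLE_SECRET, now=when)
        except InvalidToken as exc:
            print(label, "rejected:", exc)
```

Two choices matter for a verifier that has nothing but the token to go on: the algorithm is fixed by the receiver rather than read from the header, and the signature comparison uses hmac.compare_digest so that a byte-by-byte mismatch does not leak timing. The exp check is what turns the "short TTL" advice from the disadvantages slide into an actual control.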
JWT AT TEAMLEADER
• JWT OAuth2 access tokens, RSA signed (league/oauth2-server)
• Separate OAuth2 micro-service; the access tokens are accepted across the
micro-service APIs
• Marketplace shares user information between front-end and back-end
using a JWT