Slide 1

Slide 1 text

JSON WEB TOKENS JENS SEGERS

Slide 4

Slide 4 text

GITHUB PACKAGES
• jenssegers/optimus - ID obfuscation
• jenssegers/agent - User agent parsing, mobile & bot detection
• jenssegers/date - Localized dates
• jenssegers/imagehash - Perceptual image hashes

Slide 6

Slide 6 text

JSON WEB TOKENS AKA. JWT

Slide 7

Slide 7 text

JSON WEB TOKENS AKA. JWT AKA. JOT?

Slide 8

Slide 8 text

JWT, WHAT? JSON Web Token is an open standard that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.

Slide 10

Slide 10 text

JWT EXAMPLE

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.
TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

Slide 11

Slide 11 text

JWT EXAMPLE

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.
TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

1. Header
2. Payload
3. Signature

Slide 12

Slide 12 text

HEADER

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.
TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

{
  "alg": "HS256",
  "typ": "JWT"
}

Slide 13

Slide 13 text

PAYLOAD (CLAIMS)

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.
TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

{
  "iss": "acme.com",
  "sub": "1234567890",
  "exp": 1483711650,
  "name": "John Doe",
  "admin": true
}

Slide 14

Slide 14 text

SIGNATURE

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.
TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

// HS256: HMAC over the encoded header and the encoded payload (both parts are
// base64-encoded, never decoded); the raw HMAC bytes become the third segment
hash_hmac(
    'sha256',
    base64_encode($header) . '.' . base64_encode($payload),
    'secret-passphrase',
    true
)

Slide 15

Slide 15 text

SIGNATURE

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.
TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

// RS256: the same signing input, signed with the private key instead of a shared secret
openssl_sign(
    base64_encode($header) . '.' . base64_encode($payload),
    $signature,
    openssl_pkey_get_private('file://key.pem'),
    OPENSSL_ALGO_SHA256
)
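The HMAC construction from the SIGNATURE slide worked through as a complete issue-and-verify routine in plain PHP. This is an added example, not code from the slides or from any of the packages the deck lists; it uses the base64url encoding that JWT actually specifies (the slide's base64_encode is a simplification), pins the algorithm instead of trusting the token's "alg" header, compares signatures in constant time and checks "exp". The secret and the claims are placeholders.

```php
<?php
// Added example (not from the slides): minimal HS256 JWT issue/verify.
// Assumes PHP >= 7.1; $secret is a placeholder, claims mirror the deck's payload.

function base64url_encode(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode(string $data): string {
    $padded = strtr($data, '-_', '+/') . str_repeat('=', (4 - strlen($data) % 4) % 4);
    return base64_decode($padded, true) ?: '';
}

function jwt_encode_hs256(array $claims, string $secret): string {
    $header  = base64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = base64url_encode(json_encode($claims));
    // Raw HMAC bytes (4th arg true), then base64url: that is the third segment.
    $sig = hash_hmac('sha256', $header . '.' . $payload, $secret, true);
    return $header . '.' . $payload . '.' . base64url_encode($sig);
}

function jwt_decode_hs256(string $token, string $secret, ?int $now = null): array {
    $parts = explode('.', $token);
    if (count($parts) !== 3) { throw new RuntimeException('Malformed token'); }
    [$h, $p, $s] = $parts;
    $header = json_decode(base64url_decode($h), true);
    // Pin the algorithm: the verifier decides how to verify, not the token.
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        throw new RuntimeException('Unexpected alg');
    }
    $expected = hash_hmac('sha256', $h . '.' . $p, $secret, true);
    // Constant-time comparison so the check does not leak via timing.
    if (!hash_equals($expected, base64url_decode($s))) {
        throw new RuntimeException('Bad signature');
    }
    $claims = json_decode(base64url_decode($p), true);
    if (!is_array($claims)) { throw new RuntimeException('Malformed payload'); }
    // A valid signature says nothing about freshness: enforce "exp" here.
    if (isset($claims['exp']) && ($now ?? time()) >= $claims['exp']) {
        throw new RuntimeException('Token expired');
    }
    return $claims;
}

$secret = 'secret-passphrase'; // placeholder, load from configuration in practice
$token  = jwt_encode_hs256(['sub' => '1234567890', 'name' => 'John Doe', 'admin' => true, 'exp' => time() + 300], $secret);
print_r(jwt_decode_hs256($token, $secret)); // round trip succeeds

// Editing the payload without the secret breaks the signature and is rejected.
[$h, $p, $s] = explode('.', $token);
$forged = $h . '.' . base64url_encode('{"sub":"1234567890","name":"Mallory","admin":true}') . '.' . $s;
try { jwt_decode_hs256($forged, $secret); } catch (RuntimeException $e) { echo 'Rejected: ', $e->getMessage(), PHP_EOL; }
```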

Slide 16

Slide 16 text

SIGNATURE PURPOSE It provides proof of authenticity and integrity for the JWT data.

Slide 17

Slide 17 text

CRYPTOGRAPHY 101

Slide 21

Slide 21 text

SYMMETRIC SIGNATURES
• All parties involved share a secret key
• The sender calculates the signature using the secret key
• The receiver re-calculates the signature and compares it with the received signature

Slide 24

Slide 24 text

ASYMMETRIC SIGNATURES
• The sender shares his public key with the receiver
• The sender calculates the signature by hashing the data and encrypting it with his private key
• The receiver validates the signature by decrypting the signature with the public key and compares the result with the original message

Slide 25

Slide 25 text

SIGNATURE RECAP
• Authenticity: Only trusted parties can generate and verify signatures
• Integrity: You can't change the JWT data without regenerating a new signature
• No secrecy! Alternative: JSON Web Encryption (JWE)

Slide 27

Slide 27 text

USE CASES

Slide 28

Slide 28 text

JWT, WHAT? JSON Web Token is an open standard that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.

Slide 29

Slide 29 text

INFORMATION EXCHANGE

Slide 30

Slide 30 text

INFORMATION EXCHANGE

POST /transfer
{
  "to": "171RaSzy9GYHCA8TuLYN5mwTWs3nnARfMZ",
  "amount": 1,
  "currency": "BTC"
}

POST /transfer
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJ0byI6IjE3MVJhU3p5OUdZSENBOFR1TFlONW13VFdzM25uQVJmTVoiLCJhbW91bnQiOjF9.
MW_K5DZTYCJADOp9ArTKIwB8m4knAG-Pdv_V9xXId2I

Slide 31

Slide 31 text

TEMPORARY LINKS public.acme.com/mQsh79zqGb9pxGz2...

Slide 33

Slide 33 text

TEMPORARY LINKS

{
  "sub": 1234567890,
  "exp": 1483711650,
  "version": 1
}

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwiZXhwIjoxNDgzNzExNjUwfQ.
NkHLOdRpIcDahCuJyRpOEUwebxWcs4LobzCksk1z_lc

Slide 34

Slide 34 text

STATELESS AUTHENTICATION

Slide 35

Slide 35 text

BUT FIRST ... WHAT IS STATEFUL AUTHENTICATION?

Slide 36

Slide 36 text

STATEFUL AUTHENTICATION
1. User submits credentials
2. Server generates a unique session id
3. Session information is stored server side
4. Responds with a cookie containing the session id
5. On every request the session and user data is fetched from the database/redis

Slide 37

Slide 37 text

STATEFUL AUTHENTICATION
• Cookies are bad for caching
• Cookies are bad for CORS
• Servers need a shared session storage
• Servers need to query the storage to verify and get user/session information

Slide 38

Slide 38 text

HELLO 2018

Slide 39

Slide 39 text

STATELESS AUTHENTICATION WITH JWT

Slide 40

Slide 40 text

STATELESS AUTHENTICATION WITH JWT
1. User submits credentials
2. (Authentication) Server responds with a JWT identifying the user
3. On every request the client sends the received JWT in the Authorization header
4. The server verifies the JWT by checking the signature

Slide 41

Slide 41 text

OAUTH2?

Slide 43

Slide 43 text

OAUTH2 AND JWT JWT access tokens containing user identifier and scopes.

{
  "iss": "teamleader",
  "sub": "423523:534534",
  "exp": 1483711650,
  "iat": 1483708050,
  "scopes": ["companies", "contacts"]
}

Slide 44

Slide 44 text

ADVANTAGES
• No need for an access token table
• The client can check if the token is expired
• No database calls to validate the access token, get the user id, scopes, ...
• Possibility to have shared tokens across multiple micro-services

Slide 47

Slide 47 text

DISADVANTAGES
• Access tokens can't easily be revoked, unless you keep a list of tokens to revoke
• Best practice to have a short TTL
• The more embedded data, the bigger the JWT. No fixed size.
• Not encrypted, unless you use JWE
• Token data can go stale

Slide 48

Slide 48 text

PHP PACKAGES
• league/oauth2-server
• lcobucci/jwt
• firebase/php-jwt

Slide 49

Slide 49 text

MIDDLEWARE EXAMPLE

$token = $this->getBearerTokenFromRequest($request);
$jwt = (new \Lcobucci\JWT\Parser())->parse($token);

// verify() also refuses tokens whose "alg" header does not match the HS256 signer
if (!$jwt->verify(new \Lcobucci\JWT\Signer\Hmac\Sha256(), 'secret')) {
    throw new BadRequestException('Invalid token');
}

// a valid signature says nothing about expiry: check "exp" as well
if ($jwt->isExpired()) {
    throw new BadRequestException('Expired token');
}

$identifier = $jwt->getClaim('sub');
$scopes = $jwt->getClaim('scopes');

Slide 50

Slide 50 text

JWT AT TEAMLEADER
• JWT OAuth2 access tokens, RSA signed (league/oauth2-server)
• Separate OAuth2 micro-service, access tokens accepted across the micro-services' APIs
• Temporary access links
• Store JWT data in a cookie for some small micro-services

Slide 51

Slide 51 text

Questions?