Slide 1

Slide 1 text

REST Authentication with JWT
{ REST Authentication with JWT } - @ianaya89 1

Slide 2

Slide 2 text

Nacho Anaya (@ianaya89)
• Full Stack Developer, Tech Trainer & Speaker
• Ambassador @Auth0
• Organizer @Vuenos_Aires

Slide 3

Slide 3 text


Slide 4

Slide 4 text

Why token authentication?

Slide 5

Slide 5 text

Why token authentication? > Stateless

Slide 6

Slide 6 text

Why token authentication? > Decoupled

Slide 7

Slide 7 text

Why token authentication? > Scalable

Slide 8

Slide 8 text

Why JWT?

Slide 9

Slide 9 text

Why JWT? > Standard (RFC 7519)

Slide 10

Slide 10 text

Why JWT? > Self-contained

Slide 11

Slide 11 text

Why JWT? > Compact

Slide 12

Slide 12 text

Why JWT? > Signed (HMAC, RSA or ECDSA)

Slide 13

Slide 13 text

Why JWT? > JSON

Slide 14

Slide 14 text

What is JWT?

Slide 15

Slide 15 text

What is JWT? > header.payload.signature, each part Base64url-encoded

Slide 16

Slide 16 text

What is JWT?

Slide 17

Slide 17 text

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Slide 18

Slide 18 text

Payload

{
  "id": "1234567890",
  "name": "John Doe",
  "admin": true,
  "iss": "https://api.com",
  "exp": 1510745797148
}

Slide 19

Slide 19 text


Slide 20

Slide 20 text

✍ Signature

const data = base64urlEncode(header) + '.' + base64urlEncode(payload)

HMACSHA256(data, 'your_secret_message')

Slide 21

Slide 21 text


Slide 22

Slide 22 text


Slide 23

Slide 23 text

When to use it?

Slide 24

Slide 24 text

When to use it? > Authentication > Information exchange

Slide 25

Slide 25 text

Where to use it?

Slide 26

Slide 26 text

Where to use it? SPAs, mobile, serverless, IoT

Slide 27

Slide 27 text


Slide 28

Slide 28 text


Slide 29

Slide 29 text

REST APIs

Slide 30

Slide 30 text

How does it work with REST?

Slide 31

Slide 31 text


Slide 32

Slide 32 text

How does it work with REST? 1. Sends credentials

POST /login
{ "user": "ianaya89", "password": "dont-hack-me" }

Slide 33

Slide 33 text

How does it work with REST? 2. Creates JWT

const jwt = require('jsonwebtoken')
const router = require('express').Router()

// POST /login
function login (req, res, next) {
  // Validates user credentials...
  const payload = { user: 'ianaya89', role: 'admin' }
  const token = jwt.sign(payload, 'this_is_super_secret')
  res.status(201).send({ token: `Bearer ${token}` })
}

router.post('/login', login)

Slide 34

Slide 34 text

How does it work with REST? 3. Returns JWT

const jwt = require('jsonwebtoken')
const router = require('express').Router()

// POST /login
function login (req, res, next) {
  // Validates user credentials...
  const payload = { user: 'ianaya89', role: 'admin' }
  const token = jwt.sign(payload, 'this_is_super_secret')
  // The client stores this and sends it back on every request (step 4)
  res.status(201).send({ token: `Bearer ${token}` })
}

router.post('/login', login)

Slide 35

Slide 35 text

How does it work with REST? 4. Gets a resource

GET /resource
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkiLCJuYW1lIjoiSm9obiBEb2UiLCJhZG1pbiI6ZmFsc2V9.b99O1RrYbHtWJ3MGZXkdADZkmiLm9HNliRccKxMPDuc

Slide 36

Slide 36 text

How does it work with REST? 5. Verifies token

const jwt = require('jsonwebtoken')
const router = require('express').Router()

// GET /resource
function getResource (req, res, next) {
  // The token arrives as "Authorization: Bearer <token>" (step 4)
  const token = (req.headers.authorization || '').replace(/^Bearer /, '')
  try {
    // Throws if the signature does not match the secret or the token has expired
    const payload = jwt.verify(token, 'this_is_super_secret')
    // payload can be trusted from here on; the response is sent in step 6
  } catch (err) {
    return res.sendStatus(401)
  }
}

router.get('/resource', getResource)

Slide 37

Slide 37 text

How does it work with REST? 6. Sends response

const jwt = require('jsonwebtoken')
const router = require('express').Router()

// GET /resource
function getResource (req, res, next) {
  // The token arrives as "Authorization: Bearer <token>" (step 4)
  const token = (req.headers.authorization || '').replace(/^Bearer /, '')
  try {
    const payload = jwt.verify(token, 'this_is_super_secret')
    res.send('ok')
  } catch (err) {
    return res.sendStatus(401)
  }
}

router.get('/resource', getResource)

Slide 38

Slide 38 text

How does it work with REST? 6. Sends response (with a role check)

const jwt = require('jsonwebtoken')
const router = require('express').Router()

// GET /resource
function getResource (req, res, next) {
  // The token arrives as "Authorization: Bearer <token>" (step 4)
  const token = (req.headers.authorization || '').replace(/^Bearer /, '')
  try {
    const payload = jwt.verify(token, 'this_is_super_secret')
    // A valid token is not enough: the claims decide what this user may do
    if (payload.role !== 'admin') {
      return res.sendStatus(403)
    }
    res.send('ok')
  } catch (err) {
    return res.sendStatus(401)
  }
}

router.get('/resource', getResource)

Slide 39

Slide 39 text

Which languages are supported?

Slide 40

Slide 40 text

Which languages are supported? > "All" of them

Slide 41

Slide 41 text


Slide 42

Slide 42 text

Is JWT secure?

Slide 43

Slide 43 text


Slide 44

Slide 44 text

Is JWT secure? > Yes

Slide 45

Slide 45 text

Is JWT secure? > But...

Slide 46

Slide 46 text


Slide 47

Slide 47 text

Is JWT secure? > Anyone can view the content

Slide 48

Slide 48 text

Is JWT secure? > No one can modify it (a changed token fails signature verification)

Slide 49

Slide 49 text

Is JWT secure? > JWT is signed, not encrypted

Slide 50

Slide 50 text

Is JWT secure? > Keep your "secret" secret

Slide 51

Slide 51 text

Resources
• jwt.io
• jwt-handbook
• demo-auth-jwt-api

Slide 52

Slide 52 text


Slide 53

Slide 53 text

Thanks! @ianaya89 bit.ly/rest-auth-jwt