GENERATE A RANDOM AUTH TOKEN

  class User < ActiveRecord::Base   # superclass assumed; the slide shows only `class User`
    # Assign a token before every save, retrying until no other user holds it.
    before_save :generate_auth_token

    def generate_auth_token
      loop do
        self.auth_token = Devise.friendly_token   # URL-safe random string from Devise
        # find_by_auth_token is a dynamic finder on the auth_token column
        break if User.find_by_auth_token(auth_token).nil?
      end
    end
  end
Slide 8
PROBLEMS WITH THE SINGLE ACCESS TOKEN APPROACH
Slide 9
STORING IT IN PLAIN TEXT
Slide 10
Is it the same as storing passwords in plain text?
ALMOST.
Slide 11
Passwords
• when compromised are difficult to change
• reveal information about people who created them
• people use them across several services
Slide 12
Authentication Tokens
• auto-generated, random, unique (not shared across multiple services)
• when compromised can be renewed easily with little user inconvenience
Slide 13
NAIVE IMPLEMENTATIONS NEVER EXPIRE THEM
Slide 14
03
SINGLE HASHED ACCESS TOKEN PER USER
Slide 15
NOT STORING IT IN PLAIN TEXT
Slide 16
PROBLEMS WITH THE SINGLE HASHED ACCESS TOKEN APPROACH
Slide 17
BROWSER -> SERVER: [email protected]&PASSWORD=PASS123
SERVER -> BROWSER: ACCESS_TOKEN=RAND0M$TR1N6
MOBILE -> SERVER: [email protected]&PASSWORD=PASS123
SERVER -> MOBILE: ACCESS_TOKEN=ANOTHER-RAND0M$TR1N6
Slide 18
04
MULTIPLE HASHED ACCESS TOKENS PER USER
Slide 19
MAINTAINING A SEPARATE TABLE OF ACCESS TOKENS
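The separate-table design, as an added example that is not code from the talk: an in-memory stand-in for an access_tokens table where each row holds a user id, the SHA-256 digest of one token and an expiry. It also covers the hashed-storage and expiry points from the earlier slides: the browser and mobile clients each get their own token, revoking one leaves the other working, and expired rows are ignored. The class and method names (AccessTokenStore, issue, authenticate, revoke) and the 24-hour default lifetime are assumptions.

```ruby
require 'securerandom'
require 'digest'

# Added example, not the talk's code: an in-memory stand-in for a separate
# access_tokens table. Each row keeps the user id, the SHA-256 digest of one
# token (never the plaintext) and an expiry. Class and method names are assumed.
class AccessTokenStore
  Row = Struct.new(:user_id, :digest, :expires_at, :client)

  # ttl: token lifetime in seconds; clock: injectable so expiry can be tested.
  def initialize(ttl: 24 * 3600, clock: -> { Time.now })
    @rows = []
    @ttl = ttl
    @clock = clock
  end

  # Issue a token for a user. The plaintext is returned exactly once so it can
  # be handed to the client; only its digest is stored.
  def issue(user_id, client: 'unknown')
    token = SecureRandom.urlsafe_base64(32) # 256 bits of randomness
    @rows << Row.new(user_id, digest_of(token), @clock.call + @ttl, client)
    token
  end

  # Look up the presented token by digest. Returns the user id, or nil when
  # the token is unknown or expired (an expired row behaves as if absent).
  def authenticate(token)
    row = @rows.find { |r| r.digest == digest_of(token) }
    return nil if row.nil? || row.expires_at <= @clock.call
    row.user_id
  end

  # Revoke only the presented token ("log out this device"). Returns true if
  # a row was removed.
  def revoke(token)
    d = digest_of(token)
    before = @rows.size
    @rows.reject! { |r| r.digest == d }
    @rows.size < before
  end

  # Revoke every token of a user, e.g. after a password change.
  def revoke_all(user_id)
    @rows.reject! { |r| r.user_id == user_id }
    nil
  end

  # Number of unexpired tokens a user currently holds.
  def active_count(user_id)
    now = @clock.call
    @rows.count { |r| r.user_id == user_id && r.expires_at > now }
  end

  private

  # A leaked table exposes only digests; a stolen digest cannot be presented
  # as a token, because the lookup hashes whatever the client sends.
  def digest_of(token)
    Digest::SHA256.hexdigest(token)
  end
end

if __FILE__ == $0
  store = AccessTokenStore.new(ttl: 3600)
  browser = store.issue(1, client: 'browser')
  mobile  = store.issue(1, client: 'mobile')
  puts "both valid: #{store.authenticate(browser) == 1 && store.authenticate(mobile) == 1}"
  store.revoke(browser)
  puts "browser revoked, mobile still valid: #{store.authenticate(browser).nil? && store.authenticate(mobile) == 1}"
end
```

In a real Rails app the array becomes a table with a unique index on the digest column, and the `find` becomes a `WHERE digest = ?` lookup; the important property is the same: the plaintext token exists only on the client, and each device can be logged out on its own.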
Slide 20
COMPLICATING TOO MUCH...
Slide 21
ROLLING YOUR OWN AUTHENTICATION SYSTEM
Slide 22
01
WHO ARE WE?
Slide 23
WHY DON’T WE TRY TO DO THE SAME THING AS RAILS APPS REGULARLY DO?
Slide 24
05
RAILS SESSION STORAGE
Slide 25
session[:user_id] = current_user.id
Slide 26
CLIENT -> SERVER: [email protected]&PASSWORD=PASS123
SERVER -> CLIENT: SET-COOKIE: PRODUCTIVE_SESSION=23OFSKL932RDASDAFSFJ23
Slide 27
User.find(session[:user_id])
Slide 28
STATELESS
Slide 29
WE COULD DO SOMETHING SIMILAR…
…OR FOLLOW AN INDUSTRY STANDARD
Slide 30
06
JSON WEB TOKENS
Slide 31
JSON Web Tokens are an open, industry standard method for representing claims securely between two parties.
Slide 32
CLIENT -> SERVER: [email protected]&PASSWORD=PASS123
SERVER -> CLIENT: ACCESS_TOKEN=33WE.DAS3Q.ADAS
Slide 33
TO THE API CONSUMER IT CAN LOOK RANDOM...
BUT IT’S MUCH MORE

BODY CLAIMS
iss: The issuer of the token
sub: The subject of the token
aud: The audience of the token
exp: The expiration time, as a NumericDate value
nbf: The time before which the JWT MUST NOT be accepted for processing
iat: The time the JWT was issued; can be used to determine the age of the JWT
Slide 43
BASE64 ENCODED BODY
eyJpc3MiOiJzY290Y2guaW8iLCJleHAiOjE
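What sits behind the "random-looking" token, as an added example that is not code from the talk: a minimal HS256 JWT issuer and verifier built only from the Ruby standard library. It shows the base64url header, body and signature parts, decodes the body the way any API consumer can, and verifies a token the way the server must: signature first, then the exp, nbf and iss claims listed above. The module and method names, the shared secret and the claim values are constructed for this example.

```ruby
require 'json'
require 'openssl'

# Added example, not the talk's code: a minimal HS256 JSON Web Token issuer and
# verifier from the Ruby standard library. Secret and claim values are constructed.
module MiniJWT
  SECRET = 'example-shared-secret-not-for-production' # constructed placeholder

  # base64url (RFC 4648 section 5) without padding, as JWT requires.
  def self.b64url(data)
    [data].pack('m0').tr('+/', '-_').delete('=')
  end

  def self.b64url_decode(str)
    s = str.tr('-_', '+/')
    s += '=' * ((4 - s.size % 4) % 4)
    s.unpack1('m0') # raises ArgumentError on invalid input
  end

  # Build header.payload.signature; the HMAC-SHA256 covers the two encoded parts.
  def self.sign_hs256(payload, secret: SECRET)
    header = { alg: 'HS256', typ: 'JWT' }
    signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
    sig = OpenSSL::HMAC.digest('SHA256', secret, signing_input)
    "#{signing_input}.#{b64url(sig)}"
  end

  # Decode header and body WITHOUT verifying: this is all an API consumer needs
  # to read the claims. For inspection only; never make decisions on its output.
  def self.peek(token)
    h, p = token.split('.', -1).first(2)
    [JSON.parse(b64url_decode(h)), JSON.parse(b64url_decode(p))]
  end

  # Verify the signature, then the exp / nbf / iss claims.
  # Returns [true, payload] or [false, reason].
  def self.verify(token, secret: SECRET, issuer: nil, now: Time.now.to_i)
    parts = token.split('.', -1)
    return [false, 'malformed'] unless parts.size == 3
    header = JSON.parse(b64url_decode(parts[0]))
    # Accept only the algorithm the server issues. The token's own alg field is
    # client-controlled, so "alg":"none" or any other value is rejected outright.
    return [false, 'bad alg'] unless header['alg'] == 'HS256'
    expected = OpenSSL::HMAC.digest('SHA256', secret, "#{parts[0]}.#{parts[1]}")
    return [false, 'bad signature'] unless secure_equal(expected, b64url_decode(parts[2]))
    payload = JSON.parse(b64url_decode(parts[1]))
    return [false, 'expired'] if payload.key?('exp') && now >= payload['exp']
    return [false, 'not yet valid'] if payload.key?('nbf') && now < payload['nbf']
    return [false, 'wrong issuer'] if issuer && payload['iss'] != issuer
    [true, payload]
  rescue JSON::ParserError, ArgumentError, TypeError, NoMethodError
    [false, 'malformed']
  end

  # Constant-time comparison so signature checking does not leak matching bytes.
  def self.secure_equal(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $0
  claims = { iss: 'example-issuer', sub: 42, iat: 1_700_000_000, exp: 1_700_003_600 }
  token = MiniJWT.sign_hs256(claims)
  puts token                       # three base64url parts joined by dots
  p MiniJWT.peek(token)            # readable header and body, no secret needed
  p MiniJWT.verify(token, issuer: 'example-issuer', now: 1_700_000_010)
end
```

The order inside `verify` matters: the signature is checked before any claim is read, so nothing in an unsigned or forged body influences the outcome, and the claims are compared against the server's clock, not a time supplied by the client.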