Authentication with JSON Web Tokens

Transcript

1. Authentication with JSON Web Tokens by Anton Egorov April 2017

2. Who am I? • Software Engineer with 10 years of

   experience • Working on Web and Mobile project • Scripting mostly with Python and JavaScript • CTO and Founder at sabaka.io

3. Never heard about JWT before?

4. It’s ok, no shame

5. Alternatives you used before

6. Cookie-based Auth POST /auth?user=…&pass=… Set-Cookie: session=… GET /api; Cookie: session=…

   HTTP OK new session find session Client app.example.com Server app.example.com

7. Whats wrong with Cookies? • Cookies could be stolen and

   used for authentication until they expire some day • Its hard to invalidate sessions • You have to manage and scale session storage for your web servers • You have to configure CORS for your API requests if they are on a different domain

8. Self-managed API keys • You can issue an manage some

   sort of API keys for your clients manually • You have to do everything from scratch: issuing, authorization, expiration, invalidation • You key will be just an authentication token

9. There is a better way

10. JSON Web Token • Three parts separated by dots: Header,

    Payload, Signature • Header typically has a token type and an algorithm being used (HMAC SHA256 or RSA) • Payload contains claims, reserved (iat, exp, nbf, iss, aud) and custom (e.g. name, email) • Signature is a concatenation of an encoded header and a payload plus a secret signed by an algorithm specified in the header

11. Header { "alg": "HS256", "typ": "JWT" } eyJhbGciOiJIUzI1NiIsInR5 cCI6IkpXVCJ9 base64

    encode

12. Payload { "exp": "1492714800000", "name": "Anton Egorov", "uid": "c2F0eXJpdXMK" }

    eyJuYW1lIjoiQW50b24gRWdvcm92Iiwi ZXhwIjoxNDkyNzE0ODAwMDAwLCJhZG1p biI6dHJ1ZX0 base64 encode

13. Signature HMAC_SHA256( urlsafe_b64encode(header) + '.' + urlsafe_b64encode(payload), 'my_secret' ) x3kAwPPiHtO6YQLE4otr917BOvwYUY_L

    h7NKZQKaB6o base64 encode

14. Token eyJhbGciOiJIUzI1NiIsInR5cCI6IkpX VCJ9.eyJuYW1lIjoiQW50b24gRWdvcm9 2IiwiZXhwIjoxNDkyNzE0ODAwMDAwLCJ hZG1pbiI6dHJ1ZX0.x3kAwPPiHtO6YQL E4otr917BOvwYUY_Lh7NKZQKaB6o

15. PyJWT import jwt payload = { 'exp': 1492714800000, 'name': 'Anton

    Egorov', 'uid': 'c2F0eXJpdXMK', } key = 'my_secret' jwt.encode(payload, key, algorithm='HS256')

16. Application

17. JWT-based Auth POST /auth?user=…&pass=… {"token": "eyJhbGciOi…"} GET /api; Authentication: eyJhbGciOi…

    HTTP OK new token validate token Client app.example.com Server api.example.com

18. What’s the difference? • No Cookies means you don’t need

    to care about CORS and CSRF • Stateless, no session storage management • Mobile ready

19. More advantages • Self-contained. The payload contains all the required

    information about the user. • Compact. Because of their smaller size, JWTs can be sent through a URL, POST parameter, or inside a HTTP header. • Secure. Information can be verified and trusted because it is cryptographically signed.

20. Steps to implement • Endpoint to get a new JWT

    • Auth framework should accept Authentication header with JWT (e.g. create a middleware) • Take care of invalidation for long-live tokens

21. Get ready for Production

22. How to Secure JWT • Always verify the signature and

    claims (e.g exp) before you trust any information in the JWT. PyJWT does it for you by default. • Secure the secret signing key used for creating and verifying the signature • Do not put any sensitive data in a JWT • Use asymmetric encryption (RSA / ECDSA)

23. Refresh token • Access tokens carry the necessary information to

    access a resource directly (short-lived) • Refresh tokens carry the information necessary to get a new access token (long-lived) • Refresh tokens improve security and allow for reduced latency

24. Links • https://jwt.io • https://github.com/jpadilla/pyjwt • https://github.com/GetBlimp/django-rest- framework-jwt • https://github.com/jpadilla/django-jwt-auth

    • https://github.com/mattupstate/flask-jwt

25. Questions? [email protected]