jsconf.uy - Death to Cookies Long Live Tokens

Transcript

1. Death to Cookies Long Live Tokens @woloski @jfroma

2. None
3. None

4. Client Database auth persistent connection 1990’s Client Server Life was

   easy

5. Workstation Browser Database auth 2000’s Intranet Web Server Active Directory

   kerberos token Life inside corp

6. Workstation Browser Database Internet Web Server auth C C E-commerce

7. Browser Database Today’s applications Web Server (Scala) API (Ruby) API

   (Node) Phones Tablets Realtime (Sockets) API (Facebook) C M A A A AT

8. +80K Views

9. None

10. Cookie-based auth is a sub- optimal solution for today’s systems

11. Set-Cookie + CORS = doesn’t play well 1

12. Cookies are coupled to the web framework ! If you

    try to reuse a cookie issued by Java in Node, not easy 2

13. APIs don’t use cookies, native apps either 3

14. Cookies lead to CSRF attacks <iframe  style="display:none"  name="hidden"></iframe>   <form

     name="csrf"                action="http://example.org/account/edit"                method="post"                target="hidden">   <input  type="hidden"  name="email"  value="[email protected]"  />   <script>document.csrf.submit();</script> 4

15. http://tools.ietf.org/html/draft-ietf-oauth-json-web-token

16. How it works?

17. Not everything is pink color

18. art: http://abeon-hosting.com/security-blog/xss-attack-in-action-cookie-stealer/ Tokens XSS

19. Sanitize and encode everything ! Google Caja https://developers.google.com/caja/

20. Try token-based authentication in your next project

21. TOOOOOOOOKEEEENS

22. Thanks! @woloski @jfroma blog.auth0.com jwt.io

23. Appendix

24. None
25. None

26. JWT JSON Web Tokens eyJ0eXAiOiJKV1QiLC JhbGciOiJIUzI1NiJ9   .eyJ1c2VyX2lkIjoiM TIzNDUiLCJlbWFpbCI 6ImZvb0BiYXIuY29tI

    iwiZXhwIjoxMzkyMzI zMzQwLCJpYXQiOjEzO TIzMTYxNDB9   .KQma3tquGF_zKbLdX HV4zNJAupdHJdIk6L2 g6R8kcAY   ! ! {        "typ":"JWT",      "alg":"HS256"   } {        "user_id":  "12345",      "email"  :  "[email protected]",      "exp":  1392323340,      "iat":  1392316140   } HMACSHA256(            base64UrlEncode(header)        +  "."  +      base64UrlEncode(payload),        "secret")   ! header payload signature encoded decoded

27. Token expires, deal with refresh

28. Confidential info, encrypt it

29. Social auth

30. Tokens can get big Don’t over engineer Don’t do fine

    grained permissions Define scopes

31. How to deal with protected images? https://github.com/hueniverse/hawk#single-uri-authorization Create signed requests

    (single URI authorization)