Successfully reported this slideshow.
Your SlideShare is downloading. ×

I Don't Care About Security

Apr. 06, 2018
0 likes 247 views
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Upcoming SlideShare
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)
Loading in …3
×

Check these out next

Dr.Repi
Driton Haliti
Index chrome
Heverton Peres
Google
soon
Havij dork
iyusrusnadi
Authentication
soon
Summit2014 topic 0066 - 10 enhancements that require 10 lines of code
Angel Borroy López
Poisoning Google images
lukash4
WordCamp Antwerp - 3/3/2018 - Debugging WordPress by Brecht Ryckaert
Brecht Ryckaert
1 of 96 Ad

I Don't Care About Security

Apr. 06, 2018
0 likes 247 views

Download to read offline

Internet

Remember that time where setting up a login page was easy? It seems like nowadays, it take many weeks to start a project just to create a signup form, a login form and a forget password screen. And that is if you don’t need 2 factor authentication or passwordless authentication. In a world of security breaches and privacy violations, it is important for developers to understand how modern identity work.

This talk will be in two parts.

For starters, the attendees will be introduced to modern security protocols like OpenID Connect and OAuth. The basics of token authentication will be explained using simple examples that are easy to understand. The concept of tokens will also be explained, more specifically how JWTs work.

In the second part of this presentation, the attendees will learn how to implement their own authentication server, how to secure their APIs and how to protect their Single Page Applications by making use of the protocols described in the first part.

Finally, the presenter will show the participants how to add Auth0 as an authentication server with minimal code changes and will demonstrate the simplicity of using a third party to handle login, signups, lost password as well as 2 factor authentication or passwordless logins.

Remember that time where setting up a login page was easy? It seems like nowadays, it take many weeks to start a project just to create a signup form, a login form and a forget password screen. And that is if you don’t need 2 factor authentication or passwordless authentication. In a world of security breaches and privacy violations, it is important for developers to understand how modern identity work.

This talk will be in two parts.

For starters, the attendees will be introduced to modern security protocols like OpenID Connect and OAuth. The basics of token authentication will be explained using simple examples that are easy to understand. The concept of tokens will also be explained, more specifically how JWTs work.

In the second part of this presentation, the attendees will learn how to implement their own authentication server, how to secure their APIs and how to protect their Single Page Applications by making use of the protocols described in the first part.

Finally, the presenter will show the participants how to add Auth0 as an authentication server with minimal code changes and will demonstrate the simplicity of using a third party to handle login, signups, lost password as well as 2 factor authentication or passwordless logins.

Internet
Advertisement

Recommended

I Don't Care About Security (And Neither Should You)
Joel Lord
123 views
99 slides
I Don't Care About Security (And Neither Should You)
Joel Lord
193 views
98 slides
Ruby Robots
Daniel Cukier
2k views
47 slides
Error found
sikushina
644 views
10 slides
Effectively Testing Services on Rails - Railsconf 2014
neal_kemp
1.2k views
76 slides
How to actually use promises - Jakob Mattsson, FishBrain
Codemotion Tel Aviv
1k views
66 slides
Dilon ki Islaah
Fahad Javed
938 views
75 slides
Accessible JavaScript applications
Stefan Feješ
205 views
72 slides
Advertisement

More Related Content

Slideshows for you (11)

Dr.Repi
Driton Haliti
216.8k views
Index chrome
Heverton Peres
158.9k views
Google
soon
977 views
Havij dork
iyusrusnadi
80.8k views
Authentication
soon
872 views
Summit2014 topic 0066 - 10 enhancements that require 10 lines of code
Angel Borroy López
741 views
Poisoning Google images
lukash4
4.7k views
WordCamp Antwerp - 3/3/2018 - Debugging WordPress by Brecht Ryckaert
Brecht Ryckaert
618 views
Clearance: Simple, complete Ruby web app authentication.
Jason Morrison
2k views
Deploying
soon
1.1k views
J Query - Your First Steps
Bronson Quick
988 views
Dr.Repi
Driton Haliti
216.8k views
30 slides
Index chrome
Heverton Peres
158.9k views
17 slides
Google
soon
977 views
41 slides
Havij dork
iyusrusnadi
80.8k views
5 slides
Authentication
soon
872 views
45 slides
Summit2014 topic 0066 - 10 enhancements that require 10 lines of code
Angel Borroy López
741 views
64 slides

Similar to I Don't Care About Security (20)

I Don't Care About Security (And Neither Should You)
Joel Lord
208 views
Modern API Security with JSON Web Tokens
Jonathan LeBlanc
3.5k views
I Don't Care About Security (And Neither Should You)
Joel Lord
232 views
Roll Your Own API Management Platform with nginx and Lua
Jon Moore
47.4k views
JavaScript Promise
Joseph Chiang
4.3k views
Going realtime with Socket.IO
Christian Joudrey
7.5k views
Quick run in with Swagger
Mesh Korea
3.9k views
Advanced CSRF and Stateless Anti-CSRF
johnwilander
7.6k views
Node.js Authentication and Data Security
Jonathan LeBlanc
2.9k views
RoadSec 2017 - Trilha AppSec - APIs Authorization
Erick Belluci Tedeschi
368 views
How to test complex SaaS applications - The family july 2014
Guillaume POTIER
669 views
An Introduction to OAuth2
Aaron Parecki
14.5k views
Mashing up JavaScript
Bastian Hofmann
1.1k views
Do you want a SDK with that API? (Nordic APIS April 2014)
Nordic APIs
2.1k views
The Current State of OAuth 2
Aaron Parecki
6k views
Angular js security
Jose Manuel Ortega Candel
485 views
Mashing up JavaScript – Advanced Techniques for modern Web Apps
Bastian Hofmann
4.7k views
What the Heck is OAuth and OpenID Connect - RWX 2017
Matt Raible
706 views
OAuth 2 at Webvisions
Aaron Parecki
4.2k views
External Data Access with jQuery
Doncho Minkov
18.1k views
I Don't Care About Security (And Neither Should You)
Joel Lord
208 views
99 slides
Modern API Security with JSON Web Tokens
Jonathan LeBlanc
3.5k views
41 slides
I Don't Care About Security (And Neither Should You)
Joel Lord
232 views
83 slides
Roll Your Own API Management Platform with nginx and Lua
Jon Moore
47.4k views
67 slides
JavaScript Promise
Joseph Chiang
4.3k views
28 slides
Going realtime with Socket.IO
Christian Joudrey
7.5k views
22 slides
Advertisement

More from Joel Lord (20)

From Ceasar Cipher To Quantum Cryptography
Joel Lord
403 views
I Don't Care About Security (And Neither Should You)
Joel Lord
669 views
I Don't Care About Security (And Neither Should You)
Joel Lord
154 views
I Don't Care About Security (And Neither Should You)
Joel Lord
321 views
Forgot Password? Yes I Did!
Joel Lord
430 views
I Don't Care About Security (And Neither Should You)
Joel Lord
153 views
Mot de passe oublié? Absolument!
Joel Lord
192 views
Asynchronicity: concurrency. A tale of
Joel Lord
283 views
Learning Machine Learning
Joel Lord
449 views
Forgot Password? Yes I Did!
Joel Lord
295 views
WTH is a JWT
Joel Lord
909 views
Forgot Password? Yes I Did!
Joel Lord
111 views
WTH is a JWT
Joel Lord
310 views
Asynchonicity: concurrency. A tale of
Joel Lord
358 views
Secure your SPA with Auth0
Joel Lord
328 views
Learning Machine Learning
Joel Lord
340 views
Learning Machine Learning
Joel Lord
241 views
Rise of the Nodebots
Joel Lord
259 views
Let's Get Physical
Joel Lord
279 views
Learning About Machine Learning
Joel Lord
308 views
From Ceasar Cipher To Quantum Cryptography
Joel Lord
403 views
185 slides
I Don't Care About Security (And Neither Should You)
Joel Lord
669 views
131 slides
I Don't Care About Security (And Neither Should You)
Joel Lord
154 views
128 slides
I Don't Care About Security (And Neither Should You)
Joel Lord
321 views
121 slides
Forgot Password? Yes I Did!
Joel Lord
430 views
61 slides
I Don't Care About Security (And Neither Should You)
Joel Lord
153 views
126 slides

Recently uploaded (20)

Understanding Website Traffic.pptx
aaravinfotech2
4 views
Journey-Mapping-Cancer-interactive.pdf
KarlaBouzas
3 views
Presentation23.pdf
VitaPestmanMackintos
3 views
tes.pptx
shifa_776
2 views
16 Strategies for Growth
Tami Reiss
311 views
Presentation 1 31 23.pptx
VLocators.com
3 views
Networking, Relationship Building, and Community
Michelle Ames
5 views
business model and internet of things
LobnaQassem1
3 views
Single page web apps.pptx
nskumar7
4 views
SEMINAR.pptx
SanjeetaPratihari
3 views
rty sdf.ppt
Haritha265233
4 views
A NOVEL METHODOLOGY FOR TASK DISTRIBUTION IN HETEROGENEOUS RECONFIGURABLE COM...
ijesajournal
4 views
Alphabet Animals.pdf
BemnetDemissew
0 views
The Hookup Plan By Farrah Rochon-pdfread.net.pdf
FranciscaPQuezadaMrt
0 views
Validation of vulnerabilities.pdf
Eoin Keary
2 views
erp_presentation.ppt
MSITCSEDepartment
0 views
Best Clothing Store for Tweens
Port 213
4 views
Costume music video (1).pdf
VitaPestmanMackintos
0 views
Microsoft Azure and Security Certifications Transportation Map
Carlo Sacchi
6 views
Modify Modal Presentation for Session Logout due to Inactivity.pptx
nskumar7
2 views
Understanding Website Traffic.pptx
aaravinfotech2
4 views
8 slides
Journey-Mapping-Cancer-interactive.pdf
KarlaBouzas
3 views
44 slides
Presentation23.pdf
VitaPestmanMackintos
3 views
4 slides
tes.pptx
shifa_776
2 views
7 slides
16 Strategies for Growth
Tami Reiss
311 views
38 slides
Presentation 1 31 23.pptx
VLocators.com
3 views
15 slides
Advertisement

I Don't Care About Security

  1. 1. I Don’t Care About Security And Neither Should You
  2. 2. @joel__lord #confoo About Me @joel__lord joellord
  3. 3. @joel__lord #CPL18 OAuth - Flows Authorization Code
  4. 4. @joel__lord #CPL18 OAuth - Flows Authorization Code
  5. 5. @joel__lord #CPL18 OAuth - Flows Authorization Code
  6. 6. That reminds me of OAuth!
  7. 7. @joel__lord #CPL18 OAuth - Flows Authorization Code
  8. 8. @joel__lord #CPL18 OAuth - Flows Authorization Code
  9. 9. @joel__lord #CPL18 OAuth - Flows Authorization Code
  10. 10. @joel__lord #CPL18 OAuth - Flows Authorization Code
  11. 11. @joel__lord #CPL18 OAuth - Flows Authorization Code
  12. 12. @joel__lord #CPL18 OAuth - Flows Authorization Code
  13. 13. But Why?
  14. 14. Delegation!
  15. 15. Traditional Applications ! Browser requests a login page
  16. 16. Traditional Applications ! Browser requests a login page
  17. 17. Traditional Applications ! Browser requests a login page
  18. 18. Traditional Applications ! Browser requests a login page ! The server validates on its database
  19. 19. Traditional Applications ! Browser requests a login page ! The server validates on its database 👍
  20. 20. Traditional Applications ! Browser requests a login page ! The server validates on its database ! It creates a session and provides a cookie identifier
  21. 21. What’s wrong with traditional auth? ! Multiple platforms connecting to your application
  22. 22. What’s wrong with traditional auth? ! Multiple platforms connecting to your application ! Tightly coupled
  23. 23. What’s wrong with traditional auth? ! Multiple platforms connecting to your application ! Tightly coupled ! Sharing credentials to connect to another API
  24. 24. What’s wrong with traditional auth? ! Multiple platforms connecting to your application ! Tightly coupled ! Sharing credentials to connect to another API ! Users have a gazillion passwords to remember, which increases security risks
  25. 25. OAuth
  26. 26. OAuth - The Flows Authorization Code
  27. 27. @joel__lord #CPL18 Authentication Flows Authorization Code
  28. 28. @joel__lord #CPL18 Authentication Flows Authorization Code
  29. 29. @joel__lord #CPL18 Authentication Flows Authorization Code
  30. 30. @joel__lord #CPL18 Authentication Flows Authorization Code
  31. 31. @joel__lord #CPL18 Authentication Flows Authorization Code
  32. 32. @joel__lord #CPL18 Authentication Flows Authorization Code
  33. 33. OAuth - The Flows Implicit Flow
  34. 34. @joel__lord #CPL18 Authentication Flows Implicit Flow
  35. 35. @joel__lord #CPL18 Authentication Flows Implicit Flow
  36. 36. @joel__lord #CPL18 Authentication Flows Implicit Flow
  37. 37. @joel__lord #CPL18 Authentication Flows Implicit Flow
  38. 38. @joel__lord #CPL18 Authentication Flows Implicit Flow
  39. 39. @joel__lord #CPL18 Authentication Flows Implicit Flow
  40. 40. Tokens 101
  41. 41. @joel__lord #CPL18 OAuth Tokens Access Token Refresh Token ! Give you access to a resource ! Controls access to your API ! Short lived ! Enables you to get a new token ! Longed lived ! Can be revoked
  42. 42. @joel__lord #CPL18 OAuth Tokens Refresh Token ! Enables you to get a new token ! Longed lived ! Can be revoked
  43. 43. @joel__lord #CPL18 OAuth Tokens Refresh Token ! Enables you to get a new token ! Longed lived ! Can be revoked
  44. 44. @joel__lord #CPL18 OAuth Tokens ! WS-Federated ! SAML ! JWT ! Custom stuff ! More…
  45. 45. JSON Web Token ! Header ! Payload ! Signature Header { "alg": "HS256", "typ": "JWT" } Payload { "sub": "1234567890", "name": "Joel Lord", "scope": "posts:read posts:write" } Signature HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
  46. 46. JSON Web Token ! Header ! Payload ! Signature Header eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 Payload eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvZWwgTG 9yZCIsImFkbWluIjp0cnVlLCJzY29wZSI6InBvc3RzOnJlY WQgcG9zdHM6d3JpdGUifQ Signature XesR-pKdlscHfUwoKvHnACqfpe2ywJ6t1BJKsq9rEcg
  47. 47. JSON Web Token ! Header ! Payload ! Signature eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj M0NTY3ODkwIiwibmFtZSI6IkpvZWwgTG9yZCIsImFkbWl uIjp0cnVlLCJzY29wZSI6InBvc3RzOnJlYWQgcG9zdHM6d 3JpdGUifQ.XesR- pKdlscHfUwoKvHnACqfpe2ywJ6t1BJKsq9rEcg
  48. 48. JSON Web Token ! Header ! Payload ! Signature Image: https://jwt.io
  49. 49. Codiiiing Time!
  50. 50. Auth Server API var express = require('express'); var Webtask = require('webtask-tools'); var bodyParser = require('body-parser'); var randopeep = require("randopeep"); var jwt = require("jsonwebtoken"); var app = express(); var users = [ {id: 1, username: "joellord", password: "joellord"}, {id: 2, username: "guest", password: "guest"} ]; app.use(bodyParser.json()); app.post("/login", function(req, res) { if (!req.body.username || !req.body.password) return res.status(400).send("Need username and password"); var user = users.find(function(u) { return u.username === req.body.username && u.password === req.body.password; }); if (!user) return res.status(401).send("User not found"); var token = jwt.sign({ sub: user.id, scope: "api:read", username: user.username }, "mysupersecret", {expiresIn: "10 minutes"}); res.status(200).send({token: token}); }); app.get('*', function (req, res) { res.sendStatus(404); }); module.exports = Webtask.fromExpress(app); var express = require('express'); var Webtask = require('webtask-tools'); var bodyParser = require('body-parser'); var jwt = require("jsonwebtoken"); var app = express(); var users = [ {id: 1, username: "joellord", password: "joellord"}, {id: 2, username: "guest", password: "guest"} ]; app.use(bodyParser.urlencoded()); app.get("/login", function(req, res) { var loginForm = "<form method='post'><input type=hidden name=callback value='" + req.query.callback + "'><input type=text name=username /><input type=text name=password / ><input type=submit></form>"; res.status(200).send(loginForm); }); app.post("/login", function(req, res) { if (!req.body.username || !req.body.password) return res.status(400).send("Need username and password"); var user = users.find(function(u) { return u.username === req.body.username && u.password === req.body.password; }); if (!user) return res.status(401).send("User not found"); var token = jwt.sign({ sub: user.id, scope: "api:read", username: user.username }, "mysupersecret", {expiresIn: "10 minutes"}); res.redirect(req.body.callback + "#access_token=" + token); }); app.get('*', function (req, res) { res.sendStatus(404); });
  51. 51. Auth Server var express = require('express'); var bodyParser = require('body-parser'); var jwt = require("jsonwebtoken"); var app = express(); // ...
  52. 52. Auth Server var express = require('express'); var bodyParser = require('body-parser'); var jwt = require("jsonwebtoken"); var app = express(); // ...
  53. 53. Auth Server var express = require('express'); var bodyParser = require('body-parser'); var jwt = require("jsonwebtoken"); var app = express(); // ...
  54. 54. Auth Server var express = require('express'); var bodyParser = require('body-parser'); var jwt = require("jsonwebtoken"); var app = express(); // ...
  55. 55. Auth Server // Requires ... var users = [ {id: 1, username: "joellord", password: "joellord"}, {id: 2, username: "guest", password: "guest"} ];
  56. 56. Auth Server // Requires ... var users = [...]; app.use(bodyParser.urlencoded()); app.post("/login", function(req, res) { // POST for login }); app.get('*', function (req, res) { res.sendStatus(404); });
  57. 57. Auth Server // Requires ... var users = [...]; app.use(bodyParser.urlencoded()); app.post("/login", function(req, res) { // POST for login }); app.get('*', function (req, res) { res.sendStatus(404); });
  58. 58. Auth Server app.post("/login", function(req, res) { // POST for login if (!req.body.username || !req.body.password) return res.status(400).send("Need username and password"); var user = users.find(function(u) { return u.username === req.body.username && u.password === req.body.password; }); if (!user) return res.status(401).send("User not found"); var token = jwt.sign({ sub: user.id, scope: "api:read", username: user.username }, "mysupersecret", {expiresIn: "10 minutes"}); res.redirect(req.body.callback + "#access_token=" + token); });
  59. 59. Auth Server app.post("/login", function(req, res) { // POST for login if (!req.body.username || !req.body.password) return res.status(400).send("Need username and password"); var user = users.find(function(u) { return u.username === req.body.username && u.password === req.body.password; }); if (!user) return res.status(401).send("User not found"); var token = jwt.sign({ sub: user.id, scope: "api:read", username: user.username }, "mysupersecret", {expiresIn: "10 minutes"}); res.redirect(req.body.callback + "#access_token=" + token); });
  60. 60. Auth Server app.post("/login", function(req, res) { // POST for login if (!req.body.username || !req.body.password) return res.status(400).send("Need username and password"); var user = users.find(function(u) { return u.username === req.body.username && u.password === req.body.password; }); if (!user) return res.status(401).send("User not found"); var token = jwt.sign({ sub: user.id, scope: "api:read", username: user.username }, "mysupersecret", {expiresIn: "10 minutes"}); res.redirect(req.body.callback + "#access_token=" + token); });
  61. 61. Auth Server app.post("/login", function(req, res) { // POST for login if (!req.body.username || !req.body.password) return res.status(400).send("Need username and password"); var user = users.find(function(u) { return u.username === req.body.username && u.password === req.body.password; }); if (!user) return res.status(401).send("User not found"); var token = jwt.sign({ sub: user.id, scope: "api:read", username: user.username }, "mysupersecret", {expiresIn: "10 minutes"}); res.redirect(req.body.callback + "#access_token=" + token); });
  62. 62. Auth Server // Requires ... var users = [...]; app.use(bodyParser.urlencoded()); app.post("/login", function(req, res) { // POST for login }); app.get('*', function (req, res) { res.sendStatus(404); }); app.listen(8080, () => console.log("Auth server running on 8080"));}
  63. 63. API var express = require('express'); var bodyParser = require('body-parser'); var randopeep = require("randopeep"); var expressjwt = require("express-jwt"); var app = express();
  64. 64. API var express = require('express'); var bodyParser = require('body-parser'); var randopeep = require("randopeep"); var expressjwt = require("express-jwt"); var app = express();
  65. 65. API var express = require('express'); var bodyParser = require('body-parser'); var randopeep = require("randopeep"); var expressjwt = require("express-jwt"); var app = express();
  66. 66. API var express = require('express'); var bodyParser = require('body-parser'); var randopeep = require("randopeep"); var expressjwt = require("express-jwt"); var app = express();
  67. 67. API var express = require('express'); var bodyParser = require('body-parser'); var randopeep = require("randopeep"); var expressjwt = require("express-jwt"); var app = express();
  68. 68. API // Requires ... var jwtCheck = expressjwt({ secret: "mysupersecret" });
  69. 69. API // Requires and config ... app.get("/headline", function(req, res) { // Unprotected res.status(200).send(randopeep.clickbait.headline()); }); app.get("/protected/headline", jwtCheck, function(req, res) { // Protected res.status(200).send(randopeep.clickbait.headline("Joel Lord")); }); app.get('*', function (req, res) { res.sendStatus(404); });
  70. 70. API // Requires and config ... app.get("/headline", function(req, res) { // Unprotected res.status(200).send(randopeep.clickbait.headline()); }); app.get("/protected/headline", jwtCheck, function(req, res) { // Protected res.status(200).send(randopeep.clickbait.headline("Joel Lord")); }); app.get('*', function (req, res) { res.sendStatus(404); });
  71. 71. API // Requires and config ... app.get("/headline", function(req, res) { // Unprotected res.status(200).send(randopeep.clickbait.headline()); }); app.get("/protected/headline", jwtCheck, function(req, res) { // Protected res.status(200).send(randopeep.clickbait.headline("Joel Lord")); }); app.get('*', function (req, res) { res.sendStatus(404); });
  72. 72. API // Requires and config ... app.get("/headline", function(req, res) { // Unprotected res.status(200).send(randopeep.clickbait.headline()); }); app.get("/protected/headline", jwtCheck, function(req, res) { // Protected res.status(200).send(randopeep.clickbait.headline("Joel Lord")); }); app.get('*', function (req, res) { res.sendStatus(404); });
  73. 73. API // Requires and config ... app.get("/headline", function(req, res) { // Unprotected }); app.get("/protected/headline", jwtCheck, function(req, res) { // Protected }); app.get('*', function (req, res) { res.sendStatus(404); }); app.listen(8888, () => console.log("API listening on 8888"));
  74. 74. @joel__lord #CPL18 Front-End Add the headers
  75. 75. Live Demo github.com/joellord/idontcare
  76. 76. Delegation!
  77. 77. Introducing OpenID Connect
  78. 78. @joel__lord #CPL18 OpenID Connect ! Built on top of OAuth 2.0 ! OpenID Connect (OIDC) is to OpenID what Javascript is to Java ! Provides Identity Tokens in JWT format ! Uses a /userinfo endpoint to provide the info
  79. 79. @joel__lord #CPL18 OpenID Connect Scopes ! openid ! profile ! email ! address ! phone
  80. 80. @joel__lord #CPL18 OpenID Connect Flows Authorization Code scope=openid%20profile
  81. 81. @joel__lord #CPL18 Authentication Flows Authorization Code
  82. 82. @joel__lord #CPL18 Authentication Flows Authorization Code
  83. 83. @joel__lord #CPL18 Authentication Flows Authorization Code /userinfo
  84. 84. @joel__lord #CPL18 OpenID Connect Full flow https://openidconnect.net
  85. 85. Delegation!
  86. 86. I Don’t Care About Security JS-Paris, April 6th 2018 @joel__lord joellord

×