Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

of

I Don't Care About Security (And Neither Should You) Slide 1 I Don't Care About Security (And Neither Should You) Slide 2 I Don't Care About Security (And Neither Should You) Slide 3 I Don't Care About Security (And Neither Should You) Slide 4 I Don't Care About Security (And Neither Should You) Slide 5 I Don't Care About Security (And Neither Should You) Slide 6 I Don't Care About Security (And Neither Should You) Slide 7 I Don't Care About Security (And Neither Should You) Slide 8 I Don't Care About Security (And Neither Should You) Slide 9 I Don't Care About Security (And Neither Should You) Slide 10 I Don't Care About Security (And Neither Should You) Slide 11 I Don't Care About Security (And Neither Should You) Slide 12 I Don't Care About Security (And Neither Should You) Slide 13 I Don't Care About Security (And Neither Should You) Slide 14 I Don't Care About Security (And Neither Should You) Slide 15 I Don't Care About Security (And Neither Should You) Slide 16 I Don't Care About Security (And Neither Should You) Slide 17 I Don't Care About Security (And Neither Should You) Slide 18 I Don't Care About Security (And Neither Should You) Slide 19 I Don't Care About Security (And Neither Should You) Slide 20 I Don't Care About Security (And Neither Should You) Slide 21 I Don't Care About Security (And Neither Should You) Slide 22 I Don't Care About Security (And Neither Should You) Slide 23 I Don't Care About Security (And Neither Should You) Slide 24 I Don't Care About Security (And Neither Should You) Slide 25 I Don't Care About Security (And Neither Should You) Slide 26 I Don't Care About Security (And Neither Should You) Slide 27 I Don't Care About Security (And Neither Should You) Slide 28 I Don't Care About Security (And Neither Should You) Slide 29 I Don't Care About Security (And Neither Should You) Slide 30 I Don't Care About Security (And Neither Should You) Slide 31 I Don't Care About Security (And Neither Should You) Slide 32 I Don't Care About Security (And Neither Should You) Slide 33 I Don't Care About Security (And Neither Should You) Slide 34 I Don't Care About Security (And Neither Should You) Slide 35 I Don't Care About Security (And Neither Should You) Slide 36 I Don't Care About Security (And Neither Should You) Slide 37 I Don't Care About Security (And Neither Should You) Slide 38 I Don't Care About Security (And Neither Should You) Slide 39 I Don't Care About Security (And Neither Should You) Slide 40 I Don't Care About Security (And Neither Should You) Slide 41 I Don't Care About Security (And Neither Should You) Slide 42 I Don't Care About Security (And Neither Should You) Slide 43 I Don't Care About Security (And Neither Should You) Slide 44 I Don't Care About Security (And Neither Should You) Slide 45 I Don't Care About Security (And Neither Should You) Slide 46 I Don't Care About Security (And Neither Should You) Slide 47 I Don't Care About Security (And Neither Should You) Slide 48 I Don't Care About Security (And Neither Should You) Slide 49 I Don't Care About Security (And Neither Should You) Slide 50 I Don't Care About Security (And Neither Should You) Slide 51 I Don't Care About Security (And Neither Should You) Slide 52 I Don't Care About Security (And Neither Should You) Slide 53 I Don't Care About Security (And Neither Should You) Slide 54 I Don't Care About Security (And Neither Should You) Slide 55 I Don't Care About Security (And Neither Should You) Slide 56 I Don't Care About Security (And Neither Should You) Slide 57 I Don't Care About Security (And Neither Should You) Slide 58 I Don't Care About Security (And Neither Should You) Slide 59 I Don't Care About Security (And Neither Should You) Slide 60 I Don't Care About Security (And Neither Should You) Slide 61 I Don't Care About Security (And Neither Should You) Slide 62 I Don't Care About Security (And Neither Should You) Slide 63 I Don't Care About Security (And Neither Should You) Slide 64 I Don't Care About Security (And Neither Should You) Slide 65 I Don't Care About Security (And Neither Should You) Slide 66 I Don't Care About Security (And Neither Should You) Slide 67 I Don't Care About Security (And Neither Should You) Slide 68 I Don't Care About Security (And Neither Should You) Slide 69 I Don't Care About Security (And Neither Should You) Slide 70 I Don't Care About Security (And Neither Should You) Slide 71 I Don't Care About Security (And Neither Should You) Slide 72 I Don't Care About Security (And Neither Should You) Slide 73 I Don't Care About Security (And Neither Should You) Slide 74 I Don't Care About Security (And Neither Should You) Slide 75 I Don't Care About Security (And Neither Should You) Slide 76 I Don't Care About Security (And Neither Should You) Slide 77 I Don't Care About Security (And Neither Should You) Slide 78 I Don't Care About Security (And Neither Should You) Slide 79 I Don't Care About Security (And Neither Should You) Slide 80 I Don't Care About Security (And Neither Should You) Slide 81 I Don't Care About Security (And Neither Should You) Slide 82 I Don't Care About Security (And Neither Should You) Slide 83 I Don't Care About Security (And Neither Should You) Slide 84 I Don't Care About Security (And Neither Should You) Slide 85 I Don't Care About Security (And Neither Should You) Slide 86 I Don't Care About Security (And Neither Should You) Slide 87 I Don't Care About Security (And Neither Should You) Slide 88 I Don't Care About Security (And Neither Should You) Slide 89 I Don't Care About Security (And Neither Should You) Slide 90 I Don't Care About Security (And Neither Should You) Slide 91 I Don't Care About Security (And Neither Should You) Slide 92 I Don't Care About Security (And Neither Should You) Slide 93 I Don't Care About Security (And Neither Should You) Slide 94 I Don't Care About Security (And Neither Should You) Slide 95 I Don't Care About Security (And Neither Should You) Slide 96 I Don't Care About Security (And Neither Should You) Slide 97 I Don't Care About Security (And Neither Should You) Slide 98 I Don't Care About Security (And Neither Should You) Slide 99 I Don't Care About Security (And Neither Should You) Slide 100 I Don't Care About Security (And Neither Should You) Slide 101 I Don't Care About Security (And Neither Should You) Slide 102 I Don't Care About Security (And Neither Should You) Slide 103 I Don't Care About Security (And Neither Should You) Slide 104 I Don't Care About Security (And Neither Should You) Slide 105 I Don't Care About Security (And Neither Should You) Slide 106 I Don't Care About Security (And Neither Should You) Slide 107 I Don't Care About Security (And Neither Should You) Slide 108 I Don't Care About Security (And Neither Should You) Slide 109 I Don't Care About Security (And Neither Should You) Slide 110 I Don't Care About Security (And Neither Should You) Slide 111 I Don't Care About Security (And Neither Should You) Slide 112 I Don't Care About Security (And Neither Should You) Slide 113 I Don't Care About Security (And Neither Should You) Slide 114 I Don't Care About Security (And Neither Should You) Slide 115 I Don't Care About Security (And Neither Should You) Slide 116 I Don't Care About Security (And Neither Should You) Slide 117 I Don't Care About Security (And Neither Should You) Slide 118 I Don't Care About Security (And Neither Should You) Slide 119 I Don't Care About Security (And Neither Should You) Slide 120 I Don't Care About Security (And Neither Should You) Slide 121 I Don't Care About Security (And Neither Should You) Slide 122 I Don't Care About Security (And Neither Should You) Slide 123 I Don't Care About Security (And Neither Should You) Slide 124 I Don't Care About Security (And Neither Should You) Slide 125 I Don't Care About Security (And Neither Should You) Slide 126
Upcoming SlideShare
What to Upload to SlideShare
Next
Download to read offline and view in fullscreen.

0 Likes

Share

Download to read offline

I Don't Care About Security (And Neither Should You)

Download to read offline

Remember when setting up a login page was easy? It seems like nowadays it can take weeks to start a project--creating a signup form, a login form, a password recovery screen, and all the validation in between. And you haven’t even started on security considerations yet. During this presentation, the attendees will be introduced to OpenID Connect and OAuth. They will also learn how to leverage these technologies to create more secure applications. Most importantly, they will learn how to delegate authorization and authentication so they can focus on their real work and forget about all that security stuff.

Presented at South Florida Code Camp '19

Related Books

Free with a 30 day trial from Scribd

See all

Related Audiobooks

Free with a 30 day trial from Scribd

See all
  • Be the first to like this

I Don't Care About Security (And Neither Should You)

  1. 1. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
  2. 2. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) ABOUT ME @joel__lord joellord
  3. 3. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OAUTH FLOWS
  4. 4. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OAUTH FLOWS
  5. 5. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OAUTH FLOWS
  6. 6. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OAUTH FLOWS
  7. 7. INTRODUCING OAUTH!
  8. 8. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OAUTH FLOWS
  9. 9. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OAUTH FLOWS
  10. 10. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OAUTH FLOWS
  11. 11. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OAUTH FLOWS
  12. 12. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OAUTH FLOWS
  13. 13. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OAUTH FLOWS
  14. 14. BUT WHY ?
  15. 15. DELEGATION!
  16. 16. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) TRADITIONAL APPLICATIONS ▸ Browser requests a login page
  17. 17. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) TRADITIONAL APPLICATIONS ▸ Browser requests a login page
  18. 18. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) TRADITIONAL APPLICATIONS ▸ Browser requests a login page
  19. 19. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) TRADITIONAL APPLICATIONS ▸ Browser requests a login page ▸ Server validates on the database
  20. 20. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) TRADITIONAL APPLICATIONS ▸ Browser requests a login page ▸ Server validates on the database 👍
  21. 21. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) TRADITIONAL APPLICATIONS ▸ Browser requests a login page ▸ Server validates on the database ▸ It creates a session and sends back a cookie identifier 👍
  22. 22. "
  23. 23. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) WHAT’S WRONG WITH TRADITIONAL AUTHENTICATION? ▸ Multiple platforms connecting to your application
  24. 24. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) WHAT’S WRONG WITH TRADITIONAL AUTHENTICATION? ▸ Multiple platforms connecting to your application ▸ Tightly coupled
  25. 25. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) WHAT’S WRONG WITH TRADITIONAL AUTHENTICATION? ▸ Multiple platforms connecting to your application ▸ Tightly coupled ▸ Sharing credentials to connect to a third party API
  26. 26. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) WHAT’S WRONG WITH TRADITIONAL AUTHENTICATION? ▸ Multiple platforms connecting to your application ▸ Tightly coupled ▸ Sharing credentials to connect to a third party API ▸ Users have a gazillions accounts already, which leads to password reuse and lower conversion rates
  27. 27. OAUTH GRANTS I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
  28. 28. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE
  29. 29. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE
  30. 30. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE
  31. 31. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE 👍
  32. 32. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE 👍
  33. 33. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE
  34. 34. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE
  35. 35. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE
  36. 36. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE
  37. 37. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE
  38. 38. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE ⛔
  39. 39. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE
  40. 40. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE
  41. 41. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) IMPLICIT GRANT
  42. 42. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) IMPLICIT GRANT
  43. 43. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) IMPLICIT GRANT
  44. 44. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) IMPLICIT GRANT
  45. 45. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) IMPLICIT GRANT 👍
  46. 46. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) IMPLICIT GRANT
  47. 47. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) IMPLICIT GRANT
  48. 48. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) IMPLICIT GRANT
  49. 49. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) IMPLICIT GRANT 👍
  50. 50. TOKENS 101 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
  51. 51. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) TOKENS ▸ Access Tokens ▸ Gives you access to a resource ▸ Controls access to your API ▸ Short Lived ▸ Refresh Tokens ▸ Enable you to get a new access token ▸ Longed lived ▸ Can be revoked
  52. 52. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) TOKENS ▸ Refresh Tokens ▸ Enable you to get a new access token ▸ Longed lived ▸ Can be revoked
  53. 53. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) TOKENS ▸ Refresh Tokens ▸ Enable you to get a new access token ▸ Longed lived ▸ Can be revoked
  54. 54. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) TOKENS ▸ WS Federated ▸ SAML ▸ Custom stuff ▸ …
  55. 55. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) TOKENS ▸ WS Federated ▸ SAML ▸ Custom stuff ▸ JWT
  56. 56. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) eyJhbGciOiJIUzI1NiIsInR5cC I6IkpXVCJ9.eyJzdWIiOiIxMj M0NTY3ODkwIiwibmFtZSI6I kpvZWwgTG9yZCIsImFkbWl uIjp0cnVlLCJzY29wZSI6InBv c3RzOnJlYWQgcG9zdHM6 d3JpdGUifQ.XesR- pKdlscHfUwoKvHnACqfpe2 ywJ6t1BJKsq9rEcg
  57. 57. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) ▸ Header ▸ Payload ▸ Signature eyJhbGciOiJIUzI1NiIsInR5cC I6IkpXVCJ9.eyJzdWIiOiIxMj M0NTY3ODkwIiwibmFtZSI6I kpvZWwgTG9yZCIsImFkbWl uIjp0cnVlLCJzY29wZSI6InBv c3RzOnJlYWQgcG9zdHM6 d3JpdGUifQ.XesR- pKdlscHfUwoKvHnACqfpe2 ywJ6t1BJKsq9rEcg
  58. 58. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) ▸ Header eyJhbGciOiJIUzI1NiIsInR5cC I6IkpXVCJ9.eyJzdWIiOiIxMj M0NTY3ODkwIiwibmFtZSI6I kpvZWwgTG9yZCIsImFkbWl uIjp0cnVlLCJzY29wZSI6InBv c3RzOnJlYWQgcG9zdHM6 d3JpdGUifQ.XesR- pKdlscHfUwoKvHnACqfpe2 ywJ6t1BJKsq9rEcg
  59. 59. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) ▸ Header eyJhbGciOiJIUzI1NiIsInR5cC I6IkpXVCJ9
  60. 60. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) ▸ Header atob(‘eyJhbGciOiJIUzI1NiIsI nR5cCI6IkpXVCJ9’);
  61. 61. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) ▸ Header { "alg": "HS256", "typ": "JWT" }
  62. 62. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) ▸ Payload eyJhbGciOiJIUzI1NiIsInR5cC I6IkpXVCJ9.eyJzdWIiOiIxMj M0NTY3ODkwIiwibmFtZSI6I kpvZWwgTG9yZCIsImFkbWl uIjp0cnVlLCJzY29wZSI6InBv c3RzOnJlYWQgcG9zdHM6 d3JpdGUifQ.XesR- pKdlscHfUwoKvHnACqfpe2 ywJ6t1BJKsq9rEcg
  63. 63. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) ▸ Payload eyJzdWIiOiIxMjM0NTY3OD kwIiwibmFtZSI6IkpvZWwgT G9yZCIsImFkbWluIjp0cnVlL CJzY29wZSI6InBvc3RzOnJl YWQgcG9zdHM6d3JpdGUi fQ
  64. 64. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) ▸ Payload atob(‘eyJzdWIiOiIxMjM0NT Y3ODkwIiwibmFtZSI6IkpvZ WwgTG9yZCIsImFkbWluIjp 0cnVlLCJzY29wZSI6InBvc3R zOnJlYWQgcG9zdHM6d3J pdGUifQ’);
  65. 65. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) ▸ Payload { "sub": "1234567890", "name": "Joel Lord", "admin": true, "scope": "posts:read posts:write" }
  66. 66. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) ▸ Signature XesR- pKdlscHfUwoKvHnACqfpe2 ywJ6t1BJKsq9rEcg
  67. 67. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) ▸ Signature hmacsha256( `${header}.${payload}`, SECRET_KEY );
  68. 68. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) Image: https://jwt.io
  69. 69. CODE TIME!
  70. 70. Auth Server API var express = require('express'); var Webtask = require('webtask-tools'); var bodyParser = require('body-parser'); var randopeep = require("randopeep"); var jwt = require("jsonwebtoken"); var app = express(); var users = [ {id: 1, username: "joellord", password: "joellord"}, {id: 2, username: "guest", password: "guest"} ]; app.use(bodyParser.json()); app.post("/login", function(req, res) { if (!req.body.username || !req.body.password) return res.status(400).send("Need username and password"); var user = users.find(function(u) { return u.username === req.body.username && u.password === req.body.password; }); if (!user) return res.status(401).send("User not found"); var token = jwt.sign({ sub: user.id, scope: "api:read", username: user.username }, "mysupersecret", {expiresIn: "10 minutes"}); var express = require('express'); var Webtask = require('webtask-tools'); var bodyParser = require('body-parser'); var jwt = require("jsonwebtoken"); var app = express(); var users = [ {id: 1, username: "joellord", password: "joellord"}, {id: 2, username: "guest", password: "guest"} ]; app.use(bodyParser.urlencoded()); app.get("/login", function(req, res) { var loginForm = "<form method='post'><input type=hidden name=callback value='" + req.query.callback + "'><input type=text name=username /><input type=text name=password /><input type=submit></form>"; res.status(200).send(loginForm); }); app.post("/login", function(req, res) { if (!req.body.username || !req.body.password) return res.status(400).send("Need username and password"); var user = users.find(function(u) { return u.username === req.body.username && u.password === req.body.password; }); if (!user) return res.status(401).send("User not found");
  71. 71. @joel__lord #sflcc Auth Server var express = require('express'); var bodyParser = require('body-parser'); var jwt = require("jsonwebtoken"); var app = express(); // ...
  72. 72. @joel__lord #sflcc Auth Server var express = require('express'); var bodyParser = require('body-parser'); var jwt = require("jsonwebtoken"); var app = express(); // ...
  73. 73. @joel__lord #sflcc Auth Server var express = require('express'); var bodyParser = require('body-parser'); var jwt = require("jsonwebtoken"); var app = express(); // ...
  74. 74. @joel__lord #sflcc Auth Server var express = require('express'); var bodyParser = require('body-parser'); var jwt = require("jsonwebtoken"); var app = express(); // ...
  75. 75. @joel__lord #sflcc Auth Server // Requires ... var users = [ {id: 1, username: "joellord", password: "joellord"}, {id: 2, username: "guest", password: "guest"} ];
  76. 76. @joel__lord #sflcc Auth Server // Requires ... var users = [...]; app.use(bodyParser.urlencoded()); app.post("/login", function(req, res) { // POST for login }); app.get('*', function (req, res) { res.sendStatus(404); });
  77. 77. @joel__lord #sflcc Auth Server // Requires ... var users = [...]; app.use(bodyParser.urlencoded()); app.post("/login", function(req, res) { // POST for login }); app.get('*', function (req, res) { res.sendStatus(404); });
  78. 78. @joel__lord #sflcc Auth Server app.post("/login", function(req, res) { // POST for login if (!req.body.username || !req.body.password) return res.status(400).send("Need username and password"); var user = users.find(function(u) { return u.username === req.body.username && u.password === req.body.password; }); if (!user) return res.status(401).send("User not found"); var token = jwt.sign({ sub: user.id, scope: "api:read", username: user.username }, "mysupersecret", {expiresIn: "10 minutes"}); res.redirect(req.body.callback + "#access_token=" + token); });
  79. 79. @joel__lord #sflcc Auth Server app.post("/login", function(req, res) { // POST for login if (!req.body.username || !req.body.password) return res.status(400).send("Need username and password"); var user = users.find(function(u) { return u.username === req.body.username && u.password === req.body.password; }); if (!user) return res.status(401).send("User not found"); var token = jwt.sign({ sub: user.id, scope: "api:read", username: user.username }, "mysupersecret", {expiresIn: "10 minutes"}); res.redirect(req.body.callback + "#access_token=" + token); });
  80. 80. @joel__lord #sflcc Auth Server app.post("/login", function(req, res) { // POST for login if (!req.body.username || !req.body.password) return res.status(400).send("Need username and password"); var user = users.find(function(u) { return u.username === req.body.username && u.password === req.body.password; }); if (!user) return res.status(401).send("User not found"); var token = jwt.sign({ sub: user.id, scope: "api:read", username: user.username }, "mysupersecret", {expiresIn: "10 minutes"}); res.redirect(req.body.callback + "#access_token=" + token); });
  81. 81. @joel__lord #sflcc Auth Server app.post("/login", function(req, res) { // POST for login if (!req.body.username || !req.body.password) return res.status(400).send("Need username and password"); var user = users.find(function(u) { return u.username === req.body.username && u.password === req.body.password; }); if (!user) return res.status(401).send("User not found"); var token = jwt.sign({ sub: user.id, scope: "api:read", username: user.username }, "mysupersecret", {expiresIn: "10 minutes"}); res.redirect(req.body.callback + "#access_token=" + token); });
  82. 82. @joel__lord #sflcc Auth Server // Requires ... var users = [...]; app.use(bodyParser.urlencoded()); app.post("/login", function(req, res) { // POST for login }); app.get('*', function (req, res) { res.sendStatus(404); }); app.listen(8080, () => console.log("Auth server running on 8080"));}
  83. 83. @joel__lord #sflcc API var express = require('express'); var bodyParser = require('body-parser'); var randopeep = require("randopeep"); var expressjwt = require("express-jwt"); var app = express();
  84. 84. @joel__lord #sflcc API var express = require('express'); var bodyParser = require('body-parser'); var randopeep = require("randopeep"); var expressjwt = require("express-jwt"); var app = express();
  85. 85. @joel__lord #sflcc API var express = require('express'); var bodyParser = require('body-parser'); var randopeep = require("randopeep"); var expressjwt = require("express-jwt"); var app = express();
  86. 86. @joel__lord #sflcc API var express = require('express'); var bodyParser = require('body-parser'); var randopeep = require("randopeep"); var expressjwt = require("express-jwt"); var app = express();
  87. 87. @joel__lord #sflcc API var express = require('express'); var bodyParser = require('body-parser'); var randopeep = require("randopeep"); var expressjwt = require("express-jwt"); var app = express();
  88. 88. @joel__lord #sflcc API // Requires ... var jwtCheck = expressjwt({ secret: "mysupersecret" });
  89. 89. @joel__lord #sflcc API // Requires and config ... app.get("/headline", function(req, res) { // Unprotected res.status(200).send(randopeep.clickbait.headline()); }); app.get("/protected/headline", jwtCheck, function(req, res) { // Protected res.status(200).send(randopeep.clickbait.headline("Joel Lord")); }); app.get('*', function (req, res) { res.sendStatus(404); });
  90. 90. @joel__lord #sflcc API // Requires and config ... app.get("/headline", function(req, res) { // Unprotected res.status(200).send(randopeep.clickbait.headline()); }); app.get("/protected/headline", jwtCheck, function(req, res) { // Protected res.status(200).send(randopeep.clickbait.headline("Joel Lord")); }); app.get('*', function (req, res) { res.sendStatus(404); });
  91. 91. @joel__lord #sflcc API // Requires and config ... app.get("/headline", function(req, res) { // Unprotected res.status(200).send(randopeep.clickbait.headline()); }); app.get("/protected/headline", jwtCheck, function(req, res) { // Protected res.status(200).send(randopeep.clickbait.headline("Joel Lord")); }); app.get('*', function (req, res) { res.sendStatus(404); });
  92. 92. @joel__lord #sflcc API // Requires and config ... app.get("/headline", function(req, res) { // Unprotected res.status(200).send(randopeep.clickbait.headline()); }); app.get("/protected/headline", jwtCheck, function(req, res) { // Protected res.status(200).send(randopeep.clickbait.headline("Joel Lord")); }); app.get('*', function (req, res) { res.sendStatus(404); });
  93. 93. @joel__lord #sflcc API // Requires and config ... app.get("/headline", function(req, res) { // Unprotected }); app.get("/protected/headline", jwtCheck, function(req, res) { // Protected }); app.get('*', function (req, res) { res.sendStatus(404); }); app.listen(8888, () => console.log("API listening on 8888"));
  94. 94. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) DEAR DEMO GODS, PLEASE LET THIS WORK ▸ https://github.com/joellord/ secure-spa-auth0
  95. 95. DELEGATION!
  96. 96. INTRODUCING OPEN ID CONNECT!
  97. 97. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OPEN ID CONNECT ▸ Built on top of OAuth 2.0 ▸ OpenID Connect is to OpenId what JavaScript is to Java ▸ Provides Identity Tokens in JWT format ▸ Uses a /userinfo endpoint to provide this info
  98. 98. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OPEN ID CONNECT ▸ Uses the “scope” to fetch info ▸ openid ▸ Profile ▸ email ▸ address ▸ phone
  99. 99. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OPEN ID CONNECT scope=openid%20profile
  100. 100. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OPEN ID CONNECT 👍
  101. 101. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OPEN ID CONNECT 👍
  102. 102. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OPEN ID CONNECT
  103. 103. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OPEN ID CONNECT
  104. 104. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OPEN ID CONNECT
  105. 105. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OPEN ID CONNECT /userinfo
  106. 106. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OPEN ID CONNECT
  107. 107. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OPEN ID CONNECT Image: https://openidconnect.net
  108. 108. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) DEAR DEMO GODS, PLEASE LET THIS WORK ▸ https://github.com/joellord/ secure-spa-auth0
  109. 109. DELEGATION!
  110. 110. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) RESOURCES ▸ General JWT resource ▸ https://jwt.io/ ▸ Learn how OIDC works ▸ https://openidconnect.net/ ▸ Code samples ▸ http://bit.ly/idontcareaboutsecurity
  111. 111. @joel__lord joellord I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) South Florida Code Camp March 2nd, 2019 THANK YOU !
  112. 112. TEXT
  113. 113. TEXT

Remember when setting up a login page was easy? It seems like nowadays it can take weeks to start a project--creating a signup form, a login form, a password recovery screen, and all the validation in between. And you haven’t even started on security considerations yet. During this presentation, the attendees will be introduced to OpenID Connect and OAuth. They will also learn how to leverage these technologies to create more secure applications. Most importantly, they will learn how to delegate authorization and authentication so they can focus on their real work and forget about all that security stuff. Presented at South Florida Code Camp '19

Views

Total views

138

On Slideshare

0

From embeds

0

Number of embeds

0

Actions

Downloads

0

Shares

0

Comments

0

Likes

0

×