1. I DON’T CARE ABOUT SECURITY
(AND NEITHER SHOULD YOU)

3. I DON’T CARE ABOUT SECURITY
(AND NEITHER SHOULD YOU)

4. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
ABOUT ME
▸ Passionate about tech
▸ Technical Evangelist at Auth0,
Author at Udemy, Egghead
@joel__lord

9. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
OAUTH FLOWS

10. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
OAUTH FLOWS

11. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
OAUTH FLOWS

12. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
OAUTH FLOWS

13. INTRODUCING OAUTH!

14. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
OAUTH FLOWS

15. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
OAUTH FLOWS

16. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
OAUTH FLOWS

17. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
OAUTH FLOWS

18. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
OAUTH FLOWS

19. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
OAUTH FLOWS

20. BUT WHY ?

21. DELEGATION!

22. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
TRADITIONAL APPLICATIONS
▸ Browser requests a login page

23. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
TRADITIONAL APPLICATIONS
▸ Browser requests a login page

24. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
TRADITIONAL APPLICATIONS
▸ Browser requests a login page

25. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
TRADITIONAL APPLICATIONS
▸ Browser requests a login page
▸ Server validates on the database

26. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
TRADITIONAL APPLICATIONS
▸ Browser requests a login page
▸ Server validates on the database
👍

27. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
TRADITIONAL APPLICATIONS
▸ Browser requests a login page
▸ Server validates on the database
▸ It creates a session and sends back
a cookie identifier
👍

28. "

29. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
WHAT’S WRONG WITH TRADITIONAL AUTHENTICATION?
▸ Multiple platforms connecting to
your application

30. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
WHAT’S WRONG WITH TRADITIONAL AUTHENTICATION?
▸ Multiple platforms connecting to
your application
▸ Tightly coupled

31. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
WHAT’S WRONG WITH TRADITIONAL AUTHENTICATION?
▸ Multiple platforms connecting to
your application
▸ Tightly coupled
▸ Sharing credentials to connect to a
third party API

32. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
WHAT’S WRONG WITH TRADITIONAL AUTHENTICATION?
▸ Multiple platforms connecting to
your application
▸ Tightly coupled
▸ Sharing credentials to connect to a
third party API
▸ Users have a gazillions accounts
already, which leads to password
reuse and lower conversion rates

34. OAUTH GRANTS
I DON’T CARE ABOUT SECURITY (AND
NEITHER SHOULD YOU)

35. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
AUTHORIZATION CODE

36. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
AUTHORIZATION CODE

37. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
AUTHORIZATION CODE

38. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
AUTHORIZATION CODE
👍

39. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
AUTHORIZATION CODE
👍

40. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
AUTHORIZATION CODE

41. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
AUTHORIZATION CODE

42. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
AUTHORIZATION CODE

43. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
AUTHORIZATION CODE

44. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
AUTHORIZATION CODE

45. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
AUTHORIZATION CODE
⛔

46. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
AUTHORIZATION CODE

47. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
AUTHORIZATION CODE

48. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
IMPLICIT GRANT

49. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
IMPLICIT GRANT

50. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
IMPLICIT GRANT

51. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
IMPLICIT GRANT

52. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
IMPLICIT GRANT
👍

53. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
IMPLICIT GRANT

54. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
IMPLICIT GRANT

55. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
IMPLICIT GRANT

56. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
IMPLICIT GRANT
👍

57. TOKENS 101
I DON’T CARE ABOUT SECURITY (AND
NEITHER SHOULD YOU)

58. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
TOKENS
▸ Access Tokens
▸ Gives you access to a
resource
▸ Controls access to your API
▸ Short Lived
▸ Refresh Tokens
▸ Enable you to get a new
access token
▸ Longed lived
▸ Can be revoked

59. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
TOKENS
▸ Refresh Tokens
▸ Enable you to get a new
access token
▸ Longed lived
▸ Can be revoked

60. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
TOKENS
▸ Refresh Tokens
▸ Enable you to get a new
access token
▸ Longed lived
▸ Can be revoked

61. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
TOKENS
▸ WS Federated
▸ SAML
▸ Custom stuff
▸ …

62. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
TOKENS
▸ WS Federated
▸ SAML
▸ Custom stuff
▸ JWT

63. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
JSON WEB TOKENS (JWTS, NOT JOTS)
eyJhbGciOiJIUzI1NiIsInR5cC
I6IkpXVCJ9.eyJzdWIiOiIxMj
M0NTY3ODkwIiwibmFtZSI6I
kpvZWwgTG9yZCIsImFkbWl
uIjp0cnVlLCJzY29wZSI6InBv
c3RzOnJlYWQgcG9zdHM6
d3JpdGUifQ.XesR-
pKdlscHfUwoKvHnACqfpe2
ywJ6t1BJKsq9rEcg

64. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
JSON WEB TOKENS (JWTS, NOT JOTS)
▸ Header
▸ Payload
▸ Signature
eyJhbGciOiJIUzI1NiIsInR5cC
I6IkpXVCJ9.eyJzdWIiOiIxMj
M0NTY3ODkwIiwibmFtZSI6I
kpvZWwgTG9yZCIsImFkbWl
uIjp0cnVlLCJzY29wZSI6InBv
c3RzOnJlYWQgcG9zdHM6
d3JpdGUifQ.XesR-
pKdlscHfUwoKvHnACqfpe2
ywJ6t1BJKsq9rEcg

65. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
JSON WEB TOKENS (JWTS, NOT JOTS)
▸ Header eyJhbGciOiJIUzI1NiIsInR5cC
I6IkpXVCJ9.eyJzdWIiOiIxMj
M0NTY3ODkwIiwibmFtZSI6I
kpvZWwgTG9yZCIsImFkbWl
uIjp0cnVlLCJzY29wZSI6InBv
c3RzOnJlYWQgcG9zdHM6
d3JpdGUifQ.XesR-
pKdlscHfUwoKvHnACqfpe2
ywJ6t1BJKsq9rEcg

66. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
JSON WEB TOKENS (JWTS, NOT JOTS)
▸ Header eyJhbGciOiJIUzI1NiIsInR5cC
I6IkpXVCJ9

67. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
JSON WEB TOKENS (JWTS, NOT JOTS)
▸ Header atob(‘eyJhbGciOiJIUzI1NiIsI
nR5cCI6IkpXVCJ9’);

68. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
JSON WEB TOKENS (JWTS, NOT JOTS)
▸ Header {
"alg": "HS256",
"typ": "JWT"
}

69. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
JSON WEB TOKENS (JWTS, NOT JOTS)
▸ Payload eyJhbGciOiJIUzI1NiIsInR5cC
I6IkpXVCJ9.eyJzdWIiOiIxMj
M0NTY3ODkwIiwibmFtZSI6I
kpvZWwgTG9yZCIsImFkbWl
uIjp0cnVlLCJzY29wZSI6InBv
c3RzOnJlYWQgcG9zdHM6
d3JpdGUifQ.XesR-
pKdlscHfUwoKvHnACqfpe2
ywJ6t1BJKsq9rEcg

70. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
JSON WEB TOKENS (JWTS, NOT JOTS)
▸ Payload eyJzdWIiOiIxMjM0NTY3OD
kwIiwibmFtZSI6IkpvZWwgT
G9yZCIsImFkbWluIjp0cnVlL
CJzY29wZSI6InBvc3RzOnJl
YWQgcG9zdHM6d3JpdGUi
fQ

71. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
JSON WEB TOKENS (JWTS, NOT JOTS)
▸ Payload atob(‘eyJzdWIiOiIxMjM0NT
Y3ODkwIiwibmFtZSI6IkpvZ
WwgTG9yZCIsImFkbWluIjp
0cnVlLCJzY29wZSI6InBvc3R
zOnJlYWQgcG9zdHM6d3J
pdGUifQ’);

72. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
JSON WEB TOKENS (JWTS, NOT JOTS)
▸ Payload {
"sub": "1234567890",
"name": "Joel Lord",
"admin": true,
"scope": "posts:read
posts:write"
}

73. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
JSON WEB TOKENS (JWTS, NOT JOTS)
▸ Signature XesR-
pKdlscHfUwoKvHnACqfpe2
ywJ6t1BJKsq9rEcg

74. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
JSON WEB TOKENS (JWTS, NOT JOTS)
▸ Signature hmacsha256(
`${header}.${payload}`,
SECRET_KEY
);

75. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
JSON WEB TOKENS (JWTS, NOT JOTS)
Image: https://jwt.io

76. CODE TIME!

77. Auth Server API
from flask import Flask, jsonify
import os
from api_auth_header import AuthError, requires_auth
from flask_cors import CORS
from randopeep import clickbait
app = Flask(__name__)
CORS(app)
@app.errorhandler(AuthError)
def handle_auth_error(ex):
response = jsonify(ex.error)
response.status_code = ex.status_code
return response
@app.route("/headline")
def headline():
return clickbait.headline()
@app.route("/protected/headline")
@requires_auth
def protected_headline():
return clickbait.headline("Joel Lord")
if __name__ == '__main__':
port = int(os.environ.get('PORT', 8888))
print("Auth server started on port %d " % port)
app.run(host='0.0.0.0', port=port, debug=True)
import os
from flask import Flask, request, abort, redirect
from jose import jwt
app = Flask(__name__)
users = [{"id": 1, "username": "joellord", "password": "joellord"}]
@app.route("/login", methods=["GET"])
def login_form():
print("Serve form")
callback_url = request.args.get("callback")
return "<form method='post'>...</form>"
@app.route("/login", methods=["POST"])
def process_login():
username = request.form.get("username")
password = request.form.get("password")
callback = request.form.get("callback")
if (username is "" or password is ""):
abort(400)
user = next((user for user in users if user["username"] ==
username and user["password"] == password), False)
if (user == False):
abort(401)
print(user)
token = jwt.encode({
"sub": str(user["id"]),
"username": user["username"],
"scope": "dostuff",
"aud": "my-random-clickbait-api",
"iss": "my-small-auth-server"
}, "my-super-secret-key", algorithm='HS256')
redirect_url = callback + "#access_token=" + token
return redirect(redirect_url, code=302)
if __name__ == '__main__':
port = int(os.environ.get('PORT', 8080))
print("Auth server started on port %d " % port)
app.run(host='0.0.0.0', port=port, debug=True)
●

78. @joel__lord
#PyConSK
Auth Server
import os
from flask import Flask, request, abort, redirect
from jose import jwt
app = Flask(__name__)
// ...

79. @joel__lord
#PyConSK
Auth Server
import os
from flask import Flask, request, abort, redirect
from jose import jwt
app = Flask(__name__)
// ...

80. @joel__lord
#PyConSK
Auth Server
import os
from flask import Flask, request, abort, redirect
from jose import jwt
app = Flask(__name__)
// ...

81. @joel__lord
#PyConSK
Auth Server
import os
from flask import Flask, request, abort, redirect
from jose import jwt
app = Flask(__name__)
// ...

82. @joel__lord
#PyConSK
Auth Server
# imports ...
users = [
{
"id": 1,
"username": "joellord",
"password": "joellord"
},
{
"id": 2,
"username": "guest",
"password": "guest"
}
]

83. @joel__lord
#PyConSK
Auth Server
# imports ...
users = [...]
@app.route("/login", methods=["GET"])
def login_form():
# login form
@app.route("/login", methods=["POST"])
def process_login():
# handle request

84. @joel__lord
#PyConSK
Auth Server
# imports ...
users = [...]
@app.route("/login", methods=["GET"])
def login_form():
# login form
@app.route("/login", methods=["POST"])
def process_login():
# handle request

85. @joel__lord
#PyConSK
Auth Server
@app.route("/login", methods=["GET"])
def login_form():
print("Serve form")
callback_url = request.args.get("callback")
return "<form method='post'><input type=hidden
name=callback value='" + callback_url + "'><input
type=text name=username /><input type=text
name=password /><input type=submit></form>"

86. @joel__lord
#PyConSK
Auth Server
@app.route("/login", methods=["GET"])
def login_form():
print("Serve form")
callback_url = request.args.get("callback")
return "<form method='post'><input type=hidden
name=callback value='" + callback_url + "'><input
type=text name=username /><input type=text
name=password /><input type=submit></form>"

87. @joel__lord
#PyConSK
Auth Server
@app.route("/login", methods=["POST"])
def process_login():
username = request.form.get("username")
password = request.form.get("password")
callback = request.form.get("callback")
if (username is "" or password is ""):
abort(400)
user = next((user for user in users if user["username"] == username
and user["password"] == password), False)
if (user == False):
abort(401)
token = jwt.encode({
"sub": str(user["id"]),
"username": user["username"],
"scope": "dostuff",
"aud": "my-random-clickbait-api",
"iss": "my-small-auth-server"
}, "my-super-secret-key", algorithm=‘HS256')
redirect_url = callback + "#access_token=" + token
return redirect(redirect_url, code=302)

88. @joel__lord
#PyConSK
Auth Server
@app.route("/login", methods=["POST"])
def process_login():
username = request.form.get("username")
password = request.form.get("password")
callback = request.form.get("callback")
if (username is "" or password is ""):
abort(400)
user = next((user for user in users if user["username"] == username
and user["password"] == password), False)
if (user == False):
abort(401)
token = jwt.encode({
"sub": str(user["id"]),
"username": user["username"],
"scope": "dostuff",
"aud": "my-random-clickbait-api",
"iss": "my-small-auth-server"
}, "my-super-secret-key", algorithm=‘HS256')
redirect_url = callback + "#access_token=" + token
return redirect(redirect_url, code=302)

89. @joel__lord
#PyConSK
Auth Server
@app.route("/login", methods=["POST"])
def process_login():
username = request.form.get("username")
password = request.form.get("password")
callback = request.form.get("callback")
if (username is "" or password is ""):
abort(400)
user = next((user for user in users if user["username"] == username
and user["password"] == password), False)
if (user == False):
abort(401)
token = jwt.encode({
"sub": str(user["id"]),
"username": user["username"],
"scope": "dostuff",
"aud": "my-random-clickbait-api",
"iss": "my-small-auth-server"
}, "my-super-secret-key", algorithm=‘HS256')
redirect_url = callback + "#access_token=" + token
return redirect(redirect_url, code=302)

90. @joel__lord
#PyConSK
Auth Server
@app.route("/login", methods=["POST"])
def process_login():
username = request.form.get("username")
password = request.form.get("password")
callback = request.form.get("callback")
if (username is "" or password is ""):
abort(400)
user = next((user for user in users if user["username"] == username
and user["password"] == password), False)
if (user == False):
abort(401)
token = jwt.encode({
"sub": str(user["id"]),
"username": user["username"],
"scope": "dostuff",
"aud": "my-random-clickbait-api",
"iss": "my-small-auth-server"
}, "my-super-secret-key", algorithm=‘HS256')
redirect_url = callback + "#access_token=" + token
return redirect(redirect_url, code=302)

91. @joel__lord
#PyConSK
Auth Server
@app.route("/login", methods=["POST"])
def process_login():
username = request.form.get("username")
password = request.form.get("password")
callback = request.form.get("callback")
if (username is "" or password is ""):
abort(400)
user = next((user for user in users if user["username"] == username
and user["password"] == password), False)
if (user == False):
abort(401)
token = jwt.encode({
"sub": str(user["id"]),
"username": user["username"],
"scope": "dostuff",
"aud": "my-random-clickbait-api",
"iss": "my-small-auth-server"
}, "my-super-secret-key", algorithm=‘HS256')
redirect_url = callback + "#access_token=" + token
return redirect(redirect_url, code=302)

92. @joel__lord
#PyConSK
Auth Server
@app.route("/login", methods=["POST"])
def process_login():
username = request.form.get("username")
password = request.form.get("password")
callback = request.form.get("callback")
if (username is "" or password is ""):
abort(400)
user = next((user for user in users if user["username"] == username
and user["password"] == password), False)
if (user == False):
abort(401)
token = jwt.encode({
"sub": str(user["id"]),
"username": user["username"],
"scope": "dostuff",
"aud": "my-random-clickbait-api",
"iss": "my-small-auth-server"
}, "my-super-secret-key", algorithm=‘HS256')
redirect_url = callback + "#access_token=" + token
return redirect(redirect_url, code=302)

93. @joel__lord
#PyConSK
Auth Server
# imports ...
users = [...]
@app.route("/login", methods=["GET"])
# ...
@app.route("/login", methods=["POST"])
# ...
if __name__ == '__main__':
port = int(os.environ.get('PORT', 8080))
print("Auth server started on port %d " % port)
app.run(host='0.0.0.0', port=port, debug=True)

94. @joel__lord
#PyConSK
API
from flask import Flask, jsonify
import os
from api_auth_header import AuthError, requires_auth
from flask_cors import CORS
from randopeep import clickbait
app = Flask(__name__)
CORS(app)

95. @joel__lord
#PyConSK
API
# imports
@app.route("/headline")
def headline():
return clickbait.headline()
@app.route("/protected/headline")
@requires_auth
def protected_headline():
return clickbait.headline("Joel Lord")

96. @joel__lord
#PyConSK
API
# imports
@app.route("/headline")
def headline():
return clickbait.headline()
@app.route("/protected/headline")
@requires_auth
def protected_headline():
return clickbait.headline("Joel Lord")

97. @joel__lord
#PyConSK
API
# imports
@app.route("/headline")
def headline():
return clickbait.headline()
@app.route("/protected/headline")
@requires_auth
def protected_headline():
return clickbait.headline("Joel Lord")

98. @joel__lord
#PyConSK
API
# imports …
@app.route("/headline")
def headline():
# …
@app.route("/protected/headline")
@requires_auth
def protected_headline():
# …
if __name__ == '__main__':
port = int(os.environ.get('PORT', 8888))
print("Auth server started on port %d " % port)
app.run(host='0.0.0.0', port=port, debug=True)

99. @joel__lord
#PyConSK
API (@requires_authfrom functools import wraps
from jose import jwt
from flask import _request_ctx_stack, request
class AuthError(Exception):
def __init__(self, error, status_code):
self.error = error
self.status_code = status_code
def get_token_auth_header():
# Get and validate the token...
return token
def requires_auth(f):
@wraps(f)
def decorated(*args, **kwargs):
token = get_token_auth_header()
try:
payload = jwt.decode(token, "my-super-secret-key", algorithms="HS256")
except jwt.ExpiredSignatureError:
raise AuthError({"code": "token_expired", "description": "Token is expired"}, 401)
# Also check claims and headers
_request_ctx_stack.top.current_user = payload
return f(*args, **kwargs)
return decorated

100. @joel__lord
#PyConSK
API (@requires_authfrom functools import wraps
from jose import jwt
from flask import _request_ctx_stack, request
class AuthError(Exception):
def __init__(self, error, status_code):
self.error = error
self.status_code = status_code
def get_token_auth_header():
# Get and validate the token...
return token
def requires_auth(f):
@wraps(f)
def decorated(*args, **kwargs):
token = get_token_auth_header()
try:
payload = jwt.decode(token, "my-super-secret-key", algorithms="HS256")
except jwt.ExpiredSignatureError:
raise AuthError({"code": "token_expired", "description": "Token is expired"}, 401)
# Also check claims and headers
_request_ctx_stack.top.current_user = payload
return f(*args, **kwargs)
return decorated

101. @joel__lord
#PyConSK
API (@requires_authfrom functools import wraps
from jose import jwt
from flask import _request_ctx_stack, request
class AuthError(Exception):
def __init__(self, error, status_code):
self.error = error
self.status_code = status_code
def get_token_auth_header():
# Get and validate the token...
return token
def requires_auth(f):
@wraps(f)
def decorated(*args, **kwargs):
token = get_token_auth_header()
try:
payload = jwt.decode(token, "my-super-secret-key", algorithms="HS256")
except jwt.ExpiredSignatureError:
raise AuthError({"code": "token_expired", "description": "Token is expired"}, 401)
# Also check claims and headers
_request_ctx_stack.top.current_user = payload
return f(*args, **kwargs)
return decorated

102. @joel__lord
#PyConSK
API (@requires_authfrom functools import wraps
from jose import jwt
from flask import _request_ctx_stack, request
class AuthError(Exception):
def __init__(self, error, status_code):
self.error = error
self.status_code = status_code
def get_token_auth_header():
# Get and validate the token...
return token
def requires_auth(f):
@wraps(f)
def decorated(*args, **kwargs):
token = get_token_auth_header()
try:
payload = jwt.decode(token, "my-super-secret-key", algorithms="HS256")
except jwt.ExpiredSignatureError:
raise AuthError({"code": "token_expired", "description": "Token is expired"}, 401)
# Also check claims and headers
_request_ctx_stack.top.current_user = payload
return f(*args, **kwargs)
return decorated

104. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
DEAR DEMO GODS, PLEASE LET THIS WORK
▸ https://github.com/joellord/
secure-spa-auth0

105. DELEGATION!

113. INTRODUCING OPEN ID CONNECT!

114. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
OPEN ID CONNECT
▸ Built on top of OAuth 2.0
▸ OpenID Connect is to OpenId what JavaScript is to Java
▸ Provides Identity Tokens in JWT format
▸ Uses a /userinfo endpoint to provide this info

115. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
OPEN ID CONNECT
▸ Uses the “scope” to fetch info
▸ openid
▸ Profile
▸ email
▸ address
▸ phone

116. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
OPEN ID CONNECT
Image: https://openidconnect.net

117. DELEGATION!

118. @joel__lord
#PyConSK
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
RESOURCES
▸ General JWT resource
▸ https://jwt.io/
▸ Learn how OIDC works
▸ https://openidconnect.net/
▸ Code samples
▸ http://bit.ly/idontcareaboutsecurity

119. @joel__lord
joellord
I DON’T CARE ABOUT SECURITY
(AND NEITHER SHOULD YOU)
PyCon SK
March 23rd, 2019
THANK YOU !

120. TEXT

121. TEXT