Successfully reported this slideshow.
Your SlideShare is downloading. ×

Secure and practical authentication in API Platform

Sep. 13, 2021
1 like 584 views
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Upcoming SlideShare
Apigility – Lightning Fast API Development - OSSCamp 2014
Apigility – Lightning Fast API Development - OSSCamp 2014
Loading in …3
×

Check these out next

Mvvm is like born fraction
Ken Haneda
Selenium training for beginners
TIB Academy
Ansible-izing vCenter with vSphere’s RESTful APIs!
Jonathan Frappier
Functional Programming in PHP
Aurimas Niekis
PHP Frameworks, or how I learnt to stop worrying and love the code
Michal Juhas
CakePHP 2.0 - PHP Matsuri 2011
Graham Weldon
ColdFusion 10
Raymond Camden
1 of 29 Ad

Secure and practical authentication in API Platform

Sep. 13, 2021
1 like 584 views

Download to read offline

Technology

The Security part of your API is not something that belongs to API Platform itself. Instead, the framework lets you rely on the Symfony Security integration, including Symfony's built-in authenticators and community bundles that build on top of it.

Stateful VS stateless, Cookies VS Headers, Standard protocols VS home-made authentication flows... There's a lot of alternatives, which can make it very hard to find the right one.

In this talk we will review all these possibilities to see how you should secure your API depending on your application and infrastructure. Last but not least, we will discover a novelty that will help solving this issue.

The Security part of your API is not something that belongs to API Platform itself. Instead, the framework lets you rely on the Symfony Security integration, including Symfony's built-in authenticators and community bundles that build on top of it.

Stateful VS stateless, Cookies VS Headers, Standard protocols VS home-made authentication flows... There's a lot of alternatives, which can make it very hard to find the right one.

In this talk we will review all these possibilities to see how you should secure your API depending on your application and infrastructure. Last but not least, we will discover a novelty that will help solving this issue.

Technology
Advertisement

Recommended

Apigility – Lightning Fast API Development - OSSCamp 2014
OSSCube
2.9k views
26 slides
SAPO Messenger Meets Web 2.0
Luis Troni
516 views
15 slides
mod_php vs FastCGI vs FPM vs CLI
Jacques Woodcock
23.2k views
62 slides
XDebug For php debugging
Omid Khosrojerdi
3.8k views
13 slides
React UI Development: Introduction to "UI Component as API"
Itaru Kitagawa
1.5k views
34 slides
Building Ajax apps with the Google Web Toolkit
vivek_prahlad
1k views
19 slides
Development workflow
Sigsiu.NET
755 views
92 slides
Demystifying Selenium framework
kunalgate125
356 views
34 slides
Advertisement

More Related Content

Slideshows for you (7)

Mvvm is like born fraction
Ken Haneda
1.5k views
Selenium training for beginners
TIB Academy
57 views
Ansible-izing vCenter with vSphere’s RESTful APIs!
Jonathan Frappier
2.2k views
Functional Programming in PHP
Aurimas Niekis
29 views
PHP Frameworks, or how I learnt to stop worrying and love the code
Michal Juhas
1.6k views
CakePHP 2.0 - PHP Matsuri 2011
Graham Weldon
2.8k views
ColdFusion 10
Raymond Camden
1.4k views
Mvvm is like born fraction
Ken Haneda
1.5k views
32 slides
Selenium training for beginners
TIB Academy
57 views
14 slides
Ansible-izing vCenter with vSphere’s RESTful APIs!
Jonathan Frappier
2.2k views
34 slides
Functional Programming in PHP
Aurimas Niekis
29 views
15 slides
PHP Frameworks, or how I learnt to stop worrying and love the code
Michal Juhas
1.6k views
63 slides
CakePHP 2.0 - PHP Matsuri 2011
Graham Weldon
2.8k views
84 slides

Similar to Secure and practical authentication in API Platform (20)

The use of Symfony2 @ Overblog
Xavier Hausherr
5k views
Crafting APIs
Tatiana Al-Chueyr
440 views
(phpconftw2012) PHP as a Middleware in Embedded Systems
sosorry
1.9k views
Building a fully API-based platform on top of cPanel
Dominic Lüchinger
987 views
Symfony: A Brief Introduction
Craig Willis
785 views
Deploying Plack Web Applications: OSCON 2011
Tatsuhiko Miyagawa
8.2k views
Building a Great Web API - Evan Cooke - QCON 2011
Twilio Inc
2.3k views
Behavior & Specification Driven Development in PHP - #OpenWest
Joshua Warren
1.4k views
ID304 - Lotus® Connections 3.0 TDI, SSO, and User Life Cycle Management: What...
Luis Benitez
8.1k views
Php through the eyes of a hoster: PHPNW10
Combell NV
1.1k views
Simplify your professional web development with symfony
Francois Zaninotto
2.7k views
Cloud Native Identity with SPIFFE
Prabath Siriwardena
2.6k views
Beware the potholes
Yan Cui
1.1k views
How Symfony Changed My Life
Matthias Noback
2.4k views
Flask With Server-Sent Event
Tencent
4.4k views
How Symfony changed my life (#SfPot, Paris, 19th November 2015)
Matthias Noback
2.2k views
apidays LIVE Jakarta - REST the events: REST APIs for Event-Driven Architectu...
apidays
161 views
TestWorks Conf Robot framework - the unsung hero of test automation - Michael...
Xebia Nederland BV
752 views
#Credits
Kamil Trávník
1.9k views
Sviluppo di architetture orientate ai servizi con EclipseSOA
Alberto Lagna
344 views
The use of Symfony2 @ Overblog
Xavier Hausherr
5k views
36 slides
Crafting APIs
Tatiana Al-Chueyr
440 views
59 slides
(phpconftw2012) PHP as a Middleware in Embedded Systems
sosorry
1.9k views
91 slides
Building a fully API-based platform on top of cPanel
Dominic Lüchinger
987 views
48 slides
Symfony: A Brief Introduction
Craig Willis
785 views
27 slides
Deploying Plack Web Applications: OSCON 2011
Tatsuhiko Miyagawa
8.2k views
143 slides
Advertisement

Recently uploaded (20)

ANS_Ch_06_Handouts.pdf
MeymunaMohammed1
1 view
CybersecurityHQ.io News Februrary 5th, 2023
CybersecurityHQ
0 views
Innovation project.pptx
ShikharTomar7
0 views
HUAWEI IdeaHub Configeration Guidance v1.0.pptx
helberth73
4 views
Level 50 - How can CSP partners build a business with Azure.pptx
ssusera5e1a91
0 views
Machine Learning with ML.NET
Hossein Zahed
6 views
Python Impressionador - Samara Delmiro Sales Silva - Ingles.pdf
Samara Delmiro
0 views
etech-group1.pptx
ChristineMaeBasco1
2 views
DX and Your Future Careers
De La Salle-College of Saint Benilde
4 views
Cloud_Ch_01_Handouts(1).pdf
MeymunaMohammed1
2 views
ANS_Ch_04_Handouts.pdf
MeymunaMohammed1
1 view
PrimePress.pptx
cuong60
1 view
Eurotech ADAS offering
federica maion
38 views
INTRODUCTION TO ICT.pptx
FernandoPrado85
0 views
Comparative-Assessment-between-PIR-and-Ultrasonic-sensor-for-Burglar-Alarm-Ap...
HectorLyn
3 views
Responsible AI_discussion draft.pdf
rocripit
2 views
DNS na AWS - Zero To Hero using Route 53
Wilson Rogerio Lopes
6 views
CEPAR Conference _20230204.pdf
Nanda Mohan Shenoy
48 views
basic electricity.pptx
DenmarkFrancisco3
4 views
Line Detection using Hough transform .pptx
shubham loni
5 views
ANS_Ch_06_Handouts.pdf
MeymunaMohammed1
1 view
51 slides
CybersecurityHQ.io News Februrary 5th, 2023
CybersecurityHQ
0 views
4 slides
Innovation project.pptx
ShikharTomar7
0 views
17 slides
HUAWEI IdeaHub Configeration Guidance v1.0.pptx
helberth73
4 views
29 slides
Level 50 - How can CSP partners build a business with Azure.pptx
ssusera5e1a91
0 views
56 slides
Machine Learning with ML.NET
Hossein Zahed
6 views
9 slides

Secure and practical authentication in API Platform

  1. 1. Secure and Practical Authentication in API Platform
  2. 2. Y Software Architect, Developer & Maintainer Symfony Core Team / LexikJWTAuthenticationBundle Project Lead / Principal Engineer @Les-Tilleus.coop twitter.com/chalas_r github.com/chalasr Robin Chalas
  3. 3. Your text How does API Platform handle authentication?
  4. 4. How API Platform handles authentication? Your text Well, it does not.
  5. 5. How API Platform handles authentication? Your text It is Symfony job.
  6. 6. The Options ✔ PHP Sessions ✔ JWT ✔ OAuth2 / OIDC
  7. 7. PHP Sessions Pros ● Convenient ● Proven (since 20+ years) Cons ● Scaling is challenging (needs extra storage or sticky sessions) ● Not RESTful
  8. 8. PHP Sessions: Native File
  9. 9. PHP Sessions: Redis
  10. 10. PHP Sessions: Json Login Authenticator
  11. 11. PHP Sessions Symfony Docs - Sessions https://symfony.com/doc/current/session.html Symfony 5: The Fast Track - Redis Sessions https://symfony.com/doc/current/the-fast-track/en/31-redis.html Read More
  12. 12. PHP Sessions REST is not a religion. Using sessions for your API is fine.
  13. 13. The Options ✔ PHP Sessions ✔ JWT ✔ OAuth2 / OIDC
  14. 14. JWT Pros ● Standard Token format (RFC 7519) ● Server does not need to keep track of sessions ● Can be used in contexts where cookies are disabled ● Scales easily (any server possessing the public key can verify tokens) ● Fun to use Cons ● Complex (key management, refresh tokens...)
  15. 15. JWT composer require lexik/jwt-authentication-bundle
  16. 16. JWT: Symmetric or Asymmetric Only use asymmetric signatures (RSA/ECDSA) when multiple applications need to verify the tokens. Otherwise, use symmetric signatures (shared secret - HMAC).
  17. 17. JWT: Symmetric Config
  18. 18. JWT: Asymmetric Config
  19. 19. JWT: Asymmetric key generation
  20. 20. JWT: Firewall Config
  21. 21. JWT SymfonyCasts - Symfony RESTful API - Authentication with JWT https://symfonycasts.com/screencast/symfony-rest4/lexikjwt-authentication-bundle LexikJWTAuthenticationBundle documentation https://github.com/lexik/LexikJWTAuthenticationBundle Read More
  22. 22. The Options ✔ PHP Sessions ✔ JWT ✔ OAuth2 / OIDC
  23. 23. OAuth2 / OIDC If your API needs to authenticate users from third party clients, you need OAuth2.
  24. 24. OAuth2 / OIDC In this case, the libs you are looking for are league/oauth2-server and league/oauth2-client.
  25. 25. OAuth2 / OIDC: Symfony Integration For the server part, checkout league/oauth2-server-bundle (soon stable).
  26. 26. OAuth2 / OIDC: Symfony Integration For the client part, checkout knpuniversity/oauth2-client-bundle until something better comes out 😉
  27. 27. The Options ✔ PHP Sessions ✔ JWT ✔ OAuth2 / OIDC
  28. 28. Conclusion Both Sessions and JWTs are valid solutions for API authentication. Just use the one that you feel comfortable with. And, as soon as you have third party clients, use OAuth2 with OIDC.
  29. 29. Thank you! Robin Chalas Follow me on Twitter @chalas_r Sponsor me on GitHub @chalasr ANY QUESTIONS?

×