Secure and practical authentication in API Platform



The Security part of your API is not something that belongs to API Platform itself. Instead, the framework lets you rely on the Symfony Security integration, including Symfony's built-in authenticators and community bundles that build on top of it.

Stateful vs. stateless, cookies vs. headers, standard protocols vs. home-made authentication flows... There are many alternatives, which can make it hard to pick the right one.

In this talk we will review all these possibilities to see how you should secure your API depending on your application and infrastructure. Last but not least, we will discover a novelty that will help solve this issue.


  1. Secure and Practical Authentication in API Platform
  2. Robin Chalas: Software Architect, Developer & Maintainer; Symfony Core Team; LexikJWTAuthenticationBundle Project Lead; Principal Engineer @ Les-Tilleuls.coop; twitter.com/chalas_r; github.com/chalasr
  3. How does API Platform handle authentication?
  4. How does API Platform handle authentication? Well, it does not.
  5. How does API Platform handle authentication? It is Symfony's job.
  6. The Options: ✔ PHP Sessions ✔ JWT ✔ OAuth2 / OIDC
  7. PHP Sessions. Pros: ● Convenient ● Proven (20+ years). Cons: ● Scaling is challenging (needs extra storage or sticky sessions) ● Not RESTful
  8. PHP Sessions: Native File
  9. PHP Sessions: Redis
  10. PHP Sessions: JSON Login Authenticator
  11. PHP Sessions, read more: Symfony Docs - Sessions https://symfony.com/doc/current/session.html ; Symfony 5: The Fast Track - Redis Sessions https://symfony.com/doc/current/the-fast-track/en/31-redis.html
  12. PHP Sessions: REST is not a religion. Using sessions for your API is fine.
  13. The Options: ✔ PHP Sessions ✔ JWT ✔ OAuth2 / OIDC
  14. JWT. Pros: ● Standard token format (RFC 7519) ● Server does not need to keep track of sessions ● Can be used in contexts where cookies are disabled ● Scales easily (any server possessing the public key can verify tokens) ● Fun to use. Cons: ● Complex (key management, refresh tokens...)
  15. JWT: composer require lexik/jwt-authentication-bundle
  16. JWT: Symmetric or Asymmetric? Only use asymmetric signatures (RSA/ECDSA) when multiple applications need to verify the tokens. Otherwise, use symmetric signatures (shared secret - HMAC).
  17. JWT: Symmetric Config
  18. JWT: Asymmetric Config
  19. JWT: Asymmetric key generation
  20. JWT: Firewall Config
  21. JWT, read more: SymfonyCasts - Symfony RESTful API - Authentication with JWT https://symfonycasts.com/screencast/symfony-rest4/lexikjwt-authentication-bundle ; LexikJWTAuthenticationBundle documentation https://github.com/lexik/LexikJWTAuthenticationBundle
  22. The Options: ✔ PHP Sessions ✔ JWT ✔ OAuth2 / OIDC
  23. OAuth2 / OIDC: If your API needs to authenticate users from third-party clients, you need OAuth2.
  24. OAuth2 / OIDC: In this case, the libs you are looking for are league/oauth2-server and league/oauth2-client.
  25. OAuth2 / OIDC: Symfony Integration. For the server part, check out league/oauth2-server-bundle (soon stable).
  26. OAuth2 / OIDC: Symfony Integration. For the client part, check out knpuniversity/oauth2-client-bundle until something better comes out 😉
  27. The Options: ✔ PHP Sessions ✔ JWT ✔ OAuth2 / OIDC
  28. Conclusion: Both sessions and JWTs are valid solutions for API authentication. Just use the one that you feel comfortable with. And, as soon as you have third-party clients, use OAuth2 with OIDC.
  29. Thank you! Robin Chalas. Follow me on Twitter @chalas_r. Sponsor me on GitHub @chalasr. ANY QUESTIONS?
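As an added example (not from the slides, and not LexikJWTAuthenticationBundle code), the stdlib-only Python below shows what the symmetric HS256 choice from slides 14 and 16 means in practice: every server holding the shared secret can both issue and verify RFC 7519 tokens, so the secret must be guarded like a password, and a verifier has to pin the algorithm, compare the signature in constant time and enforce `exp` rather than trust whatever the token header claims. The secret and claim values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    """JWT uses base64url without padding for each of the three segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Issue header.payload.signature, signing with the shared secret (HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_hs256(token: str, secret: bytes, now: int = None):
    """Return the claims if the token is authentic and unexpired, else None."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: the verifier decides how to verify, never the token
    # (a header of "alg": "none" or a swapped algorithm is rejected outright).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        return None
    claims = json.loads(b64url_decode(p64))
    now = int(time.time()) if now is None else now
    # Stateless tokens cannot be revoked server-side, so a bounded lifetime is required.
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None
    return claims
```

With asymmetric signatures (slide 16), the same verifier would hold only the public key, which is why that option is the right one as soon as more than one application must verify tokens.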
