1.
JSON WEB TOKEN

2.
Ivan Rosolen
Graduado em Sistemas de Informação
Pós-graduado em Gerência de Projetos
Desenvolvedor a 15+ anos
Autor de vários PHPT (testes para o PHP)
Entusiasta de novas tecnologias
Head of Innovation @ Arizona
CTO @ Mokation

3.
@ivanrosolen

4.
Authentication

5.
- Form Request Post/Get
- OAuth
- Key/Hash
- Credenciais em plain text
- Session Cookies

6.
- Data is stored in plain text on the server
- Filesystem read/write requests
- Distributed/clustered applications
- Redis/Sticky sessions

7.
API

8.
- Stateless authentication (simplifies horizontal scaling)
- Prevent (mitigate) Cross-Site Request Forgery (CSRF)
attacks.
- Security (https)
- Authorization: Bearer

9.
- Authentication vs. Authorization
- 401 unauthorized / 403 forbidden
- JWT != ACL

10.
JOSE

11.
- JWT
- JWS
- JWA
- JWK
- JWE
JSON Object Signing and Encryption

12.
Advantages

13.
- JSON Web Tokens work across different programming languages
- JWTs are self-contained
- JWTs can be passed around easily and secure
- Better control like “one time token” to forgot password, confirm
user, request rates, access, etc.
- One token to rule them all (Stateless)

14.
Anatomy

15.
header.claims.signature

16.
Header
{
"typ": "JWT",
"alg": "HS256"
}

17.
Claims
- iss: The issuer of the token
- sub: The subject of the token
- aud: The audience of the token
- exp: This will probably be the registered claim most often used. This will define the expiration
in NumericDate value. The expiration MUST be after the current date/time.
- nbf: Defines the time before which the JWT MUST NOT be accepted for processing
- iat: The time the JWT was issued. Can be used to determine the age of the JWT
- jti: Unique identifier for the JWT. Can be used to prevent the JWT from being replayed. This is
helpful for a one time use token.
http://www.slideshare.net/lcobucci/jwt-to-authentication-and-beyond

18.
Payload / Claims
{
"iss": "ivanrosolen.com",
"exp": 1300819380,
"name": "Ivan Rosolen",
"admin": true
}

19.
JWT
eyJ0eXAiOiAiSldUIiwiYWxnIjogIkhTMjU2In0=
.
eyJpc3MiOiAiaXZhbnJvc29sZW4uY29tIiwiZXhwIjogMTMwM
DgxOTM4MCwibmFtZSI6ICJJdmFuIFJvc29sZW4iLCJhZG1pbiI
6IHRydWV9
.

20.
JWS
- header
- claims
payload
base64(header) . base64(claims)

21.
JWA
- secret (hmac sha256, rsa256 ....)
- encrypt payload with key ‘Xuplau’

22.
Signature
var encodedString = base64UrlEncode(header) + "."
+ base64UrlEncode(payload);
HMACSHA256(encodedString, 'Xuplau');

23.
JWT
eyJ0eXAiOiAiSldUIiwiYWxnIjogIkhTMjU2In0=
.
eyJpc3MiOiAiaXZhbnJvc29sZW4uY29tIiwiZXhwIjogMTMwM
DgxOTM4MCwibmFtZSI6ICJJdmFuIFJvc29sZW4iLCJhZG1pbiI
6IHRydWV9
.
M2FjZTM0M2ZiNjhhMzBiOWNiYTkxN2U1Zjk4YjUxOWYzMT
Y3NGZlMmU4MTIzYjU1NTRkMjNlNjYzOTkyZGU2Nw==

24.
Screencast
Utilizando PHP será explicado como gerar de forma manual (sem uso de
qualquer biblioteca) um JSON Web Token, que pode ser utilizado para
compartilhar informações entre aplicações e autorizar o portador do
token a acessar dados protegidos.
https://www.youtube.com/watch?v=k3KfK0ZS_FY

25.
Warning!

26.
Code

27.
Github
- Session
- JWT
- JOSE

28.
Refs

29.
Github
https://github.com/ivanrosolen/crud-demo
JWT
https://github.com/dwyl/learn-json-web-tokens
http://jwt.io
https://developer.atlassian.com/static/connect/docs/latest/concepts/understanding-jwt.html
http://stackoverflow.com/questions/20588467/how-to-do-stateless-session-less-cookie-less-authentication
Talks
http://www.slideshare.net/erickt86/secureapi
http://www.slideshare.net/lcobucci/jwt-to-authentication-and-beyond
Luís Otávio Cobucci Oblonczyk
https://github.com/lcobucci/jwt
https://github.com/Ocramius/PSR7Session

30.
????

31.
OBRIGADO!
Visite phpsp.org.br
https://joind.in/talk/05eb0