Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

PHP Experience 2016 - [Palestra] Json Web Token (JWT)

1,248 views

Published on

Ivan Rosolen, Head de Inovação na Arizona, fez a palestra "Json Web Token (JWT)", no PHP Experience 2016.

O iMasters PHP Experience 2016 aconteceu nos dias 21 e 22 de Março de 2015, no Hotel Tivoli em São Paulo-SP
http://phpexperience2016.imasters.com.br/

Published in: Education
  • Be the first to comment

PHP Experience 2016 - [Palestra] Json Web Token (JWT)

  1. 1. JSON WEB TOKEN
  2. 2. Ivan Rosolen Graduado em Sistemas de Informação Pós-graduado em Gerência de Projetos Desenvolvedor a 15+ anos Autor de vários PHPT (testes para o PHP) Entusiasta de novas tecnologias Head of Innovation @ Arizona CTO @ Mokation
  3. 3. @ivanrosolen
  4. 4. Authentication
  5. 5. - Form Request Post/Get - OAuth - Key/Hash - Credenciais em plain text - Session Cookies
  6. 6. - Data is stored in plain text on the server - Filesystem read/write requests - Distributed/clustered applications - Redis/Sticky sessions
  7. 7. API
  8. 8. - Stateless authentication (simplifies horizontal scaling) - Prevent (mitigate) Cross-Site Request Forgery (CSRF) attacks. - Security (https) - Authorization: Bearer
  9. 9. - Authentication vs. Authorization - 401 unauthorized / 403 forbidden - JWT != ACL
  10. 10. JOSE
  11. 11. - JWT - JWS - JWA - JWK - JWE JSON Object Signing and Encryption
  12. 12. Advantages
  13. 13. - JSON Web Tokens work across different programming languages - JWTs are self-contained - JWTs can be passed around easily and secure - Better control like “one time token” to forgot password, confirm user, request rates, access, etc. - One token to rule them all (Stateless)
  14. 14. Anatomy
  15. 15. header.claims.signature
  16. 16. Header { "typ": "JWT", "alg": "HS256" }
  17. 17. Claims - iss: The issuer of the token - sub: The subject of the token - aud: The audience of the token - exp: This will probably be the registered claim most often used. This will define the expiration in NumericDate value. The expiration MUST be after the current date/time. - nbf: Defines the time before which the JWT MUST NOT be accepted for processing - iat: The time the JWT was issued. Can be used to determine the age of the JWT - jti: Unique identifier for the JWT. Can be used to prevent the JWT from being replayed. This is helpful for a one time use token. http://www.slideshare.net/lcobucci/jwt-to-authentication-and-beyond
  18. 18. Payload / Claims { "iss": "ivanrosolen.com", "exp": 1300819380, "name": "Ivan Rosolen", "admin": true }
  19. 19. JWT eyJ0eXAiOiAiSldUIiwiYWxnIjogIkhTMjU2In0= . eyJpc3MiOiAiaXZhbnJvc29sZW4uY29tIiwiZXhwIjogMTMwM DgxOTM4MCwibmFtZSI6ICJJdmFuIFJvc29sZW4iLCJhZG1pbiI 6IHRydWV9 .
  20. 20. JWS - header - claims payload base64(header) . base64(claims)
  21. 21. JWA - secret (hmac sha256, rsa256 ....) - encrypt payload with key ‘Xuplau’
  22. 22. Signature var encodedString = base64UrlEncode(header) + "." + base64UrlEncode(payload); HMACSHA256(encodedString, 'Xuplau');
  23. 23. JWT eyJ0eXAiOiAiSldUIiwiYWxnIjogIkhTMjU2In0= . eyJpc3MiOiAiaXZhbnJvc29sZW4uY29tIiwiZXhwIjogMTMwM DgxOTM4MCwibmFtZSI6ICJJdmFuIFJvc29sZW4iLCJhZG1pbiI 6IHRydWV9 . M2FjZTM0M2ZiNjhhMzBiOWNiYTkxN2U1Zjk4YjUxOWYzMT Y3NGZlMmU4MTIzYjU1NTRkMjNlNjYzOTkyZGU2Nw==
  24. 24. Screencast Utilizando PHP será explicado como gerar de forma manual (sem uso de qualquer biblioteca) um JSON Web Token, que pode ser utilizado para compartilhar informações entre aplicações e autorizar o portador do token a acessar dados protegidos. https://www.youtube.com/watch?v=k3KfK0ZS_FY
  25. 25. Warning!
  26. 26. Code
  27. 27. Github - Session - JWT - JOSE
  28. 28. Refs
  29. 29. Github https://github.com/ivanrosolen/crud-demo JWT https://github.com/dwyl/learn-json-web-tokens http://jwt.io https://developer.atlassian.com/static/connect/docs/latest/concepts/understanding-jwt.html http://stackoverflow.com/questions/20588467/how-to-do-stateless-session-less-cookie-less-authentication Talks http://www.slideshare.net/erickt86/secureapi http://www.slideshare.net/lcobucci/jwt-to-authentication-and-beyond Luís Otávio Cobucci Oblonczyk https://github.com/lcobucci/jwt https://github.com/Ocramius/PSR7Session
  30. 30. ????
  31. 31. OBRIGADO! Visite phpsp.org.br https://joind.in/talk/05eb0

×