Successfully reported this slideshow.

PHP Experience 2016 - [Palestra] Json Web Token (JWT)

2

Share

Upcoming SlideShare
JSON Web Token
JSON Web Token
Loading in …3
×
1 of 33
1 of 33

PHP Experience 2016 - [Palestra] Json Web Token (JWT)

2

Share

Download to read offline

Ivan Rosolen, Head de Inovação na Arizona, fez a palestra "Json Web Token (JWT)", no PHP Experience 2016.

O iMasters PHP Experience 2016 aconteceu nos dias 21 e 22 de Março de 2015, no Hotel Tivoli em São Paulo-SP
http://phpexperience2016.imasters.com.br/

Ivan Rosolen, Head de Inovação na Arizona, fez a palestra "Json Web Token (JWT)", no PHP Experience 2016.

O iMasters PHP Experience 2016 aconteceu nos dias 21 e 22 de Março de 2015, no Hotel Tivoli em São Paulo-SP
http://phpexperience2016.imasters.com.br/

More Related Content

More from iMasters

Related Books

Free with a 14 day trial from Scribd

See all

PHP Experience 2016 - [Palestra] Json Web Token (JWT)

  1. 1. JSON WEB TOKEN
  2. 2. Ivan Rosolen Graduado em Sistemas de Informação Pós-graduado em Gerência de Projetos Desenvolvedor a 15+ anos Autor de vários PHPT (testes para o PHP) Entusiasta de novas tecnologias Head of Innovation @ Arizona CTO @ Mokation
  3. 3. @ivanrosolen
  4. 4. Authentication
  5. 5. - Form Request Post/Get - OAuth - Key/Hash - Credenciais em plain text - Session Cookies
  6. 6. - Data is stored in plain text on the server - Filesystem read/write requests - Distributed/clustered applications - Redis/Sticky sessions
  7. 7. API
  8. 8. - Stateless authentication (simplifies horizontal scaling) - Prevent (mitigate) Cross-Site Request Forgery (CSRF) attacks. - Security (https) - Authorization: Bearer
  9. 9. - Authentication vs. Authorization - 401 unauthorized / 403 forbidden - JWT != ACL
  10. 10. JOSE
  11. 11. - JWT - JWS - JWA - JWK - JWE JSON Object Signing and Encryption
  12. 12. Advantages
  13. 13. - JSON Web Tokens work across different programming languages - JWTs are self-contained - JWTs can be passed around easily and secure - Better control like “one time token” to forgot password, confirm user, request rates, access, etc. - One token to rule them all (Stateless)
  14. 14. Anatomy
  15. 15. header.claims.signature
  16. 16. Header { "typ": "JWT", "alg": "HS256" }
  17. 17. Claims - iss: The issuer of the token - sub: The subject of the token - aud: The audience of the token - exp: This will probably be the registered claim most often used. This will define the expiration in NumericDate value. The expiration MUST be after the current date/time. - nbf: Defines the time before which the JWT MUST NOT be accepted for processing - iat: The time the JWT was issued. Can be used to determine the age of the JWT - jti: Unique identifier for the JWT. Can be used to prevent the JWT from being replayed. This is helpful for a one time use token. http://www.slideshare.net/lcobucci/jwt-to-authentication-and-beyond
  18. 18. Payload / Claims { "iss": "ivanrosolen.com", "exp": 1300819380, "name": "Ivan Rosolen", "admin": true }
  19. 19. JWT eyJ0eXAiOiAiSldUIiwiYWxnIjogIkhTMjU2In0= . eyJpc3MiOiAiaXZhbnJvc29sZW4uY29tIiwiZXhwIjogMTMwM DgxOTM4MCwibmFtZSI6ICJJdmFuIFJvc29sZW4iLCJhZG1pbiI 6IHRydWV9 .
  20. 20. JWS - header - claims payload base64(header) . base64(claims)
  21. 21. JWA - secret (hmac sha256, rsa256 ....) - encrypt payload with key ‘Xuplau’
  22. 22. Signature var encodedString = base64UrlEncode(header) + "." + base64UrlEncode(payload); HMACSHA256(encodedString, 'Xuplau');
  23. 23. JWT eyJ0eXAiOiAiSldUIiwiYWxnIjogIkhTMjU2In0= . eyJpc3MiOiAiaXZhbnJvc29sZW4uY29tIiwiZXhwIjogMTMwM DgxOTM4MCwibmFtZSI6ICJJdmFuIFJvc29sZW4iLCJhZG1pbiI 6IHRydWV9 . M2FjZTM0M2ZiNjhhMzBiOWNiYTkxN2U1Zjk4YjUxOWYzMT Y3NGZlMmU4MTIzYjU1NTRkMjNlNjYzOTkyZGU2Nw==
  24. 24. Screencast Utilizando PHP será explicado como gerar de forma manual (sem uso de qualquer biblioteca) um JSON Web Token, que pode ser utilizado para compartilhar informações entre aplicações e autorizar o portador do token a acessar dados protegidos. https://www.youtube.com/watch?v=k3KfK0ZS_FY
  25. 25. Warning!
  26. 26. Code
  27. 27. Github - Session - JWT - JOSE
  28. 28. Refs
  29. 29. Github https://github.com/ivanrosolen/crud-demo JWT https://github.com/dwyl/learn-json-web-tokens http://jwt.io https://developer.atlassian.com/static/connect/docs/latest/concepts/understanding-jwt.html http://stackoverflow.com/questions/20588467/how-to-do-stateless-session-less-cookie-less-authentication Talks http://www.slideshare.net/erickt86/secureapi http://www.slideshare.net/lcobucci/jwt-to-authentication-and-beyond Luís Otávio Cobucci Oblonczyk https://github.com/lcobucci/jwt https://github.com/Ocramius/PSR7Session
  30. 30. ????
  31. 31. OBRIGADO! Visite phpsp.org.br https://joind.in/talk/05eb0

×