Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Modern API Security with!
JSON Web Tokens!
Jonathan LeBlanc !
Twitter: @jcleblanc !
Book: http://bit.ly/iddatasecurity!
JSON Web Token (JWT) Specification!
!
https://tools.ietf.org/html/rfc7519!
JWT Benefits!
!
They’re self contained and help maintain a stateless
architecture.!
!
They maintain a small footprint and ...
Traditional vs Token-Based
Authentication Systems!
User logs in, server checks creds	
Session stored in sever, cookie created	
Send session data to access endpoints	
Traditi...
Issues with traditional systems!
•  Sessions: Record needs to be stored on server !
•  Scalability: With sessions in memor...
User logs in, server checks creds	
Token generated, store in localStorage	
Provide token in headers for all reqs	
Token-Ba...
How JSON Web Tokens Work!
•  Header: Token type and hashing algorithm!
•  Payload: User / verification content!
•  Signature: Header, payload, and s...
XXXXXXXX.YYYYYYYY.ZZZZZZZZ!
What a Signed Token will Look Like!
Authorization: Bearer <token>!
Transmission of a JWT via HTTP Headers!
JWT Header!
!
alg: The hashing algorithm to be used.!
!
typ: The token type. Should be JWT.!
var header_data = {!
alg: 'RSA', !
typ: 'JWT' !
};!
Example JWT Header!
Difference between HMAC SHA256 and RSA SHA256
hashing algorithms!
!
HMAC SHA256: Symmetric key cryptography, single shared...
JWT Payload (Claims)!
!
Reserved: Predefined, recommended, interoperable terms. !
!
Public: Customs claims that may be set...
Reserved Claims!
!
iss (issuer): The person that issued the token.!
sub (subject) : The subject of the token.!
aud (audien...
var payload = {!
sub: '4355676',!
exp: '1481160294',!
jti: '841112',!
role: 'admin'!
};!
Example JWT Payload!
JWT Signature!
!
Encoded Data: Base64 encoded header + payload!
!
Secret: A private key.!
var header = {!
alg: 'RSA', !
typ: 'JWT' !
};!
!
var payload = {!
sub: '4355676',!
exp: '1481160294',!
jti: '841112’!
};!
...
// generate private key!
openssl genrsa -out private.pem 2048!
!
// generate public key!
openssl rsa -in private.pem -outf...
var fs = require('fs'), !
ursa = require('ursa');!
!
// set up public / private keys!
var key = ursa.generatePrivateKey(),...
var jwt = require('jsonwebtoken'),!
fs = require('fs');!
!
// get private key!
var cert = fs.readFileSync('private.pem');!...
eyJhbGciOiJSU0EiLCJ0eXAiOiJKV1QifQ.eyJzdWIiOiJ0b21Ac3Rvcm1wYXRoLmNvbSIsIm5hb
WUiOiJUb20gQWJib3R0Iiwicm9sZSI6InVzZXIifQ.Yjc...
var jwt = require('jsonwebtoken'),!
fs = require('fs');!
!
//get public key !
cert = fs.readFileSync('public.pem'); !
!
//...
Securing JWTs!
Securing JWTs!
!
•  Verify signature before trusting data in the JWT.!
•  Secure the secret key used for signing. Keys sho...
Preventing Replay Attacks!
!
To prevent replay attacks, include the following claims
to the JWT payload:!
!
•  jti (JWT ID...
JSON Web Encryption (JWE) Specification!
!
https://tools.ietf.org/html/rfc7516 !
Mixing JWTs with OAuth 2!
Benefits of the Specification!
!
Existing Trust Relationships: If a site has an existing
user relationship, that may be us...
A Bit of History!
!
OAuth, OpenID, authorization and
authentication!
JSON Web Token (JWT) Profile for OAuth 2.0
Client Authentication and Authorization Grants!
!
https://tools.ietf.org/pdf/rf...
"JWT vs OAuth" is a comparison of apples and
apple carts!
!
JWT: Authentication protocol!
OAuth: Distributed authorization...
User is forwarded to sign in, grant
permissions	
Code is provided back in URI	
Request to exchange code for token	
How the...
POST /token.oauth2 HTTP/1.1!
Host: service.example.com!
Content-Type: application/x-www-form-urlencoded!
!
grant_type=urn:...
POST /token.oauth2 HTTP/1.1!
Host: service.example.com!
Content-Type: application/x-www-form-urlencoded!
!
grant_type=auth...
Validating the JWT!
!
•  iss (required): Unique issuer identity claim.!
•  sub (required): Identity the token subject!
•  ...
Validating the JWT!
!
•  exp (required): Expiration to limit the time that the
JWT can be used.!
•  nbf (optional): Time b...
Validating the JWT!
!
•  Digitally signed / Message Authentication Code: A
valid signature / MAC must be present.!
•  Vali...
Links and More Information!
•  Specifications: !
•  JWT: https://tools.ietf.org/html/rfc7519!
•  JWT / OAuth2: https://too...
Thank You!!
Slides: slideshare.net/jcleblanc!
Jonathan LeBlanc !
Twitter: @jcleblanc !
Book: http://bit.ly/iddatasecurity!
Upcoming SlideShare
Loading in …5
×

Modern API Security with JSON Web Tokens

1,870 views

Published on

Building a modern API architecture is a constant struggle between ease of development and security. JSON Web Tokens (JWTs) introduce a means of building authentication into JSON objects being transmitted through APIs.

In this session we’ll explore how JWTs work to build verifiable and trusted objects, allowing them to be combined with standards such as OAuth 2 for capturing access tokens, leading to a secure means of JavaScript SDK dev.

Published in: Technology

Modern API Security with JSON Web Tokens

  1. 1. Modern API Security with! JSON Web Tokens! Jonathan LeBlanc ! Twitter: @jcleblanc ! Book: http://bit.ly/iddatasecurity!
  2. 2. JSON Web Token (JWT) Specification! ! https://tools.ietf.org/html/rfc7519!
  3. 3. JWT Benefits! ! They’re self contained and help maintain a stateless architecture.! ! They maintain a small footprint and can be passed along easily. ! ! They work well across multiple programming languages.!
  4. 4. Traditional vs Token-Based Authentication Systems!
  5. 5. User logs in, server checks creds Session stored in sever, cookie created Send session data to access endpoints Traditional Authentication Systems
  6. 6. Issues with traditional systems! •  Sessions: Record needs to be stored on server ! •  Scalability: With sessions in memory, load increases drastically in a distributed system.! •  CORS: When using multiple devices grabbing data via AJAX requests, we may run into forbidden requests.! •  CSRF Attacks: Riding session data to send commands to server from a browser that is trusted via session.!
  7. 7. User logs in, server checks creds Token generated, store in localStorage Provide token in headers for all reqs Token-Based Authentication Systems
  8. 8. How JSON Web Tokens Work!
  9. 9. •  Header: Token type and hashing algorithm! •  Payload: User / verification content! •  Signature: Header, payload, and secret!
  10. 10. XXXXXXXX.YYYYYYYY.ZZZZZZZZ! What a Signed Token will Look Like!
  11. 11. Authorization: Bearer <token>! Transmission of a JWT via HTTP Headers!
  12. 12. JWT Header! ! alg: The hashing algorithm to be used.! ! typ: The token type. Should be JWT.!
  13. 13. var header_data = {! alg: 'RSA', ! typ: 'JWT' ! };! Example JWT Header!
  14. 14. Difference between HMAC SHA256 and RSA SHA256 hashing algorithms! ! HMAC SHA256: Symmetric key cryptography, single shared private key. Faster, good between trusted parties.! ! RSA SHA256: Asymmetric key cryptography, public / private keys. Slower, good between untrusted parties.!
  15. 15. JWT Payload (Claims)! ! Reserved: Predefined, recommended, interoperable terms. ! ! Public: Customs claims that may be set at will.! ! Private: Agreed upon claims between two parties.!
  16. 16. Reserved Claims! ! iss (issuer): The person that issued the token.! sub (subject) : The subject of the token.! aud (audience) : Audience the token is intended for.! exp (expiration time) : Expiration time of the token.! nbf (not before) : Starting time token is available.! iat (issued at) : When the token was issued.! jti (JWT ID) : Unique identifier for the token. ! !
  17. 17. var payload = {! sub: '4355676',! exp: '1481160294',! jti: '841112',! role: 'admin'! };! Example JWT Payload!
  18. 18. JWT Signature! ! Encoded Data: Base64 encoded header + payload! ! Secret: A private key.!
  19. 19. var header = {! alg: 'RSA', ! typ: 'JWT' ! };! ! var payload = {! sub: '4355676',! exp: '1481160294',! jti: '841112’! };! ! HMACSHA256(! base64UrlEncode(header) + "." +! base64UrlEncode(payload),! secret)! Creating a JWT signature!
  20. 20. // generate private key! openssl genrsa -out private.pem 2048! ! // generate public key! openssl rsa -in private.pem -outform PEM -pubout -out public.pem! Creating new public / private keys (minus password for testing)!
  21. 21. var fs = require('fs'), ! ursa = require('ursa');! ! // set up public / private keys! var key = ursa.generatePrivateKey(), ! privatepem = key.toPrivatePem(),! publicpem = key.toPublicPem();! ! // store keys in .pem files ! try {! fs.writeFileSync('private.pem', privatepem, 'ascii');! fs.writeFileSync('public.pem', publicpem, 'ascii');! } catch (err) {! console.error(err);! }! Writing new public / private keys to the file system!
  22. 22. var jwt = require('jsonwebtoken'),! fs = require('fs');! ! // get private key! var cert = fs.readFileSync('private.pem');! ! // sign asynchronously with RSA SHA256 ! jwt.sign({ foo: 'bar' }, cert, { algorithm: 'RS256' }, function(err, token) {! console.log(token);! });! Signing JSON Web Tokens !
  23. 23. eyJhbGciOiJSU0EiLCJ0eXAiOiJKV1QifQ.eyJzdWIiOiJ0b21Ac3Rvcm1wYXRoLmNvbSIsIm5hb WUiOiJUb20gQWJib3R0Iiwicm9sZSI6InVzZXIifQ.Yjc3YzdkZmQ4OTM1ZjA4MDM0OTdhOTkyMz ZhM2ZiZjZjNzVkZjIzOWJmMGM5YmU4MWZiYjY1MmY1YjRkNWY1ZA! Signed Token!
  24. 24. var jwt = require('jsonwebtoken'),! fs = require('fs');! ! //get public key ! cert = fs.readFileSync('public.pem'); ! ! // verify asynchronously with RSA SHA256! jwt.verify(token, cert, { algorithms: ['RS256'] }, function (err, payload) {! console.log(payload);! });! Verifying JSON Web Tokens!
  25. 25. Securing JWTs!
  26. 26. Securing JWTs! ! •  Verify signature before trusting data in the JWT.! •  Secure the secret key used for signing. Keys should only be accessible by the issuer and consumer.! •  Do not add sensitive data to the JWT. They are signed to protect against manipulation, not encrypted.!
  27. 27. Preventing Replay Attacks! ! To prevent replay attacks, include the following claims to the JWT payload:! ! •  jti (JWT ID): Random or pseudo-random nonce.! •  exp (expiration): Time the token expires.! •  iat (issued at): Time the token was issued. !
  28. 28. JSON Web Encryption (JWE) Specification! ! https://tools.ietf.org/html/rfc7516 !
  29. 29. Mixing JWTs with OAuth 2!
  30. 30. Benefits of the Specification! ! Existing Trust Relationships: If a site has an existing user relationship, that may be used.!
  31. 31. A Bit of History! ! OAuth, OpenID, authorization and authentication!
  32. 32. JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants! ! https://tools.ietf.org/pdf/rfc7523.pdf!
  33. 33. "JWT vs OAuth" is a comparison of apples and apple carts! ! JWT: Authentication protocol! OAuth: Distributed authorization framework !
  34. 34. User is forwarded to sign in, grant permissions Code is provided back in URI Request to exchange code for token How the OAuth 2 Process Generally Works Access Token is provided back
  35. 35. POST /token.oauth2 HTTP/1.1! Host: service.example.com! Content-Type: application/x-www-form-urlencoded! ! grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer! &assertion=eyJhbGciOiJFUzI1NiIsImtpZCI6IjE2In0.! eyJpc3Mi[...omitted for brevity...].! J9l-ZhwP[...omitted for brevity...]! Authorization Example OAuth 2 access token request with JWT!
  36. 36. POST /token.oauth2 HTTP/1.1! Host: service.example.com! Content-Type: application/x-www-form-urlencoded! ! grant_type=authorization_code&! code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4&! client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt- bearer! client_assertion=eyJhbGciOiJSUzI1NiIsImtpZCI6IjIyIn0.! eyJpc3Mi[...omitted for brevity...].! cC4hiUPo[...omitted for brevity...]! Authentication Example OAuth 2 access token request with JWT!
  37. 37. Validating the JWT! ! •  iss (required): Unique issuer identity claim.! •  sub (required): Identity the token subject! •  Authorization: ID of a valid delegate. ! •  Authentication: The OAuth 2 client ID.! •  aud (required): Identity of the authorization server, such as the URI endpoint. !
  38. 38. Validating the JWT! ! •  exp (required): Expiration to limit the time that the JWT can be used.! •  nbf (optional): Time before which token must not be accepted.! •  jti (optional): Uniquely identifies the token.! •  other claims (optional): Any other claims may be present.!
  39. 39. Validating the JWT! ! •  Digitally signed / Message Authentication Code: A valid signature / MAC must be present.! •  Valid JWT: Must conform to the makeup of a JWT.!
  40. 40. Links and More Information! •  Specifications: ! •  JWT: https://tools.ietf.org/html/rfc7519! •  JWT / OAuth2: https://tools.ietf.org/html/rfc7523! •  JSON Web Encryption: https://tools.ietf.org/html/ rfc7516! •  JWT Website: https://jwt.io/! •  jsonwebtoken NPM module: https://www.npmjs.com/package/ jsonwebtoken!
  41. 41. Thank You!! Slides: slideshare.net/jcleblanc! Jonathan LeBlanc ! Twitter: @jcleblanc ! Book: http://bit.ly/iddatasecurity!

×