
Json web token api authorization


JWT TOKEN AND REST API

Published in: Engineering
  • May I get permission to make use of the slides for my web presentation? Acknowledgement will be given.
  • @m4tt88 That will not be possible, as claims are subject to verification. The signature, as explained in the slides, consists of three components, i.e. the header, payload and secret. This is further hashed using HMACSHA256 (by default). The secret is the signature held by the server. This is the way that our server will be able to verify existing tokens and sign new ones.
  • @m4tt88 You can change the value, but when you send it to the server it won't be valid.
  • Hi, I might be missing the point, but if I can take, let's say, my token, decode it, and change the claims so that I become an admin, then we have a problem (if I originally didn't have admin rights). Please let me know if there is such a possibility.


  1. API Authorization JWT @liuggio
  2. JWT ISN'T Java Web Tool...
  3. JSON WEB TOKEN
  4. JSON WEB TOKEN is trendy!!! Google, Microsoft and many others...
  5. Authentication IS NOT Authorization
  6. Authentication = hotel reception; Authorization = key of the room
  7. Cool: it ships information that can be verified and trusted with a digital signature.
  8. Coooool: JWT allows the server to verify the information contained in the JWT without necessarily storing state on the server. NO STATE!!!
  9. NO MORE COOKIEs. COOKIEs ARE BAD
  10. Old school with session storage: the web server has its own session storage.
  11. Old school with session storage: web server, web server, web server, web server... each one needs access to the same session storage, which is difficult to scale.
  12. JSON WEB TOKEN
      eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOjEyMzQ1Njc4OTAsIm5hbWUiOiJKb2huIERvZSIsImFkbWluIjp0cnVlfQ.eoaDVGTClRdfxUZXiPs3f8FmJDkDE_VCQFXqKxpLsts
  13. JSON WEB TOKEN: the same token, split at the dots into its three parts
      Header:                   eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
      Claims:                   eyJzdWIiOjEyMzQ1Njc4OTAsIm5hbWUiOiJKb2huIERvZSIsImFkbWluIjp0cnVlfQ
      JSON Web Signature (JWS): eoaDVGTClRdfxUZXiPs3f8FmJDkDE_VCQFXqKxpLsts
  14. JSON WEB TOKEN (diagram: header . claims . signature)
  15. HEADER: { "alg": "HS256", "typ": "JWT" }
      CLAIMS: { "id": 1234567890, "name": "John Doe", "admin": true }
  16. header = { "alg": "HS256" }
      claims = { "api_id": "debugger", "exp": 1451606400, "bha": "c23543fd68fe6c8b82691ab2b402f423" }
      signed = base64UrlEncode( HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(claims), "secret" ) )
      token  = base64UrlEncode(header) + "." + base64UrlEncode(claims) + "." + signed
      (the HMAC output is raw bytes, so it is base64url-encoded too; "exp" is seconds since the epoch)
  17. HTTP REQUEST
      curl -X POST http://pugporn.com \
        -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJhcGlfaWQiOiJkZWJ1Z2dlciIsImV4cCI6MTQ1MTYwNjQwMCwiYmhhIjoiYzIzNTQzZmQ2OGZlNmM4YjgyNjkxYWIyYjQwMmY0MjMifQ.yC0qeyxTy_QfMBhoHdAq68KIDOaqFCJNHf6g9HBD4z8' \
        -H "Content-Type: application/json" \
        -d "your data"
      (over plain http the token travels in the clear and can be captured and reused; in practice the API is served over https)
  18. JWT and API GOALS: 1. authorize the request; 2. verify the sender; 3. avoid man in the middle (the signature alone does not give you this, the token must travel over TLS); 4. expiration (the "exp" claim); 5. request cloning (replay).
  19. Advantages 1/3
      ● Cross-domain / CORS: cookies + CORS don't play well across different domains.
      ● Stateless (a.k.a. server-side scalability): there is no need to keep a session store, the token is a self-contained entity that conveys all the user information. The rest of the state lives in cookies or local storage on the client side.
      ● CDN: you can serve all the assets of your app from a CDN (e.g. JavaScript, HTML, images, etc.), and your server side is just the API.
  20. Advantages 2/3
      ● Mobile ready: when you start working on a native platform, cookies are not ideal when consuming a secure API (you have to deal with cookie containers).
      ● CSRF: as long as the token is sent in the Authorization header and not in a cookie, the browser never attaches it automatically, so you don't need to protect against cross-site requests.
      ● Performance: we are not presenting any hard perf benchmarks here, but a network round trip (e.g. finding a session in a database) is likely to take more time than calculating an HMACSHA256 to validate a token and parsing its contents.
  21. Advantages 3/3
      ● Functional tests: you don't need to handle any special case for login.
      ● Standard-based: your API can accept a standard JSON Web Token (JWT). This is a standard, and there are multiple backend libraries (.NET, Ruby, Java, Python, PHP) and companies backing their infrastructure with it.
      ● Decoupling: you are not tied to a particular authentication scheme. The token might be generated anywhere, hence your API can be called from anywhere with a single way of authenticating those calls.
  22. References
      Tools
        http://jwt.io/
        http://www.timestampgenerator.com/1451606400/#result
      Related articles
        https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/
        https://developer.atlassian.com/static/connect/docs/concepts/understanding-jwt.html
        https://developers.google.com/wallet/instant-buy/about-jwts
        http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html
      RFC
        JWT: http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html
        JOSE: https://tools.ietf.org/wg/jose/
      Video
        José Padilla: https://www.youtube.com/watch?v=825hodQ61bg
        Travis Spencer: https://www.youtube.com/watch?v=E6o3IKcQABY
  23. @LIUGGIO LOVEs PUG_ROMA
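The following is an added example, not code from the deck or from @liuggio. It implements the signing recipe of slide 16 and the server side of the request on slide 17 with nothing but the Python standard library, and it also answers the question raised in the comments: what happens when a client decodes the claims, sets "admin": true and sends the token back with the old signature. The key SECRET (the literal "secret" from slide 16), the claim values, the InvalidToken exception and the helper names are all assumptions made for this demo. The verifier pins the algorithm to HS256 instead of trusting the token's own "alg" field, compares the MAC in constant time, and treats "exp" as seconds since the epoch.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical shared HMAC key; slide 16 uses the literal "secret". A real
# deployment needs a random key of at least 32 bytes that only the server holds.
SECRET = b"secret"


class InvalidToken(Exception):
    """Raised for any token the server must refuse (assumed name for this demo)."""


def b64url_encode(data: bytes) -> str:
    # JWS uses base64url with the '=' padding stripped (RFC 7515 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding the base64 module expects, then decode.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_sign(claims: dict, secret: bytes) -> str:
    """header.claims.signature as on slide 16: HS256 over the first two parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def jwt_verify(token: str, secret: bytes, now=None) -> dict:
    """Return the claims if the token is genuine and unexpired, else raise InvalidToken."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("token must have exactly three dot-separated parts")
    header_b64, claims_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
        signing_input = f"{header_b64}.{claims_b64}".encode("ascii")
    except ValueError:  # bad base64, bad UTF-8, bad JSON or non-ASCII input
        raise InvalidToken("malformed token") from None
    # The server pins the algorithm; it never lets the token pick one ("none", RS256...).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison: a plain == leaks timing about the correct MAC.
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("bad signature")
    try:
        claims = json.loads(b64url_decode(claims_b64))
    except ValueError:
        raise InvalidToken("malformed claims") from None
    if not isinstance(claims, dict):
        raise InvalidToken("claims must be a JSON object")
    now = int(time.time()) if now is None else now
    # "exp" is seconds since the epoch; slide 16's 1451606400 is 2016-01-01T00:00:00Z.
    exp = claims.get("exp")
    if exp is not None and (not isinstance(exp, int) or now >= exp):
        raise InvalidToken("token expired or exp malformed")
    return claims


def authorize_request(headers: dict, secret: bytes, now=None) -> dict:
    """Server side of slide 17: pull the token out of the Bearer header and verify it."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise InvalidToken("missing Bearer token")
    return jwt_verify(token.strip(), secret, now)


def is_valid(token: str, secret: bytes, now=None) -> bool:
    try:
        jwt_verify(token, secret, now)
        return True
    except InvalidToken:
        return False


def tamper_admin(token: str) -> str:
    """The attack from the comment thread: re-encode the claims with admin=true, keep the old signature."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(claims_b64))
    claims["admin"] = True
    forged = b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    return ".".join([header_b64, forged, sig_b64])


if __name__ == "__main__":
    # Constructed demo claims; the numbers mirror the slides.
    token = jwt_sign({"sub": 1234567890, "name": "John Doe", "admin": False, "exp": 1451606400}, SECRET)
    print("genuine  :", is_valid(token, SECRET, now=1451606399))                 # True
    print("forged   :", is_valid(tamper_admin(token), SECRET, now=1451606399))   # False
    print("expired  :", is_valid(token, SECRET, now=1451606400))                 # False
    print("wrong key:", is_valid(token, b"guess", now=1451606399))               # False
    print(authorize_request({"Authorization": "Bearer " + token}, SECRET, now=1451606399))
```

The forged token fails because the signature covers the exact base64url bytes of the claims: changing one byte of the claims changes the signing input, and without the server's key the attacker cannot produce the new MAC. That is the whole guarantee, and it is why the key must never leave the server and why the server, not the token, decides which algorithm is acceptable.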
