SlideShare a Scribd company logo
I DON’T CARE ABOUT SECURITY
(AND NEITHER SHOULD YOU)
I DON’T CARE ABOUT SECURITY
(AND NEITHER SHOULD YOU)
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
ABOUT ME
@joel__lord
joellord
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
OAUTH FLOWS
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
OAUTH FLOWS
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
OAUTH FLOWS
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
OAUTH FLOWS
INTRODUCING OAUTH!
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
OAUTH FLOWS
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
OAUTH FLOWS
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
OAUTH FLOWS
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
OAUTH FLOWS
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
OAUTH FLOWS
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
OAUTH FLOWS
BUT WHY ?
DELEGATION!
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
TRADITIONAL APPLICATIONS
▸ Browser requests a login page
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
TRADITIONAL APPLICATIONS
▸ Browser requests a login page
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
TRADITIONAL APPLICATIONS
▸ Browser requests a login page
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
TRADITIONAL APPLICATIONS
▸ Browser requests a login page
▸ Server validates on the database
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
TRADITIONAL APPLICATIONS
▸ Browser requests a login page
▸ Server validates on the database
👍
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
TRADITIONAL APPLICATIONS
▸ Browser requests a login page
▸ Server validates on the database
▸ It creates a session and sends back
a cookie identifier
👍
"
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
WHAT’S WRONG WITH TRADITIONAL AUTHENTICATION?
▸ Multiple platforms connecting to
your application
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
WHAT’S WRONG WITH TRADITIONAL AUTHENTICATION?
▸ Multiple platforms connecting to
your application
▸ Tightly coupled
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
WHAT’S WRONG WITH TRADITIONAL AUTHENTICATION?
▸ Multiple platforms connecting to
your application
▸ Tightly coupled
▸ Sharing credentials to connect to a
third party API
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
WHAT’S WRONG WITH TRADITIONAL AUTHENTICATION?
▸ Multiple platforms connecting to
your application
▸ Tightly coupled
▸ Sharing credentials to connect to a
third party API
▸ Users have a gazillions accounts
already, which leads to password
reuse and lower conversion rates
OAUTH GRANTS
I DON’T CARE ABOUT SECURITY (AND
NEITHER SHOULD YOU)
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
AUTHORIZATION CODE
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
AUTHORIZATION CODE
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
AUTHORIZATION CODE
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
AUTHORIZATION CODE
👍
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
AUTHORIZATION CODE
👍
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
AUTHORIZATION CODE
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
AUTHORIZATION CODE
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
AUTHORIZATION CODE
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
AUTHORIZATION CODE
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
AUTHORIZATION CODE
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
AUTHORIZATION CODE
⛔
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
AUTHORIZATION CODE
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
AUTHORIZATION CODE
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
IMPLICIT GRANT
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
IMPLICIT GRANT
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
IMPLICIT GRANT
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
IMPLICIT GRANT
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
IMPLICIT GRANT
👍
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
IMPLICIT GRANT
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
IMPLICIT GRANT
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
IMPLICIT GRANT
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
IMPLICIT GRANT
👍
TOKENS 101
I DON’T CARE ABOUT SECURITY (AND
NEITHER SHOULD YOU)
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
TOKENS
▸ Access Tokens
▸ Gives you access to a
resource
▸ Controls access to your API
▸ Short Lived
▸ Refresh Tokens
▸ Enable you to get a new
access token
▸ Longed lived
▸ Can be revoked
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
TOKENS
▸ Refresh Tokens
▸ Enable you to get a new
access token
▸ Longed lived
▸ Can be revoked
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
TOKENS
▸ Refresh Tokens
▸ Enable you to get a new
access token
▸ Longed lived
▸ Can be revoked
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
TOKENS
▸ WS Federated
▸ SAML
▸ Custom stuff
▸ …
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
TOKENS
▸ WS Federated
▸ SAML
▸ Custom stuff
▸ JWT
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
JSON WEB TOKENS (JWTS, NOT JOTS)
eyJhbGciOiJIUzI1NiIsInR5cC
I6IkpXVCJ9.eyJzdWIiOiIxMj
M0NTY3ODkwIiwibmFtZSI6I
kpvZWwgTG9yZCIsImFkbWl
uIjp0cnVlLCJzY29wZSI6InBv
c3RzOnJlYWQgcG9zdHM6
d3JpdGUifQ.XesR-
pKdlscHfUwoKvHnACqfpe2
ywJ6t1BJKsq9rEcg
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
JSON WEB TOKENS (JWTS, NOT JOTS)
▸ Header
▸ Payload
▸ Signature
eyJhbGciOiJIUzI1NiIsInR5cC
I6IkpXVCJ9.eyJzdWIiOiIxMj
M0NTY3ODkwIiwibmFtZSI6I
kpvZWwgTG9yZCIsImFkbWl
uIjp0cnVlLCJzY29wZSI6InBv
c3RzOnJlYWQgcG9zdHM6
d3JpdGUifQ.XesR-
pKdlscHfUwoKvHnACqfpe2
ywJ6t1BJKsq9rEcg
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
JSON WEB TOKENS (JWTS, NOT JOTS)
▸ Header eyJhbGciOiJIUzI1NiIsInR5cC
I6IkpXVCJ9.eyJzdWIiOiIxMj
M0NTY3ODkwIiwibmFtZSI6I
kpvZWwgTG9yZCIsImFkbWl
uIjp0cnVlLCJzY29wZSI6InBv
c3RzOnJlYWQgcG9zdHM6
d3JpdGUifQ.XesR-
pKdlscHfUwoKvHnACqfpe2
ywJ6t1BJKsq9rEcg
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
JSON WEB TOKENS (JWTS, NOT JOTS)
▸ Header eyJhbGciOiJIUzI1NiIsInR5cC
I6IkpXVCJ9
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
JSON WEB TOKENS (JWTS, NOT JOTS)
▸ Header atob(‘eyJhbGciOiJIUzI1NiIsI
nR5cCI6IkpXVCJ9’);
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
JSON WEB TOKENS (JWTS, NOT JOTS)
▸ Header {
"alg": "HS256",
"typ": "JWT"
}
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
JSON WEB TOKENS (JWTS, NOT JOTS)
▸ Payload eyJhbGciOiJIUzI1NiIsInR5cC
I6IkpXVCJ9.eyJzdWIiOiIxMj
M0NTY3ODkwIiwibmFtZSI6I
kpvZWwgTG9yZCIsImFkbWl
uIjp0cnVlLCJzY29wZSI6InBv
c3RzOnJlYWQgcG9zdHM6
d3JpdGUifQ.XesR-
pKdlscHfUwoKvHnACqfpe2
ywJ6t1BJKsq9rEcg
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
JSON WEB TOKENS (JWTS, NOT JOTS)
▸ Payload eyJzdWIiOiIxMjM0NTY3OD
kwIiwibmFtZSI6IkpvZWwgT
G9yZCIsImFkbWluIjp0cnVlL
CJzY29wZSI6InBvc3RzOnJl
YWQgcG9zdHM6d3JpdGUi
fQ
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
JSON WEB TOKENS (JWTS, NOT JOTS)
▸ Payload atob(‘eyJzdWIiOiIxMjM0NT
Y3ODkwIiwibmFtZSI6IkpvZ
WwgTG9yZCIsImFkbWluIjp
0cnVlLCJzY29wZSI6InBvc3R
zOnJlYWQgcG9zdHM6d3J
pdGUifQ’);
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
JSON WEB TOKENS (JWTS, NOT JOTS)
▸ Payload {
"sub": "1234567890",
"name": "Joel Lord",
"admin": true,
"scope": "posts:read
posts:write"
}
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
JSON WEB TOKENS (JWTS, NOT JOTS)
▸ Signature XesR-
pKdlscHfUwoKvHnACqfpe2
ywJ6t1BJKsq9rEcg
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
JSON WEB TOKENS (JWTS, NOT JOTS)
▸ Signature hmacsha256(
`${header}.${payload}`,
SECRET_KEY
);
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
JSON WEB TOKENS (JWTS, NOT JOTS)
Image: https://jwt.io
CODE TIME!
Auth Server API
var express = require('express');
var Webtask = require('webtask-tools');
var bodyParser = require('body-parser');
var randopeep = require("randopeep");
var jwt = require("jsonwebtoken");
var app = express();
var users = [
{id: 1, username: "joellord", password: "joellord"},
{id: 2, username: "guest", password: "guest"}
];
app.use(bodyParser.json());
app.post("/login", function(req, res) {
if (!req.body.username || !req.body.password) return
res.status(400).send("Need username and password");
var user = users.find(function(u) {
return u.username === req.body.username && u.password ===
req.body.password;
});
if (!user) return res.status(401).send("User not found");
var token = jwt.sign({
sub: user.id,
scope: "api:read",
username: user.username
}, "mysupersecret", {expiresIn: "10 minutes"});
var express = require('express');
var Webtask = require('webtask-tools');
var bodyParser = require('body-parser');
var jwt = require("jsonwebtoken");
var app = express();
var users = [
{id: 1, username: "joellord", password: "joellord"},
{id: 2, username: "guest", password: "guest"}
];
app.use(bodyParser.urlencoded());
app.get("/login", function(req, res) {
var loginForm = "<form method='post'><input type=hidden
name=callback value='" + req.query.callback + "'><input type=text
name=username /><input type=text name=password /><input
type=submit></form>";
res.status(200).send(loginForm);
});
app.post("/login", function(req, res) {
if (!req.body.username || !req.body.password) return
res.status(400).send("Need username and password");
var user = users.find(function(u) {
return u.username === req.body.username && u.password ===
req.body.password;
});
if (!user) return res.status(401).send("User not found");
@joel__lord
#TCCC23
Auth Server
var express = require('express');
var bodyParser = require('body-parser');
var jwt = require("jsonwebtoken");
var app = express();
// ...
@joel__lord
#TCCC23
Auth Server
var express = require('express');
var bodyParser = require('body-parser');
var jwt = require("jsonwebtoken");
var app = express();
// ...
@joel__lord
#TCCC23
Auth Server
var express = require('express');
var bodyParser = require('body-parser');
var jwt = require("jsonwebtoken");
var app = express();
// ...
@joel__lord
#TCCC23
Auth Server
var express = require('express');
var bodyParser = require('body-parser');
var jwt = require("jsonwebtoken");
var app = express();
// ...
@joel__lord
#TCCC23
Auth Server
// Requires ...
var users = [
{id: 1, username: "joellord", password:
"joellord"},
{id: 2, username: "guest", password: "guest"}
];
@joel__lord
#TCCC23
Auth Server
// Requires ...
var users = [...];
app.use(bodyParser.urlencoded());
app.post("/login", function(req, res) {
// POST for login
});
app.get('*', function (req, res) {
res.sendStatus(404);
});
@joel__lord
#TCCC23
Auth Server
// Requires ...
var users = [...];
app.use(bodyParser.urlencoded());
app.post("/login", function(req, res) {
// POST for login
});
app.get('*', function (req, res) {
res.sendStatus(404);
});
@joel__lord
#TCCC23
Auth Server
app.post("/login", function(req, res) {
// POST for login
if (!req.body.username || !req.body.password)
return res.status(400).send("Need username and password");
var user = users.find(function(u) {
return u.username === req.body.username && u.password === req.body.password;
});
if (!user) return res.status(401).send("User not found");
var token = jwt.sign({
sub: user.id,
scope: "api:read",
username: user.username
}, "mysupersecret", {expiresIn: "10 minutes"});
res.redirect(req.body.callback + "#access_token=" + token);
});
@joel__lord
#TCCC23
Auth Server
app.post("/login", function(req, res) {
// POST for login
if (!req.body.username || !req.body.password)
return res.status(400).send("Need username and password");
var user = users.find(function(u) {
return u.username === req.body.username && u.password === req.body.password;
});
if (!user) return res.status(401).send("User not found");
var token = jwt.sign({
sub: user.id,
scope: "api:read",
username: user.username
}, "mysupersecret", {expiresIn: "10 minutes"});
res.redirect(req.body.callback + "#access_token=" + token);
});
@joel__lord
#TCCC23
Auth Server
app.post("/login", function(req, res) {
// POST for login
if (!req.body.username || !req.body.password)
return res.status(400).send("Need username and password");
var user = users.find(function(u) {
return u.username === req.body.username && u.password === req.body.password;
});
if (!user) return res.status(401).send("User not found");
var token = jwt.sign({
sub: user.id,
scope: "api:read",
username: user.username
}, "mysupersecret", {expiresIn: "10 minutes"});
res.redirect(req.body.callback + "#access_token=" + token);
});
@joel__lord
#TCCC23
Auth Server
app.post("/login", function(req, res) {
// POST for login
if (!req.body.username || !req.body.password)
return res.status(400).send("Need username and password");
var user = users.find(function(u) {
return u.username === req.body.username && u.password === req.body.password;
});
if (!user) return res.status(401).send("User not found");
var token = jwt.sign({
sub: user.id,
scope: "api:read",
username: user.username
}, "mysupersecret", {expiresIn: "10 minutes"});
res.redirect(req.body.callback + "#access_token=" + token);
});
@joel__lord
#TCCC23
Auth Server
// Requires ...
var users = [...];
app.use(bodyParser.urlencoded());
app.post("/login", function(req, res) {
// POST for login
});
app.get('*', function (req, res) {
res.sendStatus(404);
});
app.listen(8080, () => console.log("Auth server running on
8080"));}
@joel__lord
#TCCC23
API
var express = require('express');
var bodyParser = require('body-parser');
var randopeep = require("randopeep");
var expressjwt = require("express-jwt");
var app = express();
@joel__lord
#TCCC23
API
var express = require('express');
var bodyParser = require('body-parser');
var randopeep = require("randopeep");
var expressjwt = require("express-jwt");
var app = express();
@joel__lord
#TCCC23
API
var express = require('express');
var bodyParser = require('body-parser');
var randopeep = require("randopeep");
var expressjwt = require("express-jwt");
var app = express();
@joel__lord
#TCCC23
API
var express = require('express');
var bodyParser = require('body-parser');
var randopeep = require("randopeep");
var expressjwt = require("express-jwt");
var app = express();
@joel__lord
#TCCC23
API
var express = require('express');
var bodyParser = require('body-parser');
var randopeep = require("randopeep");
var expressjwt = require("express-jwt");
var app = express();
@joel__lord
#TCCC23
API
// Requires ...
var jwtCheck = expressjwt({
secret: "mysupersecret"
});
@joel__lord
#TCCC23
API
// Requires and config ...
app.get("/headline", function(req, res) {
// Unprotected
res.status(200).send(randopeep.clickbait.headline());
});
app.get("/protected/headline", jwtCheck, function(req, res) {
// Protected
res.status(200).send(randopeep.clickbait.headline("Joel Lord"));
});
app.get('*', function (req, res) {
res.sendStatus(404);
});
@joel__lord
#TCCC23
API
// Requires and config ...
app.get("/headline", function(req, res) {
// Unprotected
res.status(200).send(randopeep.clickbait.headline());
});
app.get("/protected/headline", jwtCheck, function(req, res) {
// Protected
res.status(200).send(randopeep.clickbait.headline("Joel Lord"));
});
app.get('*', function (req, res) {
res.sendStatus(404);
});
@joel__lord
#TCCC23
API
// Requires and config ...
app.get("/headline", function(req, res) {
// Unprotected
res.status(200).send(randopeep.clickbait.headline());
});
app.get("/protected/headline", jwtCheck, function(req, res) {
// Protected
res.status(200).send(randopeep.clickbait.headline("Joel Lord"));
});
app.get('*', function (req, res) {
res.sendStatus(404);
});
@joel__lord
#TCCC23
API
// Requires and config ...
app.get("/headline", function(req, res) {
// Unprotected
res.status(200).send(randopeep.clickbait.headline());
});
app.get("/protected/headline", jwtCheck, function(req, res) {
// Protected
res.status(200).send(randopeep.clickbait.headline("Joel Lord"));
});
app.get('*', function (req, res) {
res.sendStatus(404);
});
@joel__lord
#TCCC23
API
// Requires and config ...
app.get("/headline", function(req, res) {
// Unprotected
});
app.get("/protected/headline", jwtCheck, function(req, res) {
// Protected
});
app.get('*', function (req, res) {
res.sendStatus(404);
});
app.listen(8888, () => console.log("API listening on 8888"));
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
DEAR DEMO GODS, PLEASE LET THIS WORK
▸ https://github.com/joellord/
secure-spa-auth0
DELEGATION!
INTRODUCING OPEN ID CONNECT!
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
OPEN ID CONNECT
▸ Built on top of OAuth 2.0
▸ OpenID Connect is to OpenId what JavaScript is to Java
▸ Provides Identity Tokens in JWT format
▸ Uses a /userinfo endpoint to provide this info
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
OPEN ID CONNECT
▸ Uses the “scope” to fetch info
▸ openid
▸ Profile
▸ email
▸ address
▸ phone
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
OPEN ID CONNECT
scope=openid%20profile
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
OPEN ID CONNECT
👍
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
OPEN ID CONNECT
👍
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
OPEN ID CONNECT
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
OPEN ID CONNECT
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
OPEN ID CONNECT
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
OPEN ID CONNECT
/userinfo
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
OPEN ID CONNECT
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
OPEN ID CONNECT
Image: https://openidconnect.net
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
DEAR DEMO GODS, PLEASE LET THIS WORK
▸ https://github.com/joellord/
secure-spa-auth0
DELEGATION!
@joel__lord
#TCCC23
I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
RESOURCES
▸ General JWT resource
▸ https://jwt.io/
▸ Learn how OIDC works
▸ https://openidconnect.net/
▸ Code samples
▸ http://bit.ly/idontcareaboutsecurity
@joel__lord
joellord
I DON’T CARE ABOUT SECURITY
(AND NEITHER SHOULD YOU)
Confoo
March 13th, 2019
THANK YOU !
TEXT
TEXT

More Related Content

More from Joel Lord

Forgot Password? Yes I Did!
Forgot Password? Yes I Did!Forgot Password? Yes I Did!
Forgot Password? Yes I Did!
Joel Lord
 
Mot de passe oublié? Absolument!
Mot de passe oublié? Absolument!Mot de passe oublié? Absolument!
Mot de passe oublié? Absolument!
Joel Lord
 
Asynchronicity: concurrency. A tale of
Asynchronicity: concurrency. A tale ofAsynchronicity: concurrency. A tale of
Asynchronicity: concurrency. A tale of
Joel Lord
 
Learning Machine Learning
Learning Machine LearningLearning Machine Learning
Learning Machine Learning
Joel Lord
 
Forgot Password? Yes I Did!
Forgot Password? Yes I Did!Forgot Password? Yes I Did!
Forgot Password? Yes I Did!
Joel Lord
 
WTH is a JWT
WTH is a JWTWTH is a JWT
WTH is a JWT
Joel Lord
 
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)
Joel Lord
 
Forgot Password? Yes I Did!
Forgot Password? Yes I Did!Forgot Password? Yes I Did!
Forgot Password? Yes I Did!
Joel Lord
 
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)
Joel Lord
 
WTH is a JWT
WTH is a JWTWTH is a JWT
WTH is a JWT
Joel Lord
 
Asynchonicity: concurrency. A tale of
Asynchonicity: concurrency. A tale ofAsynchonicity: concurrency. A tale of
Asynchonicity: concurrency. A tale of
Joel Lord
 
I Don't Care About Security
I Don't Care About Security I Don't Care About Security
I Don't Care About Security
Joel Lord
 
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)
Joel Lord
 
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)
Joel Lord
 
Secure your SPA with Auth0
Secure your SPA with Auth0Secure your SPA with Auth0
Secure your SPA with Auth0
Joel Lord
 
Learning Machine Learning
Learning Machine LearningLearning Machine Learning
Learning Machine Learning
Joel Lord
 
Learning Machine Learning
Learning Machine LearningLearning Machine Learning
Learning Machine Learning
Joel Lord
 
Rise of the Nodebots
Rise of the NodebotsRise of the Nodebots
Rise of the Nodebots
Joel Lord
 
Let's Get Physical
Let's Get PhysicalLet's Get Physical
Let's Get Physical
Joel Lord
 
Learning About Machine Learning
Learning About Machine LearningLearning About Machine Learning
Learning About Machine Learning
Joel Lord
 

More from Joel Lord (20)

Forgot Password? Yes I Did!
Forgot Password? Yes I Did!Forgot Password? Yes I Did!
Forgot Password? Yes I Did!
 
Mot de passe oublié? Absolument!
Mot de passe oublié? Absolument!Mot de passe oublié? Absolument!
Mot de passe oublié? Absolument!
 
Asynchronicity: concurrency. A tale of
Asynchronicity: concurrency. A tale ofAsynchronicity: concurrency. A tale of
Asynchronicity: concurrency. A tale of
 
Learning Machine Learning
Learning Machine LearningLearning Machine Learning
Learning Machine Learning
 
Forgot Password? Yes I Did!
Forgot Password? Yes I Did!Forgot Password? Yes I Did!
Forgot Password? Yes I Did!
 
WTH is a JWT
WTH is a JWTWTH is a JWT
WTH is a JWT
 
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)
 
Forgot Password? Yes I Did!
Forgot Password? Yes I Did!Forgot Password? Yes I Did!
Forgot Password? Yes I Did!
 
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)
 
WTH is a JWT
WTH is a JWTWTH is a JWT
WTH is a JWT
 
Asynchonicity: concurrency. A tale of
Asynchonicity: concurrency. A tale ofAsynchonicity: concurrency. A tale of
Asynchonicity: concurrency. A tale of
 
I Don't Care About Security
I Don't Care About Security I Don't Care About Security
I Don't Care About Security
 
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)
 
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)
 
Secure your SPA with Auth0
Secure your SPA with Auth0Secure your SPA with Auth0
Secure your SPA with Auth0
 
Learning Machine Learning
Learning Machine LearningLearning Machine Learning
Learning Machine Learning
 
Learning Machine Learning
Learning Machine LearningLearning Machine Learning
Learning Machine Learning
 
Rise of the Nodebots
Rise of the NodebotsRise of the Nodebots
Rise of the Nodebots
 
Let's Get Physical
Let's Get PhysicalLet's Get Physical
Let's Get Physical
 
Learning About Machine Learning
Learning About Machine LearningLearning About Machine Learning
Learning About Machine Learning
 

Recently uploaded

办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
uehowe
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
3a0sd7z3
 
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
ysasp1
 
Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!
Toptal Tech
 
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalmanuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
wolfsoftcompanyco
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
Paul Walk
 
Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
davidjhones387
 
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
fovkoyb
 
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
k4ncd0z
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
Tarandeep Singh
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
Donato Onofri
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
rtunex8r
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
3a0sd7z3
 
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
uehowe
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
xjq03c34
 
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
uehowe
 

Recently uploaded (16)

办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
 
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
快速办理(Vic毕业证书)惠灵顿维多利亚大学毕业证完成信一模一样
 
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
 
Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!Ready to Unlock the Power of Blockchain!
Ready to Unlock the Power of Blockchain!
 
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaalmanuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
manuaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaal
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
 
Discover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to IndiaDiscover the benefits of outsourcing SEO to India
Discover the benefits of outsourcing SEO to India
 
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
 
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理一比一原版(USYD毕业证)悉尼大学毕业证如何办理
一比一原版(USYD毕业证)悉尼大学毕业证如何办理
 
Bengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal BrandingBengaluru Dreamin' 24 - Personal Branding
Bengaluru Dreamin' 24 - Personal Branding
 
HijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process HollowingHijackLoader Evolution: Interactive Process Hollowing
HijackLoader Evolution: Interactive Process Hollowing
 
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
怎么办理(umiami毕业证书)美国迈阿密大学毕业证文凭证书实拍图原版一模一样
 
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
快速办理(新加坡SMU毕业证书)新加坡管理大学毕业证文凭证书一模一样
 
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
办理毕业证(NYU毕业证)纽约大学毕业证成绩单官方原版办理
 
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
办理新西兰奥克兰大学毕业证学位证书范本原版一模一样
 
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
留学挂科(UofM毕业证)明尼苏达大学毕业证成绩单复刻办理
 

I Don't Care About Security (And Neither Should You)

  • 1. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
  • 2.
  • 3. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
  • 4. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) ABOUT ME @joel__lord joellord
  • 5.
  • 6.
  • 7.
  • 8.
  • 9. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OAUTH FLOWS
  • 10. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OAUTH FLOWS
  • 11. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OAUTH FLOWS
  • 12. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OAUTH FLOWS
  • 14. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OAUTH FLOWS
  • 15. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OAUTH FLOWS
  • 16. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OAUTH FLOWS
  • 17. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OAUTH FLOWS
  • 18. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OAUTH FLOWS
  • 19. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OAUTH FLOWS
  • 22. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) TRADITIONAL APPLICATIONS ▸ Browser requests a login page
  • 23. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) TRADITIONAL APPLICATIONS ▸ Browser requests a login page
  • 24. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) TRADITIONAL APPLICATIONS ▸ Browser requests a login page
  • 25. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) TRADITIONAL APPLICATIONS ▸ Browser requests a login page ▸ Server validates on the database
  • 26. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) TRADITIONAL APPLICATIONS ▸ Browser requests a login page ▸ Server validates on the database 👍
  • 27. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) TRADITIONAL APPLICATIONS ▸ Browser requests a login page ▸ Server validates on the database ▸ It creates a session and sends back a cookie identifier 👍
  • 28. "
  • 29. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) WHAT’S WRONG WITH TRADITIONAL AUTHENTICATION? ▸ Multiple platforms connecting to your application
  • 30. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) WHAT’S WRONG WITH TRADITIONAL AUTHENTICATION? ▸ Multiple platforms connecting to your application ▸ Tightly coupled
  • 31. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) WHAT’S WRONG WITH TRADITIONAL AUTHENTICATION? ▸ Multiple platforms connecting to your application ▸ Tightly coupled ▸ Sharing credentials to connect to a third party API
  • 32. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) WHAT’S WRONG WITH TRADITIONAL AUTHENTICATION? ▸ Multiple platforms connecting to your application ▸ Tightly coupled ▸ Sharing credentials to connect to a third party API ▸ Users have a gazillions accounts already, which leads to password reuse and lower conversion rates
  • 33.
  • 34. OAUTH GRANTS I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
  • 35. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE
  • 36. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE
  • 37. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE
  • 38. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE 👍
  • 39. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE 👍
  • 40. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE
  • 41. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE
  • 42. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE
  • 43. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE
  • 44. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE
  • 45. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE ⛔
  • 46. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE
  • 47. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE
  • 48. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) IMPLICIT GRANT
  • 49. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) IMPLICIT GRANT
  • 50. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) IMPLICIT GRANT
  • 51. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) IMPLICIT GRANT
  • 52. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) IMPLICIT GRANT 👍
  • 53. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) IMPLICIT GRANT
  • 54. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) IMPLICIT GRANT
  • 55. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) IMPLICIT GRANT
  • 56. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) IMPLICIT GRANT 👍
  • 57. TOKENS 101 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
  • 58. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) TOKENS ▸ Access Tokens ▸ Gives you access to a resource ▸ Controls access to your API ▸ Short Lived ▸ Refresh Tokens ▸ Enable you to get a new access token ▸ Longed lived ▸ Can be revoked
  • 59. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) TOKENS ▸ Refresh Tokens ▸ Enable you to get a new access token ▸ Longed lived ▸ Can be revoked
  • 60. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) TOKENS ▸ Refresh Tokens ▸ Enable you to get a new access token ▸ Longed lived ▸ Can be revoked
  • 61. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) TOKENS ▸ WS Federated ▸ SAML ▸ Custom stuff ▸ …
  • 62. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) TOKENS ▸ WS Federated ▸ SAML ▸ Custom stuff ▸ JWT
  • 63. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) eyJhbGciOiJIUzI1NiIsInR5cC I6IkpXVCJ9.eyJzdWIiOiIxMj M0NTY3ODkwIiwibmFtZSI6I kpvZWwgTG9yZCIsImFkbWl uIjp0cnVlLCJzY29wZSI6InBv c3RzOnJlYWQgcG9zdHM6 d3JpdGUifQ.XesR- pKdlscHfUwoKvHnACqfpe2 ywJ6t1BJKsq9rEcg
  • 64. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) ▸ Header ▸ Payload ▸ Signature eyJhbGciOiJIUzI1NiIsInR5cC I6IkpXVCJ9.eyJzdWIiOiIxMj M0NTY3ODkwIiwibmFtZSI6I kpvZWwgTG9yZCIsImFkbWl uIjp0cnVlLCJzY29wZSI6InBv c3RzOnJlYWQgcG9zdHM6 d3JpdGUifQ.XesR- pKdlscHfUwoKvHnACqfpe2 ywJ6t1BJKsq9rEcg
  • 65. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) ▸ Header eyJhbGciOiJIUzI1NiIsInR5cC I6IkpXVCJ9.eyJzdWIiOiIxMj M0NTY3ODkwIiwibmFtZSI6I kpvZWwgTG9yZCIsImFkbWl uIjp0cnVlLCJzY29wZSI6InBv c3RzOnJlYWQgcG9zdHM6 d3JpdGUifQ.XesR- pKdlscHfUwoKvHnACqfpe2 ywJ6t1BJKsq9rEcg
  • 66. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) ▸ Header eyJhbGciOiJIUzI1NiIsInR5cC I6IkpXVCJ9
  • 67. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) ▸ Header atob(‘eyJhbGciOiJIUzI1NiIsI nR5cCI6IkpXVCJ9’);
  • 68. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) ▸ Header { "alg": "HS256", "typ": "JWT" }
  • 69. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) ▸ Payload eyJhbGciOiJIUzI1NiIsInR5cC I6IkpXVCJ9.eyJzdWIiOiIxMj M0NTY3ODkwIiwibmFtZSI6I kpvZWwgTG9yZCIsImFkbWl uIjp0cnVlLCJzY29wZSI6InBv c3RzOnJlYWQgcG9zdHM6 d3JpdGUifQ.XesR- pKdlscHfUwoKvHnACqfpe2 ywJ6t1BJKsq9rEcg
  • 70. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) ▸ Payload eyJzdWIiOiIxMjM0NTY3OD kwIiwibmFtZSI6IkpvZWwgT G9yZCIsImFkbWluIjp0cnVlL CJzY29wZSI6InBvc3RzOnJl YWQgcG9zdHM6d3JpdGUi fQ
  • 71. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) ▸ Payload atob(‘eyJzdWIiOiIxMjM0NT Y3ODkwIiwibmFtZSI6IkpvZ WwgTG9yZCIsImFkbWluIjp 0cnVlLCJzY29wZSI6InBvc3R zOnJlYWQgcG9zdHM6d3J pdGUifQ’);
  • 72. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) ▸ Payload { "sub": "1234567890", "name": "Joel Lord", "admin": true, "scope": "posts:read posts:write" }
  • 73. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) ▸ Signature XesR- pKdlscHfUwoKvHnACqfpe2 ywJ6t1BJKsq9rEcg
  • 74. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) ▸ Signature hmacsha256( `${header}.${payload}`, SECRET_KEY );
  • 75. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) Image: https://jwt.io
  • 77. Auth Server API var express = require('express'); var Webtask = require('webtask-tools'); var bodyParser = require('body-parser'); var randopeep = require("randopeep"); var jwt = require("jsonwebtoken"); var app = express(); var users = [ {id: 1, username: "joellord", password: "joellord"}, {id: 2, username: "guest", password: "guest"} ]; app.use(bodyParser.json()); app.post("/login", function(req, res) { if (!req.body.username || !req.body.password) return res.status(400).send("Need username and password"); var user = users.find(function(u) { return u.username === req.body.username && u.password === req.body.password; }); if (!user) return res.status(401).send("User not found"); var token = jwt.sign({ sub: user.id, scope: "api:read", username: user.username }, "mysupersecret", {expiresIn: "10 minutes"}); var express = require('express'); var Webtask = require('webtask-tools'); var bodyParser = require('body-parser'); var jwt = require("jsonwebtoken"); var app = express(); var users = [ {id: 1, username: "joellord", password: "joellord"}, {id: 2, username: "guest", password: "guest"} ]; app.use(bodyParser.urlencoded()); app.get("/login", function(req, res) { var loginForm = "<form method='post'><input type=hidden name=callback value='" + req.query.callback + "'><input type=text name=username /><input type=text name=password /><input type=submit></form>"; res.status(200).send(loginForm); }); app.post("/login", function(req, res) { if (!req.body.username || !req.body.password) return res.status(400).send("Need username and password"); var user = users.find(function(u) { return u.username === req.body.username && u.password === req.body.password; }); if (!user) return res.status(401).send("User not found");
  • 78. @joel__lord #TCCC23 Auth Server var express = require('express'); var bodyParser = require('body-parser'); var jwt = require("jsonwebtoken"); var app = express(); // ...
  • 79. @joel__lord #TCCC23 Auth Server var express = require('express'); var bodyParser = require('body-parser'); var jwt = require("jsonwebtoken"); var app = express(); // ...
  • 80. @joel__lord #TCCC23 Auth Server var express = require('express'); var bodyParser = require('body-parser'); var jwt = require("jsonwebtoken"); var app = express(); // ...
  • 81. @joel__lord #TCCC23 Auth Server var express = require('express'); var bodyParser = require('body-parser'); var jwt = require("jsonwebtoken"); var app = express(); // ...
  • 82. @joel__lord #TCCC23 Auth Server // Requires ... var users = [ {id: 1, username: "joellord", password: "joellord"}, {id: 2, username: "guest", password: "guest"} ];
  • 83. @joel__lord #TCCC23 Auth Server // Requires ... var users = [...]; app.use(bodyParser.urlencoded()); app.post("/login", function(req, res) { // POST for login }); app.get('*', function (req, res) { res.sendStatus(404); });
  • 84. @joel__lord #TCCC23 Auth Server // Requires ... var users = [...]; app.use(bodyParser.urlencoded()); app.post("/login", function(req, res) { // POST for login }); app.get('*', function (req, res) { res.sendStatus(404); });
  • 85. @joel__lord #TCCC23 Auth Server app.post("/login", function(req, res) { // POST for login if (!req.body.username || !req.body.password) return res.status(400).send("Need username and password"); var user = users.find(function(u) { return u.username === req.body.username && u.password === req.body.password; }); if (!user) return res.status(401).send("User not found"); var token = jwt.sign({ sub: user.id, scope: "api:read", username: user.username }, "mysupersecret", {expiresIn: "10 minutes"}); res.redirect(req.body.callback + "#access_token=" + token); });
  • 86. @joel__lord #TCCC23 Auth Server app.post("/login", function(req, res) { // POST for login if (!req.body.username || !req.body.password) return res.status(400).send("Need username and password"); var user = users.find(function(u) { return u.username === req.body.username && u.password === req.body.password; }); if (!user) return res.status(401).send("User not found"); var token = jwt.sign({ sub: user.id, scope: "api:read", username: user.username }, "mysupersecret", {expiresIn: "10 minutes"}); res.redirect(req.body.callback + "#access_token=" + token); });
  • 87. @joel__lord #TCCC23 Auth Server app.post("/login", function(req, res) { // POST for login if (!req.body.username || !req.body.password) return res.status(400).send("Need username and password"); var user = users.find(function(u) { return u.username === req.body.username && u.password === req.body.password; }); if (!user) return res.status(401).send("User not found"); var token = jwt.sign({ sub: user.id, scope: "api:read", username: user.username }, "mysupersecret", {expiresIn: "10 minutes"}); res.redirect(req.body.callback + "#access_token=" + token); });
  • 88. @joel__lord #TCCC23 Auth Server app.post("/login", function(req, res) { // POST for login if (!req.body.username || !req.body.password) return res.status(400).send("Need username and password"); var user = users.find(function(u) { return u.username === req.body.username && u.password === req.body.password; }); if (!user) return res.status(401).send("User not found"); var token = jwt.sign({ sub: user.id, scope: "api:read", username: user.username }, "mysupersecret", {expiresIn: "10 minutes"}); res.redirect(req.body.callback + "#access_token=" + token); });
  • 89. @joel__lord #TCCC23 Auth Server // Requires ... var users = [...]; app.use(bodyParser.urlencoded()); app.post("/login", function(req, res) { // POST for login }); app.get('*', function (req, res) { res.sendStatus(404); }); app.listen(8080, () => console.log("Auth server running on 8080"));}
  • 90. @joel__lord #TCCC23 API var express = require('express'); var bodyParser = require('body-parser'); var randopeep = require("randopeep"); var expressjwt = require("express-jwt"); var app = express();
  • 91. @joel__lord #TCCC23 API var express = require('express'); var bodyParser = require('body-parser'); var randopeep = require("randopeep"); var expressjwt = require("express-jwt"); var app = express();
  • 92. @joel__lord #TCCC23 API var express = require('express'); var bodyParser = require('body-parser'); var randopeep = require("randopeep"); var expressjwt = require("express-jwt"); var app = express();
  • 93. @joel__lord #TCCC23 API var express = require('express'); var bodyParser = require('body-parser'); var randopeep = require("randopeep"); var expressjwt = require("express-jwt"); var app = express();
  • 94. @joel__lord #TCCC23 API var express = require('express'); var bodyParser = require('body-parser'); var randopeep = require("randopeep"); var expressjwt = require("express-jwt"); var app = express();
  • 95. @joel__lord #TCCC23 API // Requires ... var jwtCheck = expressjwt({ secret: "mysupersecret" });
  • 96. @joel__lord #TCCC23 API // Requires and config ... app.get("/headline", function(req, res) { // Unprotected res.status(200).send(randopeep.clickbait.headline()); }); app.get("/protected/headline", jwtCheck, function(req, res) { // Protected res.status(200).send(randopeep.clickbait.headline("Joel Lord")); }); app.get('*', function (req, res) { res.sendStatus(404); });
  • 97. @joel__lord #TCCC23 API // Requires and config ... app.get("/headline", function(req, res) { // Unprotected res.status(200).send(randopeep.clickbait.headline()); }); app.get("/protected/headline", jwtCheck, function(req, res) { // Protected res.status(200).send(randopeep.clickbait.headline("Joel Lord")); }); app.get('*', function (req, res) { res.sendStatus(404); });
  • 98. @joel__lord #TCCC23 API // Requires and config ... app.get("/headline", function(req, res) { // Unprotected res.status(200).send(randopeep.clickbait.headline()); }); app.get("/protected/headline", jwtCheck, function(req, res) { // Protected res.status(200).send(randopeep.clickbait.headline("Joel Lord")); }); app.get('*', function (req, res) { res.sendStatus(404); });
  • 99. @joel__lord #TCCC23 API // Requires and config ... app.get("/headline", function(req, res) { // Unprotected res.status(200).send(randopeep.clickbait.headline()); }); app.get("/protected/headline", jwtCheck, function(req, res) { // Protected res.status(200).send(randopeep.clickbait.headline("Joel Lord")); }); app.get('*', function (req, res) { res.sendStatus(404); });
  • 100. @joel__lord #TCCC23 API // Requires and config ... app.get("/headline", function(req, res) { // Unprotected }); app.get("/protected/headline", jwtCheck, function(req, res) { // Protected }); app.get('*', function (req, res) { res.sendStatus(404); }); app.listen(8888, () => console.log("API listening on 8888"));
  • 101.
  • 102. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) DEAR DEMO GODS, PLEASE LET THIS WORK ▸ https://github.com/joellord/ secure-spa-auth0
  • 104.
  • 105.
  • 106.
  • 107.
  • 108.
  • 109.
  • 110.
  • 111. INTRODUCING OPEN ID CONNECT!
  • 112. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OPEN ID CONNECT ▸ Built on top of OAuth 2.0 ▸ OpenID Connect is to OpenId what JavaScript is to Java ▸ Provides Identity Tokens in JWT format ▸ Uses a /userinfo endpoint to provide this info
  • 113. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OPEN ID CONNECT ▸ Uses the “scope” to fetch info ▸ openid ▸ Profile ▸ email ▸ address ▸ phone
  • 114. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OPEN ID CONNECT scope=openid%20profile
  • 115. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OPEN ID CONNECT 👍
  • 116. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OPEN ID CONNECT 👍
  • 117. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OPEN ID CONNECT
  • 118. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OPEN ID CONNECT
  • 119. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OPEN ID CONNECT
  • 120. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OPEN ID CONNECT /userinfo
  • 121. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OPEN ID CONNECT
  • 122. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OPEN ID CONNECT Image: https://openidconnect.net
  • 123. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) DEAR DEMO GODS, PLEASE LET THIS WORK ▸ https://github.com/joellord/ secure-spa-auth0
  • 125. @joel__lord #TCCC23 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) RESOURCES ▸ General JWT resource ▸ https://jwt.io/ ▸ Learn how OIDC works ▸ https://openidconnect.net/ ▸ Code samples ▸ http://bit.ly/idontcareaboutsecurity
  • 126. @joel__lord joellord I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) Confoo March 13th, 2019 THANK YOU !
  • 127. TEXT
  • 128. TEXT