Download as PDF, PPTX
More Related Content
![PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://cdn.slidesharecdn.com/ss_thumbnails/17h00ivanrosolen-160331183444-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)
- 1. I Don’t CareAbout Security And Neither Should You
- 2.
- 11.
- 12.
- 13.
- 14. That reminds meof OAuth!
- 15.
- 16.
- 17.
- 18.
- 19.
- 20.
- 21.
- 22.
- 23. Traditional Applications ! Browser requestsa login page
- 24. Traditional Applications ! Browser requestsa login page
- 25. Traditional Applications ! Browser requestsa login page
- 26. Traditional Applications ! Browser requestsa login page ! The server validates on its database
- 27. Traditional Applications ! Browser requestsa login page ! The server validates on its database 👍
- 28. Traditional Applications ! Browser requestsa login page ! The server validates on its database ! It creates a session and provides a cookie identifier
- 29. What’s wrong with traditionalauth? ! Multiple platforms connecting to your application ! Tightly coupled ! Sharing credentials to connect to another API ! Users have a gazillion passwords to remember, which increases security risks
- 30. What’s wrong with traditionalauth? ! Multiple platforms connecting to your application ! Tightly coupled ! Sharing credentials to connect to another API ! Users have a gazillion passwords to remember, which increases security risks
- 31. What’s wrong with traditionalauth? ! Multiple platforms connecting to your application ! Tightly coupled ! Sharing credentials to connect to another API ! Users have a gazillion passwords to remember, which increases security risks
- 32. What’s wrong with traditionalauth? ! Multiple platforms connecting to your application ! Tightly coupled ! Sharing credentials to connect to another API ! Users have a gazillion passwords to remember, which increases security risks
- 33. OAuth - TheFlows Authorization Code
- 34.
- 35.
- 36.
- 37.
- 38.
- 39.
- 40.
- 41. OAuth Tokens Access Token RefreshToken ! Give you access to a resource ! Controls access to your API ! Short lived ! Enables you to get a new token ! Longed lived ! Can be revoked
- 42. OAuth Tokens ! WS-Federated ! SAML !JWT ! Custom stuff ! More…
- 43. JSON Web Token !Header ! Payload ! Signature Header { "alg": "HS256", "typ": "JWT" } Payload { "sub": "1234567890", "name": "Joel Lord", "admin": true } Signature HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
- 44. JSON Web Token !Header ! Payload ! Signature Header eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 Payload eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvZWwgTG 9yZCIsImFkbWluIjp0cnVlLCJzY29wZSI6InBvc3RzOnJlY WQgcG9zdHM6d3JpdGUifQ Signature XesR-pKdlscHfUwoKvHnACqfpe2ywJ6t1BJKsq9rEcg
- 45. JSON Web Token !Header ! Payload ! Signature eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj M0NTY3ODkwIiwibmFtZSI6IkpvZWwgTG9yZCIsImFkbWl uIjp0cnVlLCJzY29wZSI6InBvc3RzOnJlYWQgcG9zdHM6d 3JpdGUifQ.XesR- pKdlscHfUwoKvHnACqfpe2ywJ6t1BJKsq9rEcg
- 46. JSON Web Token !Header ! Payload ! Signature Image: https://jwt.io
- 47. OAuth - TheFlows Implicit Flow
- 48.
- 49.
- 50.
- 51.
- 52.
- 53.
- 54.
- 55.
- 56.
- 57.
- 69.
- 70.
- 71.
- 72. This is justlike OpenID Connect
- 73. OpenID Connect ! Builton top of OAuth 2.0 ! OpenID Connect (OIDC) is to OpenID what Javascript is to Java ! Provides Identity Tokens in JWT format ! Uses a /userinfo endpoint to provide the info
- 74. OpenID Connect Scopes ! openid !profile ! email ! address ! phone
- 75. OpenID Connect Flows AuthorizationCode scope=openid%20profile
- 76.
- 77.
- 78.
- 79.
- 80.
- 83. I Don’t CareAbout Security Montreal Front-End Developers, March 2018 @joel__lord joellord