Download to read offline
![Verifying a JWT
[
encodedHeader,
encodedPayload,
signature
] = jwt.split('.');
@philnash](https://image.slidesharecdn.com/bvtvsm4orlafqlkcaxxo-signature-753cb6f16dd9e78187c27f5c16d36b5d35566cf18d25ee83278c932237b78616-poli-170522152115/75/Jwt-wtf-Phil-Nash-Codemotion-Amsterdam-2017-47-2048.jpg)
Uploaded byCodemotion
Jwt, wtf? - Phil Nash - Codemotion Amsterdam 2017
This document discusses JSON Web Tokens (JWT), explaining their purpose, structure, and use cases such as stateless sessions and microservice authentication. It covers how to create and verify JWTs, including encoding and signing processes, while highlighting potential pitfalls like public data and security concerns. The document also advises against using JWT for traditional session management, recommending best practices instead.
More Related Content
Similar to Jwt, wtf? - Phil Nash - Codemotion Amsterdam 2017
![PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://cdn.slidesharecdn.com/ss_thumbnails/17h00ivanrosolen-160331183444-thumbnail.jpg?width=640&height=640&fit=bounds)
Jwt, wtf? - Phil Nash - Codemotion Amsterdam 2017
- 2.
- 3. ARE YOU READY FORSOME ABBREVIATIONS?
- 4.
- 5.
- 6.
- 7.
- 8.
- 9.
- 10.
- 11.
- 12.
- 13.
- 14.
- 15.
- 16.
- 17.
- 18. JWTs • What arethey? • What can you use them for? • How do they work? • Pitfalls @philnash
- 19.
- 20. JWT “JSON Web Token(JWT) is a compact, URL-safe means of representing claims to be transferred between two parties.” @philnash
- 21.
- 22.
- 23. JWT { "alg": "HS256", "typ": "JWT" } { "sub":"philnash@twilio.com" } @philnash
- 24.
- 25. WHAT CAN YOU USETHEM FOR?
- 26.
- 27.
- 28.
- 29. CLIENT SIDE AUTH FOR3RD PARTY SERVICES @philnash
- 30.
- 31.
- 32. Creating a JWT constheader = { "alg": "HS256", "typ": "JWT" } const payload = { "sub": "philnash@twilio.com" } @philnash
- 33.
- 34.
- 35. Header Claims -Unsecured "alg": "none" @philnash
- 36. Header Claims -Secured "alg": "HS256" @philnash
- 37. Payload Claims "iss" -issuer "sub" - subject "aud" - audience "exp" - expires at "nbf" - not before "iat" - issued at "jti" - JWT ID @philnash
- 38. Payload Claims Anything youwant! @philnash
- 39. Creating a JWT constheader = { "alg": "HS256", "typ": "JWT" } const payload = { "sub": "philnash@twilio.com" } @philnash
- 40.
- 41. Base64url encodedHeader = newBuffer(JSON.stringify(header)) .toString('base64') .replace(/=/g, "") .replace(/+/g, "-") .replace(///g, "_"); @philnash
- 42. Base64url encodedPayload = newBuffer(JSON.stringify(payload)) .toString('base64') .replace(/=/g, "") .replace(/+/g, "-") .replace(///g, "_"); @philnash
- 43.
- 44. HMAC SHA256 const crypto= require('crypto'); const hmac = crypto.createHmac('sha256', 'secret'); hmac.update(`${encodedHeader}.${encodedPayload}`); const signature = hmac.digest('base64'); @philnash
- 45.
- 46.
- 47. Verifying a JWT [ encodedHeader, encodedPayload, signature ]= jwt.split('.'); @philnash
- 48. Decode the header constdecodedHeader = JSON.parse( new Buffer(encodedHeader, 'base64').toString('ascii') ) @philnash
- 49. Decode the payload constdecodedPayload = JSON.parse( new Buffer(encodedPayload, 'base64').toString('ascii') ) @philnash
- 50. HMAC SHA256 const crypto= require('crypto'); const hmac = crypto.createHmac('sha256', 'secret'); hmac.update(`${encodedHeader}.${encodedPayload}`); const generatedSignature = hmac.digest('base64'); @philnash
- 51.
- 52.
- 53.
- 54.
- 55.
- 56. JWT { "alg": "HS256", "typ": "JWT" } { "sub":"philnash@twilio.com" } @philnash
- 57. JWT { "alg": "none" , "typ":"JWT" } { "sub": "philnash@twilio.com" } @philnash
- 58.
- 59.
- 60. WHAT CAN YOU USETHEM FOR?
- 61.
- 62. Stateless sessions -revocation • exp claim - token expiry time • Without state, you can't revoke individual tokens except by expiry • Requires a blacklist of revoked tokens to check against @philnash
- 63. Stateless sessions -storage • Cookies • ensure you have CSRF protection • localStorage • vulnerable to XSS • requires JS to store and insert as an Authentication header @philnash
- 64.
- 65. Microservice architecture • Authenticationserver signs tokens with private key • Other servers can verify with public key @philnash
- 66.
- 67. CLIENT SIDE AUTH FOR3RD PARTY SERVICES @philnash
- 68.
- 69. JWT, WTF? • https://jwt.io • RFC 7519 • JWTs VS Sessions • Stop using JWT for sessions • Use JWT the Right Way @philnash
- 70.
- 71.