Jwt, wtf? - Phil Nash - Codemotion Amsterdam 2017
•
2 likes•707 views
We live in a world of rich client side applications and we need a secure way to authenticate our users. Session IDs are the traditional solution, but how well do they work for modern applications? You can't leave your credentials in the client, there's always someone malicious just waiting to steal them. Enter the JWT. These fancy little tokens can authenticate our users and our transactions because they know what they're allowed to do. We'll take a look at what JWTs can be used for, why to choose JWTs, how to generate them, and most importantly how to keep them.
Recommended
Recommended
More Related Content
More from Codemotion
More from Codemotion (20)
Recently uploaded
Recently uploaded (20)
Jwt, wtf? - Phil Nash - Codemotion Amsterdam 2017
- 3. ARE YOU READY FOR SOME ABBREVIATIONS?
- 8. THERE'S MORE
- 11. JOSE @philnash
- 13. AAARGH @philnash
- 17. JWT, WTF?
- 18. JWTs • What are they? • What can you use them for? • How do they work? • Pitfalls @philnash
- 19. WHAT'S A JWT?
- 20. JWT “JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties.” @philnash
- 23. JWT { "alg": "HS256", "typ": "JWT" } { "sub": "philnash@twilio.com" } @philnash
- 24. @philnash
- 25. WHAT CAN YOU USE THEM FOR?
- 29. CLIENT SIDE AUTH FOR 3RD PARTY SERVICES @philnash
- 32. Creating a JWT const header = { "alg": "HS256", "typ": "JWT" } const payload = { "sub": "philnash@twilio.com" } @philnash
- 33. CLAIMS @philnash
- 35. Header Claims - Unsecured "alg": "none" @philnash
- 36. Header Claims - Secured "alg": "HS256" @philnash
- 37. Payload Claims "iss" - issuer "sub" - subject "aud" - audience "exp" - expires at "nbf" - not before "iat" - issued at "jti" - JWT ID @philnash
- 38. Payload Claims Anything you want! @philnash
- 39. Creating a JWT const header = { "alg": "HS256", "typ": "JWT" } const payload = { "sub": "philnash@twilio.com" } @philnash
- 41. Base64url encodedHeader = new Buffer(JSON.stringify(header)) .toString('base64') .replace(/=/g, "") .replace(/+/g, "-") .replace(///g, "_"); @philnash
- 42. Base64url encodedPayload = new Buffer(JSON.stringify(payload)) .toString('base64') .replace(/=/g, "") .replace(/+/g, "-") .replace(///g, "_"); @philnash
- 44. HMAC SHA256 const crypto = require('crypto'); const hmac = crypto.createHmac('sha256', 'secret'); hmac.update(`${encodedHeader}.${encodedPayload}`); const signature = hmac.digest('base64'); @philnash
- 47. Verifying a JWT [ encodedHeader, encodedPayload, signature ] = jwt.split('.'); @philnash
- 48. Decode the header const decodedHeader = JSON.parse( new Buffer(encodedHeader, 'base64').toString('ascii') ) @philnash
- 49. Decode the payload const decodedPayload = JSON.parse( new Buffer(encodedPayload, 'base64').toString('ascii') ) @philnash
- 50. HMAC SHA256 const crypto = require('crypto'); const hmac = crypto.createHmac('sha256', 'secret'); hmac.update(`${encodedHeader}.${encodedPayload}`); const generatedSignature = hmac.digest('base64'); @philnash
- 53. PITFALLS
- 56. JWT { "alg": "HS256", "typ": "JWT" } { "sub": "philnash@twilio.com" } @philnash
- 57. JWT { "alg": "none" , "typ": "JWT" } { "sub": "philnash@twilio.com" } @philnash
- 60. WHAT CAN YOU USE THEM FOR?
- 62. Stateless sessions - revocation • exp claim - token expiry time • Without state, you can't revoke individual tokens except by expiry • Requires a blacklist of revoked tokens to check against @philnash
- 63. Stateless sessions - storage • Cookies • ensure you have CSRF protection • localStorage • vulnerable to XSS • requires JS to store and insert as an Authentication header @philnash
- 65. Microservice architecture • Authentication server signs tokens with private key • Other servers can verify with public key @philnash
- 67. CLIENT SIDE AUTH FOR 3RD PARTY SERVICES @philnash
- 68. JWT, WTF?
- 69. JWT, WTF? • https://jwt.io • RFC 7519 • JWTs VS Sessions • Stop using JWT for sessions • Use JWT the Right Way @philnash
- 70. THANKS!