The document discusses token-based authorization and JSON web tokens (JWTs). It provides an overview of token-based authorization, including its advantages over cookie-based authorization. JWTs are described as a specification for tokens that contain encoded JSON claims in a compact URL-safe string. The document also covers OAuth2, describing its authorization grant types and flows at a high level.
5. HISTORY: COOKIE-BASED (FORMS): SEQUENCE DIAGRAM (slide footer: CONFIDENTIAL)
Browser -> Server: POST /auth {j_username:"uName", j_password:"password"}
Server -> Browser: HTTP 200 OK, Set-Cookie: j_sessionId=.....
Browser -> Server: GET /api/smth, Cookie: j_sessionId=.....
Server -> Browser: HTTP 200 OK, Response: {smth:....}
The server keeps the session state; the browser only holds the session id and attaches it automatically to every request to that origin.
13. TOKEN BASED AUTHORIZATION: SUMMARY
Supported by many frameworks
Easy to implement for distributed applications (no shared session store is needed)
Good support for non-browser clients
Flexible implementation: content, size, encryption, expiration
Works across different domains
- Request headers must be extended (the token travels in a header such as Authorization instead of being attached automatically like a cookie)
- Not standardized (token format and transport are implementation-specific)
- Be careful with size (the token is sent on every request)
17. JWT: STRUCTURE: PAYLOAD
{"sub": "1234567890", "name": "John Doe", "admin": true}
Registered claims (RFC 7519, section 4.1):
iss: issuer, the address or name of the authorization server that created the token
sub: subject, the user id
aud: audience, the client (application) the token is intended for; a receiver must reject a token whose aud does not name it
exp: expiration time, after which the token must be rejected
nbf: not before, the time from which the token is valid
iat: issued at, the time of token creation
jti: JWT id, a unique token id (useful for replay detection and revocation lists)
name and admin in the example are private claims agreed between issuer and consumer, not registered ones; like every claim they are only trustworthy after the signature has been verified.
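The registered claims above only mean something once the signature has been checked. The following Python is an added example, not code from the original slides: it mints an HS256 token with the standard library only, verifies it, and rejects the usual failure modes (an edited payload, an unsigned "alg: none" token, an expired token, and one presented before its nbf). The secret, the issuer name and the audience name are constructed for this demo and a fixed clock keeps the results deterministic.

```python
# Added example, not from the original slides: mint an HS256 JWT with the
# Python standard library, then verify it and check the registered claims.
# SECRET, ISSUER and AUDIENCE are constructed placeholders; NOW is a fixed
# clock so that the results are deterministic.
import base64
import hashlib
import hmac
import json

ISSUER = "https://oauth.example.com"   # assumed auth server name, goes into iss
AUDIENCE = "yourapp"                   # assumed client name, goes into aud
SECRET = b"demo-secret-do-not-reuse"   # constructed HMAC key shared by issuer and verifier
NOW = 1_700_000_000                    # fixed "current time" in seconds since the epoch


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def json_compact(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def mint_jwt(claims: dict, secret: bytes) -> str:
    """header.payload.signature, each part base64url-encoded without padding."""
    signing_input = (b64url_encode(json_compact({"alg": "HS256", "typ": "JWT"}))
                     + "." + b64url_encode(json_compact(claims)))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


class InvalidToken(Exception):
    pass


def verify_jwt(token: str, secret: bytes, issuer: str, audience: str, now: int) -> dict:
    """Return the claims only if the signature and the registered claims check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("token must have three parts")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    # Pin the algorithm instead of trusting header["alg"]: this rejects
    # "none" and prevents RS256/HS256 key-confusion tricks.
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, (h_b64 + "." + p_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise InvalidToken("bad signature")
    claims = json.loads(b64url_decode(p_b64))   # payload is only parsed after the signature passes
    if claims.get("iss") != issuer:
        raise InvalidToken("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise InvalidToken("token expired or has no exp")
    if now < claims.get("nbf", 0):
        raise InvalidToken("token not yet valid")
    return claims


def sample_claims(admin: bool = False) -> dict:
    return {"iss": ISSUER, "sub": "1234567890", "aud": AUDIENCE, "iat": NOW, "nbf": NOW,
            "exp": NOW + 3600, "jti": "8f1c", "name": "John Doe", "admin": admin}


def good_token() -> str:
    return mint_jwt(sample_claims(), SECRET)


def tampered_token() -> str:
    """Payload edited to admin=true while the original signature is kept."""
    h, _, s = good_token().split(".")
    return h + "." + b64url_encode(json_compact(sample_claims(admin=True))) + "." + s


def alg_none_token() -> str:
    """The classic 'alg: none' trick: an unsigned token that claims admin."""
    return (b64url_encode(json_compact({"alg": "none", "typ": "JWT"})) + "."
            + b64url_encode(json_compact(sample_claims(admin=True))) + ".")


def check(token: str, now: int = NOW + 60) -> str:
    """Verification verdict as a string: 'ok' or the rejection reason."""
    try:
        verify_jwt(token, SECRET, ISSUER, AUDIENCE, now)
        return "ok"
    except InvalidToken as err:
        return str(err)


if __name__ == "__main__":
    for name, tok in [("good", good_token()), ("tampered", tampered_token()), ("alg none", alg_none_token())]:
        print(name, "->", check(tok))
```

The verifier never reads "alg" to pick a key or algorithm; it pins HS256 and treats anything else as an error, which is the single most important check when consuming JWTs from a library that lets the token choose its own verification method.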
25. OAUTH2: AUTHORIZATION CODE - ANIMATION
Participants: Client Application (client side and server side), Auth Server, Resource server
- Enter credentials: the client application sends the user to the Auth Server:
  https://oauth.example.com/authorize?response_type=code&client_id=CLIENT_ID&redirect_uri=CALLBACK_URL&scope=read
- Auth code: the Auth Server redirects back to the client application with the code:
  https://yourapp.com/callback?code=AUTHORIZATION_CODE
- Provide code / Request Token: the server side of the client application exchanges the code for a token:
  https://oauth.example.com/token?client_id=CLIENT_ID&client_secret=CLIENT_SECRET&grant_type=authorization_code&code=AUTHORIZATION_CODE&redirect_uri=CALLBACK_URL
- Token response:
  { "access_token" : "...", "token_type" : "...", "expires_in" : "...", "refresh_token" : "..." }
- Query Resource With token: the client application calls the Resource server with the token
- Validate Token: the Resource server checks the token
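An added example, not the slides' code nor the linked demo project's: an in-memory Python model of the authorization-code exchange drawn above, with the checks an authorization server should make (registered redirect_uri, client_secret, single-use and expiring code) plus the state parameter from RFC 6749 that the slide's authorize URL omits. The client id, secret and URLs are constructed placeholders, and the token request is modelled as a POST body rather than the query string shown on the slide.

```python
import secrets, time
from urllib.parse import urlencode, urlparse, parse_qs
def query_params(url):
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
class AuthServer:  # toy authorization server, constructed for this example
    def __init__(self, clients):
        self.clients = clients            # client_id -> {"secret": ..., "redirect_uri": ...}
        self.codes, self.tokens = {}, {}  # code -> binding record; access_token -> user

    def authorize(self, params, user, now=None):
        # /authorize: redirect_uri must equal the registered one; the code is bound to client + redirect_uri, short-lived, single-use
        client = self.clients.get(params.get("client_id"))
        if (not client or params.get("response_type") != "code"
                or params.get("redirect_uri") != client["redirect_uri"]):
            raise ValueError("invalid_request")
        code = secrets.token_urlsafe(24)
        self.codes[code] = {"client_id": params["client_id"], "redirect_uri": params["redirect_uri"],
                            "user": user, "exp": (now or time.time()) + 600}
        return params["redirect_uri"] + "?" + urlencode({"code": code, "state": params.get("state", "")})

    def token(self, form, now=None):
        # /token: code and client_secret arrive in the POST body (RFC 6749 section 4.1.3), not in the URL
        rec = self.codes.pop(form.get("code", ""), None)   # pop: a code is exchanged at most once
        client = self.clients.get(form.get("client_id"))
        if (not rec or not client or form.get("grant_type") != "authorization_code"
                or not secrets.compare_digest(client["secret"], form.get("client_secret", ""))
                or rec["client_id"] != form["client_id"] or rec["redirect_uri"] != form.get("redirect_uri")
                or (now or time.time()) > rec["exp"]):
            raise ValueError("invalid_grant")
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = rec["user"]   # what "Validate Token" looks up later
        return {"access_token": access_token, "token_type": "Bearer", "expires_in": 3600}

class ClientApp:  # toy client application; state is the CSRF check that the slide's URL omits
    def __init__(self, client_id, secret, redirect_uri):
        self.client_id, self.secret, self.redirect_uri, self.pending = client_id, secret, redirect_uri, set()

    def auth_url(self, server_base):
        state = secrets.token_urlsafe(16)
        self.pending.add(state)
        return server_base + "/authorize?" + urlencode({"response_type": "code", "client_id": self.client_id,
                                                         "redirect_uri": self.redirect_uri, "scope": "read", "state": state})

    def handle_callback(self, url, server):
        q = query_params(url)
        if q.get("state") not in self.pending:
            raise ValueError("state mismatch")
        self.pending.discard(q["state"])
        return server.token({"grant_type": "authorization_code", "code": q.get("code", ""), "client_id": self.client_id,
                             "client_secret": self.secret, "redirect_uri": self.redirect_uri})
```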
26. OAUTH2: GRANT TYPE IMPLICIT - ANIMATION
Participants: Client Application (client side and server side), Auth Server, Resource server
- Enter credentials: the client application sends the user to the Auth Server:
  https://oauth.example.com/authorize?response_type=token&client_id=CLIENT_ID&redirect_uri=CALLBACK_URL&scope=read
- Auth token in redirect: the Auth Server redirects back with the token in the URL fragment:
  https://yourapp.com/callback#token=ACCESS_TOKEN
- Query Resource With token: the client application calls the Resource server with the token
- Validate Token: the Resource server checks the token
27. OAUTH2: GRANT TYPE – USER PASSWORD - ANIMATION
Participants: Client Application (client side and server side), Auth Server, Resource server
- Send credentials: the client application sends the user's credentials to the Auth Server:
  https://oauth.example.com/authorize?password=PASSWORD&username=USERNAME&client_id=CLIENT_ID
- Auth token in response: the Auth Server returns the token directly
- Query Resource With token: the client application calls the Resource server with the token
- Validate Token: the Resource server checks the token
28. OAUTH2: GRANT TYPE – CLIENT CREDENTIALS
https://oauth.example.com/token?grant_type=client_credentials&client_id=CLIENT_ID&client_secret=CLIENT_SECRET
31. OAUTH2: SUMMARY
Ability to authorize a user for another application
Login separated from business logic
The application can't steal user info
Based on tokens
- Gaps in the specification
- Different implementations in popular services
- High complexity
- Possible performance issues
! Use HTTPS
34. LINKS
HTTP Authentication: Basic and Digest Access Authentication
OAuth2 spec: https://tools.ietf.org/html/rfc6749
JWT spec: https://tools.ietf.org/html/rfc7519
https://vk.com/editapp?act=create
https://vk.com/dev/mobile_apps
https://vk.com/dev/android_sdk
https://jwt.io/introduction/
https://oauth2.thephpleague.com/requirements/ (good description)
https://github.com/andrey-radzkov/tech-talk-oauth2-demo (demo)
Editor's Notes
You have all seen this window in your browser. This is the first version of web authentication/authorization.
We want it integrated into the app design, and we don't want to send the username/password over the network.
Cookie-based, sometimes called forms authentication. Here we have an integrated design.
The login/password is transferred only once, over HTTPS. Then we receive a cookie with the session id and use it. Simple implementation; a lot of frameworks support it by default.
Minuses: we don't control how this session id is generated.
Someone can steal the cookie and spoof the IP address in the IP packet.
What if the app client is not a browser?
Token-based is a reincarnation of Digest: you can control content, encryption and lifetime.
Now, with token-based authorization, it's easier to do authentication between several nodes and with several client types.
Example of a token. Note its size. No username/password, just an encrypted string, sent in a header.
Then, this JSON is Base64Url encoded to form the first part of the JWT.
Payload
The second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically, the user) and additional metadata. There are three types of claims: reserved, public, and private claims.
Reserved claims: These are a set of predefined claims which are not mandatory but recommended, to provide a set of useful, interoperable claims. Some of them are: iss (issuer), exp (expiration time), sub (subject), aud (audience), and others.
Notice that the claim names are only three characters long as JWT is meant to be compact.
Public claims: These can be defined at will by those using JWTs. But to avoid collisions they should be defined in the IANA JSON Web Token Registry or be defined as a URI that contains a collision resistant namespace.
Private claims: These are the custom claims created to share information between parties that agree on using them.
Question: what is wrong?
The signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way.
Can't align :(
What is it? Why? What are its purposes?
It's a protocol for authorization.
It doesn't handle authentication. It describes the flow of data between applications so that they stay secure.
Simple scheme:
- auth request
- get grant from the user
- give the grant to the auth server
- take the token
- use the token for the resource
Authorization code scheme:
- access the resource
- declined
- go to the auth server with a redirect URL
- the auth server shows the login form
- redirect to the URL
- grab the token using the code
If the user clicks "Authorize Application", the service redirects the user-agent to the application redirect URI, which was specified during the client registration, along with an authorization code. The redirect would look something like this
ALLOWS USER TO EDIT INFO ON AUTH SERVER
PAGE FOR CREATION
OPTIONS
Dear listeners, our lecture is coming to an end. We learned a little about OAuth2, and I hope we now understand that it's a flexible way of authorizing your application. It is easy to add SSO, mobile clients and other resources, with no need to completely rewrite it or create "system" users.
Starting your app with OAuth2, you guarantee that as your app grows (scales) and the number of users increases, its security will remain current, modern and durable. Questions?