Chances are sooner or later your shiny new single page application will need authentication. Add some security and resource access control to that list as well. But how can we integrate all of this into a single page application that is entirely public? How can we ensure that our users only have access to the resources they are authorized to by hacking way in via the console? In this talk, the attendees will learn about l JSON Web Tokens (JWT) and see how they can be used to properly secure single page applications.

1. WTH IS A JWT
IT’S NOT PRONOUNCED ‘JOT’

3. WTH IS A JWT
IT’S NOT PRONOUNCED ‘JOT’

4. @joel__lord #AllThingsOpen
WTH IS A JWT
ABOUT ME
@joel__lord
joellord

5. @joel__lord #AllThingsOpen
WTH IS A JWT
SPA BEST PRACTICES

6. @joel__lord #AllThingsOpen
WTH IS A JWT
SPA BEST PRACTICES
▸ …

7. @joel__lord
joellord
All Things Open, Raleigh, NC
October 23th, 2018
THANK YOU

8. @joel__lord #AllThingsOpen

9. @joel__lord #AllThingsOpen
https://myserver.com

10. @joel__lord #AllThingsOpen
https://myserver.com

11. @joel__lord #AllThingsOpen
https://myserver.com User

12. @joel__lord #AllThingsOpen
https://myserver.com User

13. @joel__lord #AllThingsOpen
https://myserver.com User

14. @joel__lord #AllThingsOpen
https://myserver.com User

15. @joel__lord #AllThingsOpen
https://myserver.com User
🔗

16. @joel__lord #AllThingsOpen
https://myserver.com User
🔗
⛔

17. @joel__lord #AllThingsOpen
https://myserver.com User

18. @joel__lord #AllThingsOpen
https://myserver.com User

19. @joel__lord #AllThingsOpen
https://myserver.com User

20. @joel__lord #AllThingsOpen
https://myserver.com User

21. @joel__lord #AllThingsOpen
https://api.myserver.com

22. @joel__lord #AllThingsOpen
https://api.myserver.com https://myapplication.com

23. @joel__lord #AllThingsOpen
https://api.myserver.com https://myapplication.com

24. @joel__lord #AllThingsOpen
https://api.myserver.com https://myapplication.com

25. @joel__lord #AllThingsOpen
https://api.myserver.com https://myapplication.com

26. @joel__lord #AllThingsOpen
https://api.myserver.com https://myapplication.com

27. @joel__lord #AllThingsOpen
https://api.myserver.com https://myapplication.com

28. @joel__lord #AllThingsOpen
https://api.myserver.com https://myapplication.com
❓

29. JSON WEB
TOKENS
INTRODUCING

30. @joel__lord #AllThingsOpen
WTH IS A JWT
JSON WEB TOKENS
▸ JWT's (RFC 7519) are an open
industry standard method for
representing claims securely
between two parties.

31. @joel__lord #AllThingsOpen
WTH IS A JWT
JSON WEB TOKENS
▸ eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp
XVCJ9.eyJzdWIiOjEsInNjb3BlIjoiY
XBpOnJlYWQiLCJ1c2VybmFtZSI6I
mpvZWxsb3JkIiwiaXNzIjoibXktc21
hbGwtYXV0aC1zZXJ2ZXIiLCJhdW
QiOiJteS1yYW5kb20tY2xpY2tiYW
l0LWFwaSIsImlhdCI6MTUzNzg5M
TQyOCwiZXhwIjoxNTM3ODkyMDI
4fQ.gEY3pRSdrnK5VtJI6E9vgada
OQuLNWILBvvGasR4CRk

33. @joel__lord #AllThingsOpen
WTH IS A JWT
A SIMPLE ANALOGY
▸ How is a Drivers License like a JSON Web Token?
▸ eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp
XVCJ9.eyJzdWIiOjEsInNjb3BlIjoiY
XBpOnJlYWQiLCJ1c2VybmFtZSI6I
mpvZWxsb3JkIiwiaXNzIjoibXktc21
hbGwtYXV0aC1zZXJ2ZXIiLCJhdW
QiOiJteS1yYW5kb20tY2xpY2tiYW
l0LWFwaSIsImlhdCI6MTUzNzg5M
TQyOCwiZXhwIjoxNTM3ODkyMDI
4fQ.gEY3pRSdrnK5VtJI6E9vgada
OQuLNWILBvvGasR4CRk

34. @joel__lord #AllThingsOpen
WTH IS A JWT
A SIMPLE ANALOGY
▸ How is a Drivers License like a JSON Web Token?
▸ eyJhbGciOiJIUzI1NiIsInR5cCI6Ikp
XVCJ9.eyJzdWIiOjEsInNjb3BlIjoiY
XBpOnJlYWQiLCJ1c2VybmFtZSI6I
mpvZWxsb3JkIiwiaXNzIjoibXktc21
hbGwtYXV0aC1zZXJ2ZXIiLCJhdW
QiOiJteS1yYW5kb20tY2xpY2tiYW
l0LWFwaSIsImlhdCI6MTUzNzg5M
TQyOCwiZXhwIjoxNTM3ODkyMDI
4fQ.gEY3pRSdrnK5VtJI6E9vgada
OQuLNWILBvvGasR4CRk

35. @joel__lord #AllThingsOpen
WTH IS A JWT
HEADER
▸ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdW
IiOjEsInNjb3BlIjoiYXBpOnJlYWQiLCJ1c2VybmFt
ZSI6ImpvZWxsb3JkIiwiaXNzIjoibXktc21hbGwtY
XV0aC1zZXJ2ZXIiLCJhdWQiOiJteS1yYW5kb20t
Y2xpY2tiYWl0LWFwaSIsImlhdCI6MTUzNzg5MT
QyOCwiZXhwIjoxNTM3ODkyMDI4fQ.gEY3pRSd
rnK5VtJI6E9vgadaOQuLNWILBvvGasR4CRk

36. @joel__lord #AllThingsOpen
WTH IS A JWT
HEADER
▸ Drivers Licence
▸ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdW
IiOjEsInNjb3BlIjoiYXBpOnJlYWQiLCJ1c2VybmFt
ZSI6ImpvZWxsb3JkIiwiaXNzIjoibXktc21hbGwtY
XV0aC1zZXJ2ZXIiLCJhdWQiOiJteS1yYW5kb20t
Y2xpY2tiYWl0LWFwaSIsImlhdCI6MTUzNzg5MT
QyOCwiZXhwIjoxNTM3ODkyMDI4fQ.gEY3pRSd
rnK5VtJI6E9vgadaOQuLNWILBvvGasR4CRk

37. @joel__lord #AllThingsOpen
WTH IS A JWT
HEADER
▸ Drivers Licence
▸ Province of Quebec
▸ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdW
IiOjEsInNjb3BlIjoiYXBpOnJlYWQiLCJ1c2VybmFt
ZSI6ImpvZWxsb3JkIiwiaXNzIjoibXktc21hbGwtY
XV0aC1zZXJ2ZXIiLCJhdWQiOiJteS1yYW5kb20t
Y2xpY2tiYWl0LWFwaSIsImlhdCI6MTUzNzg5MT
QyOCwiZXhwIjoxNTM3ODkyMDI4fQ.gEY3pRSd
rnK5VtJI6E9vgadaOQuLNWILBvvGasR4CRk

38. @joel__lord #AllThingsOpen
WTH IS A JWT
HEADER
▸ eyJhbGciOiJIUzI1NiIsInR5c
CI6IkpXVCJ9
▸ Drivers Licence
▸ Province of Quebec
▸ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdW
IiOjEsInNjb3BlIjoiYXBpOnJlYWQiLCJ1c2VybmFt
ZSI6ImpvZWxsb3JkIiwiaXNzIjoibXktc21hbGwtY
XV0aC1zZXJ2ZXIiLCJhdWQiOiJteS1yYW5kb20t
Y2xpY2tiYWl0LWFwaSIsImlhdCI6MTUzNzg5MT
QyOCwiZXhwIjoxNTM3ODkyMDI4fQ.gEY3pRSd
rnK5VtJI6E9vgadaOQuLNWILBvvGasR4CRk

39. @joel__lord #AllThingsOpen
WTH IS A JWT
HEADER
▸ atob(“eyJhbGciOiJIUzI1NiI
sInR5cCI6IkpXVCJ9”);
▸ Drivers Licence
▸ Province of Quebec
▸ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdW
IiOjEsInNjb3BlIjoiYXBpOnJlYWQiLCJ1c2VybmFt
ZSI6ImpvZWxsb3JkIiwiaXNzIjoibXktc21hbGwtY
XV0aC1zZXJ2ZXIiLCJhdWQiOiJteS1yYW5kb20t
Y2xpY2tiYWl0LWFwaSIsImlhdCI6MTUzNzg5MT
QyOCwiZXhwIjoxNTM3ODkyMDI4fQ.gEY3pRSd
rnK5VtJI6E9vgadaOQuLNWILBvvGasR4CRk

40. @joel__lord #AllThingsOpen
WTH IS A JWT
HEADER
{
"alg": "HS256",
"typ": "JWT"
}
▸ Drivers Licence
▸ Province of Quebec
▸ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdW
IiOjEsInNjb3BlIjoiYXBpOnJlYWQiLCJ1c2VybmFt
ZSI6ImpvZWxsb3JkIiwiaXNzIjoibXktc21hbGwtY
XV0aC1zZXJ2ZXIiLCJhdWQiOiJteS1yYW5kb20t
Y2xpY2tiYWl0LWFwaSIsImlhdCI6MTUzNzg5MT
QyOCwiZXhwIjoxNTM3ODkyMDI4fQ.gEY3pRSd
rnK5VtJI6E9vgadaOQuLNWILBvvGasR4CRk

41. @joel__lord #AllThingsOpen
WTH IS A JWT
PAYLOAD
▸ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdW
IiOjEsInNjb3BlIjoiYXBpOnJlYWQiLCJ1c2VybmFt
ZSI6ImpvZWxsb3JkIiwiaXNzIjoibXktc21hbGwtY
XV0aC1zZXJ2ZXIiLCJhdWQiOiJteS1yYW5kb20t
Y2xpY2tiYWl0LWFwaSIsImlhdCI6MTUzNzg5MT
QyOCwiZXhwIjoxNTM3ODkyMDI4fQ.gEY3pRSd
rnK5VtJI6E9vgadaOQuLNWILBvvGasR4CRk

42. @joel__lord #AllThingsOpen
WTH IS A JWT
PAYLOAD
▸ Picture
▸ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdW
IiOjEsInNjb3BlIjoiYXBpOnJlYWQiLCJ1c2VybmFt
ZSI6ImpvZWxsb3JkIiwiaXNzIjoibXktc21hbGwtY
XV0aC1zZXJ2ZXIiLCJhdWQiOiJteS1yYW5kb20t
Y2xpY2tiYWl0LWFwaSIsImlhdCI6MTUzNzg5MT
QyOCwiZXhwIjoxNTM3ODkyMDI4fQ.gEY3pRSd
rnK5VtJI6E9vgadaOQuLNWILBvvGasR4CRk

43. @joel__lord #AllThingsOpen
WTH IS A JWT
PAYLOAD
▸ Picture
▸ Name
▸ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdW
IiOjEsInNjb3BlIjoiYXBpOnJlYWQiLCJ1c2VybmFt
ZSI6ImpvZWxsb3JkIiwiaXNzIjoibXktc21hbGwtY
XV0aC1zZXJ2ZXIiLCJhdWQiOiJteS1yYW5kb20t
Y2xpY2tiYWl0LWFwaSIsImlhdCI6MTUzNzg5MT
QyOCwiZXhwIjoxNTM3ODkyMDI4fQ.gEY3pRSd
rnK5VtJI6E9vgadaOQuLNWILBvvGasR4CRk

44. @joel__lord #AllThingsOpen
WTH IS A JWT
PAYLOAD
▸ Picture
▸ Name
▸ Date of Birth
▸ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdW
IiOjEsInNjb3BlIjoiYXBpOnJlYWQiLCJ1c2VybmFt
ZSI6ImpvZWxsb3JkIiwiaXNzIjoibXktc21hbGwtY
XV0aC1zZXJ2ZXIiLCJhdWQiOiJteS1yYW5kb20t
Y2xpY2tiYWl0LWFwaSIsImlhdCI6MTUzNzg5MT
QyOCwiZXhwIjoxNTM3ODkyMDI4fQ.gEY3pRSd
rnK5VtJI6E9vgadaOQuLNWILBvvGasR4CRk

45. @joel__lord #AllThingsOpen
WTH IS A JWT
PAYLOAD
▸ Picture
▸ Name
▸ Date of Birth
▸ Restrictions
▸ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdW
IiOjEsInNjb3BlIjoiYXBpOnJlYWQiLCJ1c2VybmFt
ZSI6ImpvZWxsb3JkIiwiaXNzIjoibXktc21hbGwtY
XV0aC1zZXJ2ZXIiLCJhdWQiOiJteS1yYW5kb20t
Y2xpY2tiYWl0LWFwaSIsImlhdCI6MTUzNzg5MT
QyOCwiZXhwIjoxNTM3ODkyMDI4fQ.gEY3pRSd
rnK5VtJI6E9vgadaOQuLNWILBvvGasR4CRk

46. @joel__lord #AllThingsOpen
WTH IS A JWT
PAYLOAD
eyJzdWIiOjEsInNjb3BlIjoiYXBpOnJlYWQiL
CJ1c2VybmFtZSI6ImpvZWxsb3JkIiwiaXNzI
joibXktc21hbGwtYXV0aC1zZXJ2ZXIiLCJhd
WQiOiJteS1yYW5kb20tY2xpY2tiYWl0LWF
waSIsImlhdCI6MTUzNzg5MTQyOCwiZXhw
IjoxNTM3ODkyMDI4fQ
▸ Picture
▸ Name
▸ Date of Birth
▸ Restrictions
▸ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdW
IiOjEsInNjb3BlIjoiYXBpOnJlYWQiLCJ1c2VybmFt
ZSI6ImpvZWxsb3JkIiwiaXNzIjoibXktc21hbGwtY
XV0aC1zZXJ2ZXIiLCJhdWQiOiJteS1yYW5kb20t
Y2xpY2tiYWl0LWFwaSIsImlhdCI6MTUzNzg5MT
QyOCwiZXhwIjoxNTM3ODkyMDI4fQ.gEY3pRSd
rnK5VtJI6E9vgadaOQuLNWILBvvGasR4CRk

47. @joel__lord #AllThingsOpen
WTH IS A JWT
PAYLOAD
atob(“eyJzdWIiOjEsInNjb3BlIjoiYXBpOnJlY
WQiLCJ1c2VybmFtZSI6ImpvZWxsb3JkIiwi
aXNzIjoibXktc21hbGwtYXV0aC1zZXJ2ZXIi
LCJhdWQiOiJteS1yYW5kb20tY2xpY2tiYW
l0LWFwaSIsImlhdCI6MTUzNzg5MTQyOCw
iZXhwIjoxNTM3ODkyMDI4fQ”);
▸ Picture
▸ Name
▸ Date of Birth
▸ Restrictions
▸ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdW
IiOjEsInNjb3BlIjoiYXBpOnJlYWQiLCJ1c2VybmFt
ZSI6ImpvZWxsb3JkIiwiaXNzIjoibXktc21hbGwtY
XV0aC1zZXJ2ZXIiLCJhdWQiOiJteS1yYW5kb20t
Y2xpY2tiYWl0LWFwaSIsImlhdCI6MTUzNzg5MT
QyOCwiZXhwIjoxNTM3ODkyMDI4fQ.gEY3pRSd
rnK5VtJI6E9vgadaOQuLNWILBvvGasR4CRk

48. @joel__lord #AllThingsOpen
WTH IS A JWT
PAYLOAD
{
"sub": 1,
"scope": "api:read",
"username": "joellord",
"iss": "my-small-auth-server",
"aud": "my-random-clickbait-api",
"iat": 1537891428,
"exp": 1537892028
}
▸ Picture
▸ Name
▸ Date of Birth
▸ Restrictions
▸ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdW
IiOjEsInNjb3BlIjoiYXBpOnJlYWQiLCJ1c2VybmFt
ZSI6ImpvZWxsb3JkIiwiaXNzIjoibXktc21hbGwtY
XV0aC1zZXJ2ZXIiLCJhdWQiOiJteS1yYW5kb20t
Y2xpY2tiYWl0LWFwaSIsImlhdCI6MTUzNzg5MT
QyOCwiZXhwIjoxNTM3ODkyMDI4fQ.gEY3pRSd
rnK5VtJI6E9vgadaOQuLNWILBvvGasR4CRk

49. @joel__lord #AllThingsOpen
WTH IS A JWT
SIGNATURE
▸ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdW
IiOjEsInNjb3BlIjoiYXBpOnJlYWQiLCJ1c2VybmFt
ZSI6ImpvZWxsb3JkIiwiaXNzIjoibXktc21hbGwtY
XV0aC1zZXJ2ZXIiLCJhdWQiOiJteS1yYW5kb20t
Y2xpY2tiYWl0LWFwaSIsImlhdCI6MTUzNzg5MT
QyOCwiZXhwIjoxNTM3ODkyMDI4fQ.gEY3pRSd
rnK5VtJI6E9vgadaOQuLNWILBvvGasR4CRk

50. @joel__lord #AllThingsOpen
WTH IS A JWT
SIGNATURE
▸ Holograms
▸ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdW
IiOjEsInNjb3BlIjoiYXBpOnJlYWQiLCJ1c2VybmFt
ZSI6ImpvZWxsb3JkIiwiaXNzIjoibXktc21hbGwtY
XV0aC1zZXJ2ZXIiLCJhdWQiOiJteS1yYW5kb20t
Y2xpY2tiYWl0LWFwaSIsImlhdCI6MTUzNzg5MT
QyOCwiZXhwIjoxNTM3ODkyMDI4fQ.gEY3pRSd
rnK5VtJI6E9vgadaOQuLNWILBvvGasR4CRk

51. @joel__lord #AllThingsOpen
WTH IS A JWT
SIGNATURE
▸ Holograms
▸ Signature
▸ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdW
IiOjEsInNjb3BlIjoiYXBpOnJlYWQiLCJ1c2VybmFt
ZSI6ImpvZWxsb3JkIiwiaXNzIjoibXktc21hbGwtY
XV0aC1zZXJ2ZXIiLCJhdWQiOiJteS1yYW5kb20t
Y2xpY2tiYWl0LWFwaSIsImlhdCI6MTUzNzg5MT
QyOCwiZXhwIjoxNTM3ODkyMDI4fQ.gEY3pRSd
rnK5VtJI6E9vgadaOQuLNWILBvvGasR4CRk

52. @joel__lord #AllThingsOpen
WTH IS A JWT
SIGNATURE
gEY3pRSdrnK5VtJI6E9vgada
OQuLNWILBvvGasR4CRk
▸ Holograms
▸ Signature
▸ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdW
IiOjEsInNjb3BlIjoiYXBpOnJlYWQiLCJ1c2VybmFt
ZSI6ImpvZWxsb3JkIiwiaXNzIjoibXktc21hbGwtY
XV0aC1zZXJ2ZXIiLCJhdWQiOiJteS1yYW5kb20t
Y2xpY2tiYWl0LWFwaSIsImlhdCI6MTUzNzg5MT
QyOCwiZXhwIjoxNTM3ODkyMDI4fQ.gEY3pRSd
rnK5VtJI6E9vgadaOQuLNWILBvvGasR4CRk

53. @joel__lord #AllThingsOpen
WTH IS A JWT
SIGNATURE
HMACSHA256(
`${header}.${payload}`,
“mysupersecret”
);
▸ Holograms
▸ Signature
▸ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdW
IiOjEsInNjb3BlIjoiYXBpOnJlYWQiLCJ1c2VybmFt
ZSI6ImpvZWxsb3JkIiwiaXNzIjoibXktc21hbGwtY
XV0aC1zZXJ2ZXIiLCJhdWQiOiJteS1yYW5kb20t
Y2xpY2tiYWl0LWFwaSIsImlhdCI6MTUzNzg5MT
QyOCwiZXhwIjoxNTM3ODkyMDI4fQ.gEY3pRSd
rnK5VtJI6E9vgadaOQuLNWILBvvGasR4CRk

54. @joel__lord #AllThingsOpen
WTH IS A JWT
SIGNATURE
HMACSHA256(
`${header}.${payload}`,
“mysupersecret”
);
▸ Holograms
▸ Signature
▸ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdW
IiOjEsInNjb3BlIjoiYXBpOnJlYWQiLCJ1c2VybmFt
ZSI6ImpvZWxsb3JkIiwiaXNzIjoibXktc21hbGwtY
XV0aC1zZXJ2ZXIiLCJhdWQiOiJteS1yYW5kb20t
Y2xpY2tiYWl0LWFwaSIsImlhdCI6MTUzNzg5MT
QyOCwiZXhwIjoxNTM3ODkyMDI4fQ.gEY3pRSd
rnK5VtJI6E9vgadaOQuLNWILBvvGasR4CRk

55. @joel__lord #AllThingsOpen
WTH IS A JWT
SIGNATURE
HMACSHA256(
`${header}.${payload}`,
“mysupersecret”
);
▸ Holograms
▸ Signature
▸ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdW
IiOjEsInNjb3BlIjoiYXBpOnJlYWQiLCJ1c2VybmFt
ZSI6ImpvZWxsb3JkIiwiaXNzIjoibXktc21hbGwtY
XV0aC1zZXJ2ZXIiLCJhdWQiOiJteS1yYW5kb20t
Y2xpY2tiYWl0LWFwaSIsImlhdCI6MTUzNzg5MT
QyOCwiZXhwIjoxNTM3ODkyMDI4fQ.gEY3pRSd
rnK5VtJI6E9vgadaOQuLNWILBvvGasR4CRk

56. @joel__lord #AllThingsOpen
WTH IS A JWT
A TOKEN WALKS INTO A BAR

57. @joel__lord #AllThingsOpen
WTH IS A JWT
A TOKEN WALKS INTO A BAR
📝

58. @joel__lord #AllThingsOpen
WTH IS A JWT
A TOKEN WALKS INTO A BAR
📝

59. @joel__lord #AllThingsOpen
WTH IS A JWT
A TOKEN WALKS INTO A BAR
📝

60. @joel__lord #AllThingsOpen
WTH IS A JWT
A TOKEN WALKS INTO A BAR
📝

61. @joel__lord #AllThingsOpen
WTH IS A JWT
A TOKEN WALKS INTO A BAR
📝
👍

62. @joel__lord #AllThingsOpen
WTH IS A JWT
A TOKEN WALKS INTO A BAR

63. @joel__lord #AllThingsOpen
WTH IS A JWT
A TOKEN WALKS INTO A BAR
💰

64. @joel__lord #AllThingsOpen
WTH IS A JWT
A TOKEN WALKS INTO A BAR
💰

65. @joel__lord #AllThingsOpen
WTH IS A JWT
A TOKEN WALKS INTO A BAR
💰

66. @joel__lord #AllThingsOpen
WTH IS A JWT
A TOKEN WALKS INTO A BAR
💰
✋

67. DEMO

68. @joel__lord #AllThingsOpen
https://api.myserver.com https://myapplication.com

69. @joel__lord #AllThingsOpen
https://api.myserver.com https://myapplication.com
/api/cats
🔗

70. @joel__lord #AllThingsOpen
https://api.myserver.com https://myapplication.com
/api/book
🔗
✋

71. @joel__lord #AllThingsOpen
https://api.myserver.com https://myapplication.com
/api/cats
🔗

72. @joel__lord #AllThingsOpen

73. @joel__lord #AllThingsOpen
https://api.myserver.com

74. @joel__lord #AllThingsOpen
https://api.myserver.com https://myapplication.com

75. @joel__lord #AllThingsOpen
https://api.myserver.com https://myapplication.com https://login.myserver.com

76. @joel__lord #AllThingsOpen

77. @joel__lord #AllThingsOpen
/authorize

78. @joel__lord #AllThingsOpen
/authorize

79. @joel__lord #AllThingsOpen

80. @joel__lord #AllThingsOpen
/api/cats

81. @joel__lord #AllThingsOpen
/api/cats

82. @joel__lord #AllThingsOpen
/api/cats

83. @joel__lord #AllThingsOpen
WTH IS A JWT
SENDING THE TOKEN TO THE API
▸ Using Axios

84. @joel__lord #AllThingsOpen
WTH IS A JWT
SENDING THE TOKEN TO THE API
▸ Using Fetch

85. @joel__lord #AllThingsOpen
WTH IS A JWT
SENDING THE TOKEN TO THE API

86. @joel__lord #AllThingsOpen
❓

87. @joel__lord #AllThingsOpen

88. @joel__lord #AllThingsOpen
/authorize

89. @joel__lord #AllThingsOpen
/authorize

90. @joel__lord #AllThingsOpen

91. @joel__lord #AllThingsOpen
🔄

92. @joel__lord #AllThingsOpen

93. @joel__lord #AllThingsOpen

94. @joel__lord #AllThingsOpen

95. @joel__lord #AllThingsOpen

96. @joel__lord #AllThingsOpen

97. @joel__lord #AllThingsOpen
WTH IS A JWT
“SECURING” YOUR SPA
▸ You can never completely secure your front-end using
JWTs
▸ You can “hide” some routes

98. @joel__lord #AllThingsOpen
WTH IS A JWT
“SECURING” YOUR SPA

99. @joel__lord #AllThingsOpen
WTH IS A JWT
“SECURING” YOUR SPA

100. @joel__lord #AllThingsOpen
WTH IS A JWT
“SECURING” YOUR SPA

101. @joel__lord #AllThingsOpen
WTH IS A JWT
“SECURING” YOUR SPA

102. @joel__lord #AllThingsOpen
WTH IS A JWT
“SECURING” YOUR SPA

103. @joel__lord #AllThingsOpen
WTH IS A JWT
“SECURING” YOUR SPA

104. @joel__lord #AllThingsOpen
WTH IS A JWT
“SECURING” YOUR SPA

105. @joel__lord #AllThingsOpen
WTH IS A JWT
“SECURING” YOUR SPA

106. @joel__lord #AllThingsOpen
WTH IS A JWT
“SECURING” YOUR SPA

107. @joel__lord #AllThingsOpen
WTH IS A JWT
“SECURING” YOUR SPA

108. @joel__lord #AllThingsOpen
WTH IS A JWT
“SECURING” YOUR SPA

109. @joel__lord #AllThingsOpen
WTH IS A JWT
“SECURING” YOUR SPA

110. @joel__lord #AllThingsOpen

111. @joel__lord #AllThingsOpen

112. @joel__lord #AllThingsOpen

113. @joel__lord #AllThingsOpen

114. @joel__lord #AllThingsOpen

115. @joel__lord #AllThingsOpen

116. @joel__lord #AllThingsOpen

117. @joel__lord #AllThingsOpen

118. @joel__lord #AllThingsOpen
)

119. @joel__lord #AllThingsOpen
WTH IS A JWT
RESOURCES
▸ General JWT resource
▸ jwt.io

120. @joel__lord #AllThingsOpen
WTH IS A JWT
RESOURCES
▸ General JWT resource
▸ jwt.io
▸ Overview of JWT Signing Algorithms
▸ bit.ly/jwt-alg

121. @joel__lord #AllThingsOpen
WTH IS A JWT
RESOURCES
▸ General JWT resource
▸ jwt.io
▸ Overview of JWT Signing Algorithms
▸ bit.ly/jwt-alg
▸ JWT Handbook
▸ bit.ly/jwt-book

122. @joel__lord #AllThingsOpen
WTH IS A JWT
SUMMARY
▸ Single Page Application security is mainly concerned
with authorization.

123. @joel__lord #AllThingsOpen
WTH IS A JWT
SUMMARY
▸ Single Page Application security is mainly concerned
with authorization.
▸ JSON Web Tokens are excellent for securing SPA
applications.

124. @joel__lord #AllThingsOpen
WTH IS A JWT
SUMMARY
▸ Single Page Application security is mainly concerned
with authorization.
▸ JSON Web Tokens are excellent for securing SPA
applications.
▸ Many excellent JWT Libraries exist for all languages and
frameworks.

125. @joel__lord
joellord
All Things Open, Raleigh, NC
October 23rd, 2018
THANK YOU

127. TEXT

128. TEXT