
Micro Web Service - Slim and JWT

Published in: Technology

  1. Micro Webservice Framework: Slim Framework and JSON Web Token (JWT)
  2. Slim Framework: Welcome
     Slim is a PHP micro framework that helps you quickly write simple yet powerful web applications and APIs. At its core, Slim is a dispatcher that receives an HTTP request, invokes an appropriate callback routine, and returns an HTTP response. That's it.
     Why use Slim?
     ● RESTful framework available
     ● Good documentation
     ● Provides what this kind of micro framework should have and nothing more
     ● Very large following
     ● Easy to learn
  3. Slim Framework: core concepts
     ● PSR 7 and value objects: the PSR 7 interfaces provide the methods used to transform Request and Response objects
     ● Dependency container: Slim uses a dependency container to prepare, manage, and inject application dependencies
     ● Middleware: you can run code before and after your Slim application to manipulate the Request and Response objects as you see fit. This is called middleware.
     ● Request and Response: when you build a Slim app, you are often working directly with Request and Response objects. These objects represent the actual HTTP request received by the web server and the eventual HTTP response returned to the client.
  4. Slim Framework: Why should you want to use middleware?
     ● Protect your app (XSS)
     ● Authenticate
     ● API logging
  5. Slim Framework: Request and Response
     Request
     ● Methods: GET, POST, PUT, DELETE, HEAD, PATCH, OPTIONS
     ● URI: host, port, path...
     ● Headers: Accept...
     ● Body content
     ● Character set, content length
     Response
     ● Status: 200, 204, 422, 404, 500...
     ● Headers: append, set, detect...
     ● Body: size, content
  6. JSON Web Token: What is a JSON Web Token?
     ● JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way of securely transmitting information between parties as a JSON object.
     ● This information can be verified and trusted because it is digitally signed.
     When should you use JSON Web Tokens?
     ● Authentication: once the user is logged in, each subsequent request will include the JWT
     ● Information exchange: JWTs are a good way of securely transmitting information between parties
  7. JSON Web Token: What is the JSON Web Token structure?
     ● Header: the header typically consists of two parts:
       ○ The type of the token (JWT)
       ○ The signing algorithm (HMAC SHA256, RSA...)
     ● Payload: contains three types of claims
       ○ Reserved: iss (issuer), exp (expiration), sub (subject)...
       ○ Public: these can be defined at will by those using JWTs
       ○ Private: information shared between the parties
     ● Signature: computed over
       ○ The encoded header
       ○ The encoded payload
       ○ A secret
       ○ The algorithm named in the header, which is used to sign
  8. JSON Web Token: Putting it all together
     ● The output is three Base64 strings separated by dots
     ● The claims body is the best part! It can tell:
  9. JSON Web Token: How do JSON Web Tokens work?
     ● In authentication, when the user successfully logs in using their credentials, a JWT will be returned and must be saved locally (local storage, but cookies can also be used)
     ● In authorization, whenever the user wants to access a protected route or resource, the client should send the JWT, typically in the Authorization header
     ● This is a stateless authentication mechanism, as the user state is never saved in the server memory
     ● As JWTs are self-contained, all the necessary information is there (reducing the need to go back to the database)
  10. JSON Web Token: Why should we use JWT?
  11. JSON Web Token: What are we most concerned about?
     ● Sessions: every time a user is authenticated, the server will need to create a record somewhere on our server
     ● Stateless: NOT storing any information about our user on the server
     ● Scalability: since sessions are stored in memory, this causes problems with scalability (replicating servers)
     ● CORS (Cross-Origin Resource Sharing): AJAX calls from another domain (mobile devices)... problems with forbidden requests
     ● CSRF (Cross-Site Request Forgery): execute unwanted actions
     ● Compatibility: mobile, and easy to use for a public API
     ● Transmission: size, local storage, when...?
  12. JSON Web Token: Cookies vs. JWT
     | Cookies                                                      | JWT                                                       |
     |--------------------------------------------------------------|-----------------------------------------------------------|
     | Typically very small (4k hard limit)                         | Can get larger depending on info stored (8k soft limit)   |
     | Sent with every request to the domain                        | Only sent when necessary                                  |
     | Cookie-specific storage                                      | LocalStorage or SessionStorage                            |
     | Very difficult across domains                                | Works from any domain                                     |
     | Subject to CSRF attacks                                      | Not subject to CSRF                                       |
     | Less support for mobile, can't use for external API requests | Standard for mobile auth, easy to use for a public API    |
     | Contains a session id                                        | Contains verified user information                        |
     | Requires a database lookup on every request                  | No db lookups required                                    |
     | Server-side sessions (requests have to hit the same server)  | State is stored on the client                             |
     | Scaling difficult                                            | Scales easily                                             |
  13. JSON Web Token: JWT things to remember
     ● Base64 is NOT secure
     ● Encrypt sensitive info
     ● Use the best claims body (iss, exp, sub, jti, iat...)
     ● Keep your secret key SECRET
  14. JSON Web Token: References
     ● http://jwt.io/introduction/
     ● https://scotch.io/tutorials/the-ins-and-outs-of-token-based-authentication
     ● http://www.slideshare.net/derekperkins/authentication-cookies-vs-jwts-and-why-youre-doing-it-wrong
     ● https://stormpath.com/blog/jwt-the-right-way/
     ● http://www.slideshare.net/stormpath/securing-web-applications-with-token-authentication
     ● http://www.slimframework.com/docs/
  15. Ho Chi Minh City · vdt.hutech@gmail · tuyenvuong.info · facebook.com/tuyendinhvuong · twitter.com/tuyendinhvuong
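As an added example that is not part of the deck: a Slim 3 style middleware (the ($request, $response, $next) signature of that version) doing what slides 3, 9 and 13 describe together: read the JWT from the Authorization header, verify the HS256 signature against the secret in constant time, check exp, and hand the verified claims to the route. It assumes an existing $app (new \Slim\App), Slim 3's withJson() response helper, and a JWT_SECRET environment variable; the helper names are mine.

```php
<?php
// Added example, not code from the deck. Assumes Slim 3 middleware signature,
// Slim 3's Response::withJson(), an existing $app and a JWT_SECRET env var.
use Psr\Http\Message\ServerRequestInterface as Request;
use Psr\Http\Message\ResponseInterface as Response;

// JWT parts are base64url without padding (RFC 7515); restore alphabet and padding.
function base64UrlDecode(string $data): string
{
    $pad = str_repeat('=', (4 - strlen($data) % 4) % 4);
    return base64_decode(strtr($data, '-_', '+/') . $pad, true) ?: '';
}

// Return the claims of a valid HS256 token, or null if anything is off:
// wrong shape, header not pinned to HS256, bad signature, or expired.
function verifyHs256(string $jwt, string $secret): ?array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;
    $header = json_decode(base64UrlDecode($h), true);
    $claims = json_decode(base64UrlDecode($p), true);
    if (!is_array($header) || !is_array($claims) || ($header['alg'] ?? '') !== 'HS256') {
        return null; // only accept the algorithm we sign with, never what the token asks for
    }
    // Signature = HMAC-SHA256(secret, encodedHeader . "." . encodedPayload)
    $expected = hash_hmac('sha256', "$h.$p", $secret, true);
    if (!hash_equals($expected, base64UrlDecode($s))) {
        return null; // hash_equals is constant time; mismatch means tampered or wrong key
    }
    if (isset($claims['exp']) && time() >= (int) $claims['exp']) {
        return null; // expired: exp is seconds since the epoch
    }
    return $claims;
}

// "Keep your secret key SECRET": load it from the environment, refuse to run without it.
$secret = getenv('JWT_SECRET');
if ($secret === false || $secret === '') {
    throw new RuntimeException('JWT_SECRET is not set');
}

$app->add(function (Request $request, Response $response, callable $next) use ($secret) {
    $auth = $request->getHeaderLine('Authorization');
    $claims = preg_match('/^Bearer\s+(\S+)$/i', $auth, $m) ? verifyHs256($m[1], $secret) : null;
    if ($claims === null) {
        return $response->withStatus(401)->withJson(['error' => 'invalid or missing token']);
    }
    return $next($request->withAttribute('jwt', $claims), $response); // claims reach the route
});
```

Route callbacks read the verified claims with $request->getAttribute('jwt') and never need to re-parse the token.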
