JSON Web Token API Authorization
API
Authorization
JWT
@liuggio
JWT
ISN’T
Java Web Tool...
JSON WEB TOKEN
JSON WEB TOKEN
is trendy !!!
google, microsoft and many others...
Authentication IS NOT Authorization
Authentication = hotel reception
Authorization = Key of the room
Cool
it ships information
that can be verified
and trusted
with a digital signature.
Coooool
JWT allows the server to verify the information contained in the JWT
without necessarily storing state on the server
NO STATE!!!
NO MORE COOKIEs
COOKIEs ARE BAD
OLD SCHOOL WITH SESSION STORAGE
[diagram: a web server has its own session storage; once there are many web servers, every one of them needs that session storage, which is difficult to scale]
JSON WEB TOKEN
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOjEyMzQ1Njc4OTAsIm5hbWUiOiJKb2huIERvZSIsImFkbWluIjp0cnVlfQ.eoaDVGTClRdfxUZXiPs3f8FmJDkDE_VCQFXqKxpLsts
Header . Claims . JSON Web Signature (JWS)
JSON WEB TOKEN
HEADER
{
    "alg": "HS256",
    "typ": "JWT"
}
CLAIMS
{
    "id": 1234567890,
    "name": "John Doe",
    "admin": true
}
header = {
    "alg": "HS256"
}
claims = {
    "api_id": "debugger",
    "exp": 1451606400,
    "bha": "c23543fd68fe6c8b82691ab2b402f423"
}
// the HMAC output is raw bytes; it is base64url-encoded before it becomes the third part of the token
signed = base64UrlEncode(HMACSHA256(
    base64UrlEncode(header) + "." + base64UrlEncode(claims),
    "secret"
))
token = base64UrlEncode(header) + "." + base64UrlEncode(claims) + "." + signed
HTTP REQUEST
curl -X POST http://pugporn.com \
  -H 'Authorization: BEARER eyJhbGciOiJIUzI1NiJ9.eyJhcGlfaWQiOiJkZWJ1Z2dlciIsImV4cCI6MTQ1MTYwNjQwMCwiYmhhIjoiYzIzNTQzZmQ2OGZlNmM4YjgyNjkxYWIyYjQwMmY0MjMifQ.yC0qeyxTy_QfMBhoHdAq68KIDOaqFCJNHf6g9HBD4z8' \
  -H 'Content-Type: application/json' \
  -d 'your data'
JWT and API GOAL
1. Authorize the request
2. Verify the sender
3. Avoid man-in-the-middle
4. Expiration
5. Request cloning
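As an added example (not code from the deck), a working Python version of the signing pseudocode above, together with the server-side checks the goals list asks for: a pinned algorithm, a constant-time signature comparison, exp checked against the server clock, and the token bound to the request body. The claim names api_id, exp and bha come from the deck; that bha is a digest of the request body is an assumption, and SHA-256 is used for it here.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"secret"  # the deck's demo key; a real key must be long, random and server-side only

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")  # JWS: no '=' padding

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def body_hash(body: bytes) -> str:
    # Assumed meaning of the deck's "bha" claim: a digest of the request body (SHA-256 here)
    return hashlib.sha256(body).hexdigest()

def sign_hs256(claims: dict, key: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_hs256(token: str, key: bytes, body: bytes, now: int):
    # Returns (claims, "ok") when the token authorizes this request, else (None, reason)
    parts = token.split(".")
    if len(parts) != 3 or not token.isascii():
        return None, "malformed token"
    h_b64, c_b64, s_b64 = parts
    try:
        header, claims, sig = json.loads(b64url_decode(h_b64)), json.loads(b64url_decode(c_b64)), b64url_decode(s_b64)
    except ValueError:  # bad base64, bad JSON or undecodable bytes
        return None, "malformed token"
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return None, "malformed token"
    # Pin the algorithm server-side: the token header must not choose how it is verified
    if header.get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(key, f"{h_b64}.{c_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time, no timing leak
        return None, "bad signature"
    # Expiration (goal 4): exp is seconds since the epoch, checked against the server clock
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None, "expired"
    # Body binding (goal 5): the token only authorizes the exact body it was issued for
    if not hmac.compare_digest(str(claims.get("bha", "")).encode(), body_hash(body).encode()):
        return None, "body hash mismatch"
    return claims, "ok"
```

The deck's exp value 1451606400 is 2016-01-01 00:00:00 UTC, so a request verified one second earlier passes and one verified at that instant is rejected.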
Advantages 1/3
● Cross-domain / CORS: cookies + CORS don't play well across different domains.
● Stateless (a.k.a. server-side scalability): there is no need to keep a session store; the token is a self-contained entity that conveys all the user information. The rest of the state lives in cookies or local storage on the client side.
● CDN: you can serve all the assets of your app from a CDN (e.g. javascript, HTML,
images, etc.), and your server side is just the API.
Advantages 2/3
● Mobile ready: when you start working on a native platform cookies are not
ideal when consuming a secure API (you have to deal with cookie containers).
● CSRF: since you are not relying on cookies, you don't need to protect against cross-site requests.
● Performance: we are not presenting any hard perf benchmarks here, but a
network roundtrip (e.g. finding a session on database) is likely to take more
time than calculating an HMACSHA256 to validate a token and parsing its
contents.
Advantages 3/3
● Functional tests, you don't need to handle any special case for login.
● Standard-based: your API could accept a standard JSON Web Token (JWT). This is a standard, and there are multiple backend libraries (.NET, Ruby, Java, Python, PHP) and companies backing their infrastructure with it.
● Decoupling: you are not tied to a particular authentication scheme.
The token might be generated anywhere, hence your API can be
called from anywhere with a single way of authenticating those calls.
References
Tools
http://jwt.io/
http://www.timestampgenerator.com/1451606400/#result
Related articles
https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/
https://developer.atlassian.com/static/connect/docs/concepts/understanding-jwt.html
https://developers.google.com/wallet/instant-buy/about-jwts
http://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html
RFC
JWT: http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html
JOSE: https://tools.ietf.org/wg/jose/
VIDEO
José Padilla: https://www.youtube.com/watch?v=825hodQ61bg
Travis Spencer: https://www.youtube.com/watch?v=E6o3IKcQABY
@LIUGGIO
LOVEs PUG_ROMA


Editor's Notes

  • #4 JSON Web Token (JWT) is a useful standard becoming more prevalent, because it sends information that can be verified and trusted with a digital signature. In their most basic form, JWTs allow you to sign information (referred to as claims) with a signature and can be verified at a later time with a secret signing key. The spec is also designed with more advanced features that help against man-in-the-middle and replay attacks. Why Are JWTs Important? They handle some of the problems with information passed from a client to a server. JWT allows the server to verify the information contained in the JWT without necessarily storing state on the server. As a trend, we are seeing more and more SaaS products include JWT integrations as a feature or using JWT in their product directly. Stormpath has always followed secure best practices for JWTs, in several parts of our stack, so we want to share some best practices for using JWT the right way.