JWT: To infinity & beyond! (authentication), Luís Cobucci (@lcobucci)

JWT - To authentication and beyond!


JWT: To infinity & beyond!

authentication

Luís Cobucci (@lcobucci)

Do you use Tokens?

If we...

ID, please

401 Unauthorized

Challenges ahead!

Min date?

Expiration?

Storage?

We need it SIMPLE!

JOSE: JSON Object Signing and Encryption

JOSE covers: JWT (JSON Web Token), JWA (JSON Web Algorithms), JWS (JSON Web Signature), JWK (JSON Web Key), JWE (JSON Web Encryption)

JWT

headers: { "typ": "JWT", "alg": "none" }

claims: { "user": { "id": 1, "name": "Luís Cobucci" } }

JWT = Base64URL(headers) + "." + Base64URL(claims) + "."

Base64URL: standard Base64 with "+" → "-", "/" → "_", and the "=" padding removed

URL safe!

JWT (unsigned, alg "none")

headers: { "typ": "JWT", "alg": "none" }

claims: { "user": { "id": 1, "name": "Luís Cobucci" } }

eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJ1c2VyIjp7ImlkIjoxLCJuYW1lIjoiTHXDrXMgQ29idWNjaSJ9fQ.

Can you trust it?

JWS

payload = Base64URL(headers) + "." + Base64URL(claims)

JWS

signature = alg(payload, key)

JWS + JWA: alg is one of the JWA algorithms, e.g. HMAC with SHA-256/384/512 (HS256, HS384, HS512), RSASSA-PKCS1-v1_5 with SHA-256/384/512 (RS256, RS384, RS512), and more...

JWT + JWS = Base64URL(headers) + "." + Base64URL(claims) + "." + Base64URL(signature)

JWT + JWS

headers: { "typ": "JWS", "alg": "HS256" }

claims: { "user": { "id": 1, "name": "Luís Cobucci" } }

key: Hello JWT+JWS!

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyJ9.eyJ1c2VyIjp7ImlkIjoxLCJuYW1lIjoiTHXDrXMgQ29idWNjaSJ9fQ.VTYdu2yNuEToLD00A0Gpb4vMRF5cme-dzOXgjByhGss

Basic example: Client (Single Page App) and API

Both sides hold the same key: with HMAC (HS256) the secret that signs the token is the secret that verifies it, so every service that can verify can also issue.

Going further: Client (Single Page App), Proxy, Auth, Collection, Borrowing

Auth holds the private key and issues the tokens; Proxy, Collection and Borrowing hold only the public key, so they can verify tokens but cannot issue them.

Security? A signature proves who issued the token, but the claims are only Base64URL-encoded and readable by anyone who holds it. Need confidentiality? JWE!

OAuth and JWT: enemies?

No. JWT is a token format, OAuth is an authorization framework: "I can be used with anything!"

References

https://datatracker.ietf.org/wg/jose/documents/

https://securityblog.redhat.com/2015/04/01/jose-json-object-signing-and-encryption/

http://jwt.io/

http://github.com/lcobucci/jwt

Thanks! @lcobucci