What does it cost us to build AAA (authentication, authorization, accounting)?
Oleksii Petrov
Skelia Ukraine / ETWater
System Architect
Team Lead
PHP Developer
@alexhelkar
alexhelkar
https://github.com/alexhelkar
As a
Coffee shop owner
In order to
Give discounts to returning customers
I want to
Earn more money
(2008)
Payload (Data):
{ "exp": "1497052800", "name": "John Doe", "admin": true }
Base64(Data):
ew0KICAiZXhwIjogIjE0OTcwNTI4MDAiLA0KICAibmFtZSI6ICJKb2huIERvZSIsDQogICJhZG1pbiI6IHRydWUNCn0=
Header (Meta):
{ "alg": "HS256" }
Secret:
my-secret-passphrase
Base64(Meta):
ew0KICAiYWxnIjogIkhTMjU2Ig0KfQ==
Signature = HMACSHA256( Base64(Meta) . Base64(Data), "my-secret-passphrase" ):
d0Ao0wmaXL_X3uxLPL8K58DJvyq7vjbrFJFg85mrMe4
Token = Base64(Meta) . Base64(Data) . Signature:
eyJhbGciOiJIUzI1NiJ9.eyJleHAiOiIxNDk3MDUyODAwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.d0Ao0wmaXL_X3uxLPL8K58DJvyq7vjbrFJFg85mrMe4
(The Base64 strings shown above encode the pretty-printed JSON with standard, padded Base64; the final token uses unpadded base64url encoding of the compact JSON, which is why its first two segments look different.)
Claim: keeping the token in session or local storage is a security issue.
NO! It's not! Session management is your problem.
Same as a signed cookie: you can sign anything you want.
Expiration can be used in ANY server-side implementation.
Any data you put in the token will live until the expiration date.
Impossible to resolve this issue and remain stateless.
JWT is just a token format, like many others out there.
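The HS256 construction above and the expiration point, shown end to end as an added example (not code from the talk): build the compact token for the slide's header, payload and secret, then verify it the way a server should, with the algorithm pinned, a constant-time MAC comparison, and the `exp` claim enforced. The `now` parameter and the acceptance of a string-valued `exp` (the slide stores it as a string; RFC 7519 specifies a number) are assumptions made here for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Values from the slide: the shared secret and the payload claims.
SECRET = "my-secret-passphrase"
CLAIMS = {"exp": "1497052800", "name": "John Doe", "admin": True}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as used in the compact JWT serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url: restore the padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims: dict, secret: str) -> str:
    """Return Base64(Meta).Base64(Data).HMACSHA256(...) for the HS256 header."""
    header = {"alg": "HS256"}
    # Compact JSON (no whitespace) before encoding, as in the final token on the slide.
    segments = [
        b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    ]
    signing_input = ".".join(segments).encode("ascii")
    mac = hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
    return ".".join(segments + [b64url(mac)])


def verify(token: str, secret: str, now: Optional[int] = None) -> dict:
    """Validate signature and expiry; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm: the header is attacker-controlled input, so it must
    # never be allowed to pick the verification algorithm (e.g. "none").
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(
        secret.encode("utf-8"), f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    now = int(time.time()) if now is None else now
    # Whatever is in the payload stays valid until exp; the server keeps no state.
    if "exp" in claims and now >= int(claims["exp"]):
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    token = sign(CLAIMS, SECRET)
    print(token)
    print(verify(token, SECRET, now=1497052799))
```

The signing input is exactly `Base64(Meta).Base64(Data)`; once the token is issued, nothing short of the expiry (or server-side state such as a blacklist) can take it back, which is the trade-off the slides describe.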
https://habrahabr.ru/post/141213/
Authentication framework
State stored on the servers
Could be premature. Hard to keep stateless. (Remember Metro?) Useful in a scoped environment.
Could migrate later, because clients do not matter.
Otolaryngologist = Service
Neurologist = Service
Surgeon = Service
(pattern)
Amazon
Mashape
Shares Read Access
{
"name": "User",
"actions": ["User::READ"]
}
Adding grants scoped to specific ids (actionsToIds):
{
  "name": "User",
  "actions": ["User::READ"],
  "actionsToIds": {
    "MODIFY": ["454f99ea0ed23", "ae0381edcb6f6"]
  }
}
Adding nested resources (children):
{
  "name": "User",
  "actions": ["User::READ"],
  "actionsToIds": {
    "MODIFY": ["454f99ea0ed23", "ae0381edcb6f6"]
  },
  "children": [
    { "name": "Project", "actions": ["Project::REPORTS"] }
  ]
}
{
"id": "0e78bce089b43"
}
The user document records what this user has shared, keyed by the id of the user it is shared with (the array holds that user's resources list):
{
  "id": "0e78bce089b4",
  "shared": {
    "56a0a8e364ed": []
  }
}
Sharing a resource type with all of its actions:
{
  "id": "0e78bce089b4",
  "shared": {
    "56a0a8e364ed": [
      { "name": "Project", "actions": ["Project::REPORTS"] }
    ]
  }
}
Sharing one action on specific resource ids (USER 1 0e78bce089b4 shares with USER 2 56a0a8e364ed the ACTION Project::REPORTS on the PROJECT 80dfd6e7c112):
{
  "id": "0e78bce089b4",
  "shared": {
    "56a0a8e364ed": [
      {
        "name": "Project",
        "actionsToIds": { "Project::REPORTS": ["80dfd6e7c112"] }
      }
    ]
  }
}
The reverse index, usersSharedToMe, lists the users who have shared something with this user:
{
  "id": "0e78bce089b4",
  "shared": {
    "56a0a8e364ed": []
  },
  "usersSharedToMe": ["8ddc2a735157"]
}
The same shape for another user:
{
  "id": "e6443763fa73",
  "shared": {
    "56a0a8e364ed": []
  },
  "usersSharedToMe": ["8ddc2a735157"]
}
The sharing data is turned into query filters (first: USER 2 with full access; second: USER 1 restricted to the resource 80dfd6e7c112 and the action Project::REPORTS):
[
  {
    "filter": {
      "userId": "56a0a8e364ed",
      "actions": ["User::FULL_ACCESS"]
    }
  },
  {
    "filter": {
      "userId": "56a0a8e364ed",
      "projectId": "80dfd6e7c112",
      "actions": ["Project::REPORTS"]
    }
  }
]
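An added example (not code from the talk) of evaluating the sharing model described above: a user document in the slides' shape, an `is_allowed` check that walks the grantee's entries (type-wide `actions`, id-scoped `actionsToIds`, and nested `children`), and a `filters_for` helper that flattens the grants into query filters like the ones on the slide. The sample document, the treatment of `children` as further grants, and the `<resource>Id` key naming for id-scoped filters are assumptions made here.

```python
from typing import Any, Dict, List, Optional

# Constructed sample following the slides' user-document shape: user 1 shares
# Project::REPORTS on one project with user 2, and gives user 3 read access to
# its User resources plus reports on all of its projects.
USER1: Dict[str, Any] = {
    "id": "0e78bce089b4",
    "shared": {
        "56a0a8e364ed": [  # user 2
            {
                "name": "Project",
                "actionsToIds": {"Project::REPORTS": ["80dfd6e7c112"]},
            }
        ],
        "8ddc2a735157": [  # user 3
            {
                "name": "User",
                "actions": ["User::READ"],
                "children": [{"name": "Project", "actions": ["Project::REPORTS"]}],
            }
        ],
    },
    "usersSharedToMe": ["8ddc2a735157"],
}


def _entry_allows(entry: Dict[str, Any], resource: str, action: str,
                  resource_id: Optional[str]) -> bool:
    """One shared entry (and, by assumption, its children) grants the action?"""
    if entry.get("name") == resource:
        if action in entry.get("actions", []):
            return True  # type-wide grant: every resource of this type
        if resource_id is not None and resource_id in entry.get("actionsToIds", {}).get(action, []):
            return True  # grant limited to the listed ids
    return any(_entry_allows(child, resource, action, resource_id)
               for child in entry.get("children", []))


def is_allowed(owner: Dict[str, Any], grantee_id: str, resource: str, action: str,
               resource_id: Optional[str] = None) -> bool:
    """Default deny: only the owner, or an explicit shared entry, grants access."""
    if grantee_id == owner["id"]:
        return True
    entries = owner.get("shared", {}).get(grantee_id, [])
    return any(_entry_allows(e, resource, action, resource_id) for e in entries)


def filters_for(owner: Dict[str, Any], grantee_id: str) -> List[Dict[str, Any]]:
    """Flatten a grantee's entries into query filters shaped like the slide's."""
    out: List[Dict[str, Any]] = []

    def walk(entry: Dict[str, Any]) -> None:
        name = entry["name"]
        if entry.get("actions"):
            out.append({"userId": grantee_id, "actions": list(entry["actions"])})
        for action, ids in entry.get("actionsToIds", {}).items():
            # Assumed key naming: "projectId" for Project, etc.
            out.append({"userId": grantee_id, name.lower() + "Id": list(ids), "actions": [action]})
        for child in entry.get("children", []):
            walk(child)

    for entry in owner.get("shared", {}).get(grantee_id, []):
        walk(entry)
    return out


if __name__ == "__main__":
    print(is_allowed(USER1, "56a0a8e364ed", "Project", "Project::REPORTS", "80dfd6e7c112"))
    print(filters_for(USER1, "56a0a8e364ed"))
```

The check is deny-by-default: an unknown grantee, an action that was not shared, or an id outside the `actionsToIds` list all fall through to `False`, which is the property to test for first in any authorization layer built on this data.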
{
  "Id": "Policy1487428541537",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1485128492714",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:CreateBucket"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::your-bucket/*",
      "Principal": "*"
    }
  ]
}
Note that "Principal": "*" on an Allow statement grants the listed actions to anyone, including unauthenticated callers; a real policy names the specific principals it is meant for.
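An added example (not code from the talk or from AWS) of the policy-as-data pattern the bucket policy illustrates: a simplified evaluator for resource policies (explicit Deny wins, otherwise any matching Allow, otherwise implicit deny) and a small lint that flags Allow statements open to any principal. It runs the slide's policy (with its trailing-comma syntax error removed) beside a scoped variant; the role ARN and account id in the scoped policy are placeholders, and the matching rules here cover only Action, Resource and Principal, not IAM conditions.

```python
import fnmatch
from typing import Any, Dict, List

# The slide's bucket policy (constructed copy, syntax error fixed).
PUBLIC_POLICY: Dict[str, Any] = {
    "Id": "Policy1487428541537",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1485128492714",
            "Action": ["s3:AbortMultipartUpload", "s3:CreateBucket"],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::your-bucket/*",
            "Principal": "*",
        }
    ],
}

# Scoped variant: the same grant for one role only (placeholder account id),
# plus an explicit Deny that protects a prefix from everyone.
UPLOADER_ROLE = "arn:aws:iam::123456789012:role/uploader"
SCOPED_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUploaderRole",
            "Action": "s3:AbortMultipartUpload",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::your-bucket/*",
            "Principal": {"AWS": UPLOADER_ROLE},
        },
        {
            "Sid": "DenyAdminPrefix",
            "Action": "s3:*",
            "Effect": "Deny",
            "Resource": "arn:aws:s3:::your-bucket/admin/*",
            "Principal": "*",
        },
    ],
}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _is_public(principal: Any) -> bool:
    """True for "*" or {"AWS": "*"} in any nesting: no caller restriction at all."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(_is_public(v) for v in principal.values())
    if isinstance(principal, list):
        return any(_is_public(v) for v in principal)
    return False


def _principal_matches(principal: Any, caller: str) -> bool:
    if _is_public(principal):
        return True
    if isinstance(principal, dict):
        return any(_principal_matches(v, caller) for v in principal.values())
    return caller in _as_list(principal)


def evaluate(policy: Dict[str, Any], caller: str, action: str, resource: str) -> str:
    """Return "Allow", "Deny" (explicit) or "ImplicitDeny" for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _principal_matches(stmt.get("Principal"), caller):
            continue
        # IAM action names are case-insensitive and support '*' wildcards.
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit Deny overrides every Allow
        decision = "Allow"
    return decision


def public_statements(policy: Dict[str, Any]) -> List[str]:
    """Lint: Sids of Allow statements that any principal can use."""
    return [s.get("Sid", "<no Sid>") for s in policy["Statement"]
            if s["Effect"] == "Allow" and _is_public(s.get("Principal"))]


if __name__ == "__main__":
    print(public_statements(PUBLIC_POLICY))
    print(evaluate(PUBLIC_POLICY, "anonymous", "s3:AbortMultipartUpload", "arn:aws:s3:::your-bucket/x"))
```

The lint result is the point: in the slide's policy the one Allow statement is usable by an anonymous caller, while the scoped variant grants the same action only to a named role and still lets the explicit Deny win for the protected prefix.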