JWT based authentication with Symfony
Richard Melo
@allucardster
About me
- System Engineer
- 8+ years experience
- Fullstack Developer
- SUDO co-founder
Agenda
- Intro to JWT
- JWT based authentication
- JWT auth and Symfony
- Demo
What is JWT?
"JSON Web Token (JWT) is an open standard that defines a way for securely transmitting information between parties as a JSON object"
Features
- Compact and self-contained
- Digitally signed
- It's just simple
{
"alg": "RS256"
"type": "JWT"
}
{
"roles": [
"ROLE_SUPER_ADMIN",
"ROLE_USER"
],
"username": "admin",
"iat": 1518129280,
"exp": 1518132880
}
RSASHA256(
base64UrlEncode(header) +
"." +
base64UrlEncode(payload),
"Public Key or Certificate",
"Private Key (RSA)"
)
Header
Payload
Signature
JWT Structure
eyJhbGciOiJSUzI1NiJ9.
eyJyb2xlcyI6WyJST0xFX1NVUEVSX0FETUlOIiwiUk9MRV9VU0VSIl0sInVzZXJuYW1lIjoiYWRtaW4iLCJpYXQiOjE1MTgxMjkyODAsImV4cCI6MTUxODEzMjg4MH0.
a6Y6Tkq6hXAtAXM0e4DYPEfM-4_78zh3UTO9Wa_XLt3u8murQr_WSUmq6QurAGP0LavYLCTX-rZygs_GVlBt68iKhdJRsG3d_hi7gN8dgpLC1SfT0QbWvsQPWGdRi_kgZVjz6ffsDos6lSRwWRG7N5Sm3uzgakFaNn5WI_JJVd88pUzisJLkgTxcObke_Wb4r6-p-khFMTfULvJ7gmFviF3mvDKXI_hBf1ELgfhtgjH4sxGTIjSkxeowh9q7na2HL2kL3SO6frPPQKNzCI8vxg5jqXs-ZowbqXNMx-I9uyaoMVMEiA4b96Y02gw1ixSBd8yJFNDdojm2xEvW2_TY4eN48VFtU2GWIRFmR5z0TUQYymRWqale58qydpkwvyurEezca3l3qzABip1aplmHYheGScaC9S4SCAiixzPaCKFw0fUm78RyxHPCe4lDLwPKts9zs2nPNlgYg3WDy-L1pqzjwpBEWKthjJh2WvVEKLcZ7LJS_Fb8hS6CtvOL5rsZHOy8gsZRukruRxyweAEaycuT5ceSE4EqikfkwQTkN5QIKKFS1Lcc1rR4zxl-yrJu9t5jQBPKMKWxpyWTQncnDLuGm5TL0L2BvZnT91gxiDLX9BBvO_kQzFzniU6hhJQw4uCx0X1x8xOCzj-OjXDp4zOVDARkSuJNrpNlUFue8SY
eyJhbGciOiJSUzI1NiJ9.
eyJyb2xlcyI6WyJST0xFX1NVUEVSX0FETUlOIiwiUk9MRV9VU0VSIl0sInVzZXJuYW1lIjoiYWRtaW4iLCJpYXQiOjE1MTgxMjkyODAsImV4cCI6MTUxODEzMjg4MH0.
a6Y6Tkq6hXAtAXM0e4DYPEfM-4_78zh3UTO9Wa_XLt3u8murQr_WSUmq6QurAGP0LavYLCTX-rZygs_GVlBt68iKhdJRsG3d_hi7gN8dgpLC1SfT0QbWvsQPWGdRi_kgZVjz6ffsDos6lSRwWRG7N5Sm3uzgakFaNn5WI_JJVd88pUzisJLkgTxcObke_Wb4r6-p-khFMTfULvJ7gmFviF3mvDKXI_hBf1ELgfhtgjH4sxGTIjSkxeowh9q7na2HL2kL3SO6frPPQKNzCI8vxg5jqXs-ZowbqXNMx-I9uyaoMVMEiA4b96Y02gw1ixSBd8yJFNDdojm2xEvW2_TY4eN48VFtU2GWIRFmR5z0TUQYymRWqale58qydpkwvyurEezca3l3qzABip1aplmHYheGScaC9S4SCAiixzPaCKFw0fUm78RyxHPCe4lDLwPKts9zs2nPNlgYg3WDy-L1pqzjwpBEWKthjJh2WvVEKLcZ7LJS_Fb8hS6CtvOL5rsZHOy8gsZRukruRxyweAEaycuT5ceSE4EqikfkwQTkN5QIKKFS1Lcc1rR4zxl-yrJu9t5jQBPKMKWxpyWTQncnDLuGm5TL0L2BvZnT91gxiDLX9BBvO_kQzFzniU6hhJQw4uCx0X1x8xOCzj-OjXDp4zOVDARkSuJNrpNlUFue8SY
What is JWT Based Authentication?
"It's the process by which an application confirms user identity using a json web token"
Client
Server
POST /auth username:user&password:1234
200 OK
{"token":"JWT token"}
Client
Server
GET /api/products Authorization: Bearer JWT token
200 OK
[{"id":1, "name": "Product 1"}]
Validate token
401 UNAUTHORIZED
{"message": "¯\_(ツ)_/¯"}
JWT auth in Symfony
- JWT token generator
- Validate JWT token
- Integrate validation and genrator with security schema
LexikJWTAuthenticationBundle
"It's a bundle that provides JWT authentication for Symfony projects"
Requirements
- PHP >= 5.5
- Symfony >= 2.8
- SSL certificate
In a nutshell
- Allow generate and sign JWT tokens
- Provides a JWT token authenticator
- Allow integrate with security schema through firewall config
How to install it?
composer require jwt-authcomposer require lexik/jwt-authentication-bundleDemo
Backend (API)
https://github.com/allucardster/jwt-xample
Frontend (Angular4 App)
https://github.com/allucardster/ng-jwt-xample
Thank You!
References
- https://en.wikipedia.org/wiki/JSON_Web_Token
- https://jwt.io/
- https://auth0.com/learn/angularjs-authentication/
- https://www.toptal.com/web/cookie-free-authentication-with-json-web-tokens-an-example-in-laravel-and-angularjs
- https://stormpath.com/blog/token-authentication-scalable-user-mgmt
- https://auth0.com/learn/token-based-authentication-made-easy/
- https://github.com/lexik/LexikJWTAuthenticationBundle
- https://blog.eleven-labs.com/fr/angular2-symfony3-comment-creer-rapidement-systeme-dauthentification/