A Token Walks Into a Bar ...

SPA

Ado Kukic

Developer Evangelist

Auth0

@kukicado

Ado Kukic

Joel Lord

Developer Evangelist

Auth0

@kukicado

@joel__lord

SPA

Security Best Practices

@joel__lord

...

@joel__lord

https://avengers.com

User

📃

@joel__lord

https://api.avengers.com

https://app.avengers.com

Avengers

OK Google, Call Tony Stark

@joel__lord

JSON Web Tokens

JWT's (RFC 7519) are an open industry standard method for representing claims securely between two parties.

@joel__lord

JSON Web Tokens

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOmZhbHNlfQ.uI_rNanTsZ_wFa1VnICzq2txKeYPArda5QLdVeQYFGI

@joel__lord

How is a Drivers License like a JSON Web Token?

@joel__lord

Header

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOmZhbHNlfQ.uI_rNanTsZ_wFa1VnICzq2txKeYPArda5QLdVeQYFGI

Drivers License

New York State

{
  "alg":"HS256",
  "typ":"JWT"
}

@joel__lord

Payload

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOmZhbHNlfQ.uI_rNanTsZ_wFa1VnICzq2txKeYPArda5QLdVeQYFGI

Picture

Name

Address

Demographics

Restrictions

{
  "sub": "1234567890",
  "given_name": "Thor",      
  "family_name" : "Odinson",
  "admin": true
}

@joel__lord

Signature

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOmZhbHNlfQ.uI_rNanTsZ_wFa1VnICzq2txKeYPArda5QLdVeQYFGI

UV Light

Hologram

HMACSHA256(
  header + "." + payload,
  "lokisucks"
)

@joel__lord

👍

📝

✋

💰

🔗

/v1/sos

✋

{ "status": 401 }

@joel__lord

🔑

/v1/auth

🈺

{ 
  "status": 200,
  "jwt" :"eyJhbGciOiJIU.." 
}

@joel__lord

🔗🈺

/v1/sos

-H "Authorization: Bearer eyJhbGciOiJ..."

📃

{ 
  "status": 200,
  "message" : "ok",
  "avenger" : "Hulk",
  ...
}

@joel__lord

Example (Axios)

axios.post(
  this.apiUrl + '/sos', 
  {
    description: "Help, Thanos!"
  },
  {
    headers: {
      Authorization: "Bearer " + this.jwt
    }
  }
).then(function(data){
  console.log(data); // {message: "ok", avenger: "Hulk"}
})

@joel__lord

🔑

🈺

🔗🈺

📃

api.avengers.com

app.avengers.com

login.avengers.com

@joel__lord

🔑

🈺

🔗🈺

📃

🍪

api.avengers.com

app.avengers.com

login.avengers.com

@joel__lord

🔄

🈺

🔗🈺

📃

🍪

api.avengers.com

app.avengers.com

login.avengers.com

@joel__lord

Resources

Overview of JWT Signing Algorithms

http://bit.ly/jwt-alg

JWT Handbook

http://bit.ly/jwt-book

General JWT Resources

jwt.io

@joel__lord

Summary

JSON Web Tokens are excellent for securing SPA applications.

Many excellent JWT Libraries exist for all languages and frameworks.

Single Page Application security is mainly concerned with authorization.

A security guard couldn't stop Thor, but your server can refuse requests without valid JWT's.

@joel__lord

Thank You

@joel__lord

A Token Walks Into a Bar ...

SPA

Ado Kukic

Developer Evangelist

Auth0

@kukicado

Ado Kukic

Joel Lord

Developer Evangelist

Auth0

@kukicado

@joel__lord

SPA

Security Best Practices

@joel__lord

...

@joel__lord

@joel__lord

@joel__lord

JSON Web Tokens

JWT's (RFC 7519) are an open industry standard method for representing claims securely between two parties.

@joel__lord

JSON Web Tokens

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOmZhbHNlfQ.uI_rNanTsZ_wFa1VnICzq2txKeYPArda5QLdVeQYFGI

@joel__lord

@joel__lord

How is a Drivers License like a JSON Web Token?

@joel__lord

Header

@joel__lord

Payload

@joel__lord

Signature

@joel__lord

📝

@joel__lord

@joel__lord

@joel__lord

Example (Axios)

@joel__lord

@joel__lord

@joel__lord

🔄

@joel__lord

Resources

@joel__lord

Summary

@joel__lord

Thank You

@joel__lord

Copy of A Token Walks Into a SPA (TakeOff Conf 2018)

Copy of A Token Walks Into a SPA (TakeOff Conf 2018)

More from Joel Lord