A Token Walks Into a BarΒ ...

SPA

Ado Kukic

Developer Evangelist

Auth0

@kukicado

Ado Kukic

Joel Lord

Developer Evangelist

Auth0

@kukicado

@joel__lord

SPA

Β 

Security Best Practices

@joel__lord

...

@joel__lord

https://avengers.com

User

πŸ“ƒ

@joel__lord

https://api.avengers.com

https://app.avengers.com

Avengers

OK Google, Call Tony Stark

@joel__lord

JSON Web Tokens

JWT's (RFC 7519) are an open industry standardΒ  method for representing claims securely between two parties.

@joel__lord

JSON Web Tokens

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOmZhbHNlfQ.uI_rNanTsZ_wFa1VnICzq2txKeYPArda5QLdVeQYFGI

@joel__lord

@joel__lord

How is a Drivers License like a JSON Web Token?

@joel__lord

Header

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOmZhbHNlfQ.uI_rNanTsZ_wFa1VnICzq2txKeYPArda5QLdVeQYFGI

Drivers License

New York State

{
  "alg":"HS256",
Β  "typ":"JWT"
}

@joel__lord

Payload

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOmZhbHNlfQ.uI_rNanTsZ_wFa1VnICzq2txKeYPArda5QLdVeQYFGI

Picture

Name

Address

Demographics

Restrictions

{
Β  "sub": "1234567890",
Β  "given_name": "Thor",      
Β  "family_name" : "Odinson",
Β  "admin": true
}

@joel__lord

Signature

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOmZhbHNlfQ.uI_rNanTsZ_wFa1VnICzq2txKeYPArda5QLdVeQYFGI

UV Light

Hologram

HMACSHA256(
  header + "." + payload,
  "lokisucks"
)

@joel__lord

πŸ‘

πŸ“

βœ‹

πŸ’°

πŸ”—

/v1/sos

βœ‹

{ "status": 401 }

@joel__lord

πŸ”‘

/v1/auth

🈺

{ 
Β  "status": 200,
  "jwt" :"eyJhbGciOiJIU.." 
}

@joel__lord

πŸ”—πŸˆΊ 

/v1/sos

-H "Authorization: Bearer eyJhbGciOiJ..."

πŸ“ƒ

{ 
Β  "status": 200,
  "message" : "ok",
Β  "avenger" : "Hulk",
Β  ...
}

@joel__lord

Example (Axios)

axios.post(
  this.apiUrl + '/sos', 
  {
    description: "Help, Thanos!"
  },
  {
    headers: {
      Authorization: "Bearer " + this.jwt
    }
  }
).then(function(data){
  console.log(data); // {message: "ok", avenger: "Hulk"}
})

@joel__lord

πŸ”‘

🈺

πŸ”—πŸˆΊ

πŸ“ƒ

api.avengers.com

app.avengers.com

login.avengers.com

@joel__lord

πŸ”‘

🈺

πŸ”—πŸˆΊ

πŸ“ƒ

πŸͺ

api.avengers.com

app.avengers.com

login.avengers.com

@joel__lord

πŸ”„

🈺

πŸ”—πŸˆΊ

πŸ“ƒ

πŸͺ

api.avengers.com

app.avengers.com

login.avengers.com

@joel__lord

Resources

Overview of JWT Signing Algorithms

http://bit.ly/jwt-alg

JWT Handbook

http://bit.ly/jwt-book

General JWT Resources

jwt.ioΒ 

@joel__lord

Summary

JSON Web Tokens are excellent for securing SPA applications.

Many excellent JWT LibrariesΒ exist for all languages and frameworks.

Single Page Application security is mainly concerned with authorization.Β 

A security guard couldn't stop Thor, but your server can refuse requests without valid JWT's.

@joel__lord

Thank You

@joel__lord

Made with Slides.com