A Token Walks Into a BarΒ ...
SPA
Ado Kukic
Developer Evangelist
Auth0
@kukicado
SPA
Β
Security Best Practices
...
https://piedpiper.com
User
https://api.piedpiper.com
https://app.piedpiper.com
PiedPiper
OK, PiedPiper
JSON Web Tokens
JWT's (RFC 7519) are an open industry standardΒ method for representing claims securely between two parties.
JSON Web Tokens
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOmZhbHNlfQ.uI_rNanTsZ_wFa1VnICzq2txKeYPArda5QLdVeQYFGI
How is a Drivers License like a JSON Web Token?
Header
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOmZhbHNlfQ.uI_rNanTsZ_wFa1VnICzq2txKeYPArda5QLdVeQYFGI
Drivers License
New York State
{
"alg":"HS256",
Β "typ":"JWT"
}
Payload
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOmZhbHNlfQ.uI_rNanTsZ_wFa1VnICzq2txKeYPArda5QLdVeQYFGI
Picture
Name
Address
Demographics
Restrictions
{
Β "sub": "1234567890",
Β "given_name": "Thor",
Β "family_name" : "Odinson",
Β "admin": true
}
Signature
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOmZhbHNlfQ.uI_rNanTsZ_wFa1VnICzq2txKeYPArda5QLdVeQYFGI
UV Light
Hologram
HMACSHA256( header + "." + payload, "lokisucks" )
π
/v1/orders
{ "status": 401 }
/v1/auth
{
Β "status": 200,
"jwt" :"eyJhbGciOiJIU.."
}
/v1/orders
-H "Authorization: Bearer eyJhbGciOiJ..."
{ Β "status": 200, "order_id" : 138, Β "total_cost" : 27.99, Β ... }
π
Resources
Overview of JWT Signing Algorithms
http://bit.ly/jwt-alg
Slides
http://bit.ly/devops-jwt
General JWT Resources
jwt.ioΒ
Summary
JSON Web Tokens are excellent for securing SPA applications.
Many excellent HTTP LibrariesΒ exist and makes it easy to work with JWT's.
Single Page Application security is mainly concerned with authorization.Β
A security guard couldn't stop Thor, but your server can refuse requests without valid JWT's.
Thank You
@kukicado
Β