Serverless

Jaipur

Securing Serverless APIs using JWT

About Me

Md. Shahbaz Alam

Full Stack Developer

Tech Speaker

Auth0 Ambassador

Mozilla Reps Mentor

GDG Ranchi Organizer

 

@mdsbzalam

 

Agenda

1. Serverless

2. Authentication & Authorization

3. JWT

4. Deployment

Serverless

What is Serverless?

Serverless is an execution model where the cloud provider is responsible for executing a piece of code by dynamically allocating the resources. The code is typically run inside stateless containers that can be triggered by a variety of events, including HTTP requests, database events, queuing services, monitoring alerts, file uploads, scheduled events (cron jobs), etc. The code that is sent to the cloud provider for execution is usually in the form of a function. Hence serverless is sometimes referred to as “Functions as a Service” or “FaaS”.

Serverless

What is Serverless?

Let me break it down!

Serverless

What is Serverless?

- Serverless is an execution model

- Cloud providers execute the code

- by allocating resources dynamically

- the code runs inside stateless containers

- triggered by events (HTTP request, cron job)

- code sent to cloud providers is in the form of functions

- hence "Function as a Service" or "FaaS"

Serverless

Traditional Architecture

- we are charged for keeping the server up, even when we are not using it

- responsible for uptime and maintenance of the server and all its resources.

- responsible for applying the appropriate security updates

- we need to manage scaling

Serverless

in Serverless?

Serverless

Why Serverless?

Just like wireless internet has wires somewhere, serverless architectures still have servers somewhere.

What ‘serverless’ really means is that, as a developer, you don’t have to think about those servers.

You just focus on code.

Serverless

Serverless Cloud Providers

Serverless

What you can do with serverless application

- Build APIs

- Data processing

- Custom automation

Authentication & Authorization

Authentication & Authorization

Difference

Authentication & Authorization

Serverless

Authentication

 Serverless Authentication

Authentication & Authorization

source: dadario.com.br

Serverless

Authorization

 Serverless Authorization

Authentication & Authorization

source: dadario.com.br

JSON Web Token

JWT

What are JSON Web Tokens?

- A way to encode information

- Securely communicate JSON Objects

- Secret-based Verification

- Consists of a header, payload and signature

- Self-contained

JWT

JSON Web Token

JWT

The JWT Header

The header is a JSON object usually consisting of the type (typ), which is JWT, and the algorithm used for signing the JWT (alg):

{
  "alg": "HS256",
  "typ": "JWT"
}

JWT

The JWT Payload

The payload is a JSON object that consists of user-defined attributes (called public claims). Some attributes are defined in the standard (these are called reserved claims).

{
    // reserved claim
    "iss": "https://myapi.com", 
    // public claim
    "user": "mdsbzalam" 
}

JWT

The JWT Signature

The Signature is the encoded header and payload, signed with a secret.

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret
)

This accomplishes several tasks at once, including:

  • Proves the identity of the sender
  • Ensures the message has not changed
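The signature construction above, carried through signing and verification, as an added example that is not code from the original slides. The secret, the `exp` value and the helper names (`sign`, `verify`, `tamper`) are constructed for illustration; the verifier pins the algorithm and checks the signature before trusting any claim.

```javascript
// Added example: HS256 signing and verification with Node's built-in crypto.
const { createHmac, timingSafeEqual } = require('crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');

function hmac(signingInput, secret) {
  return createHmac('sha256', secret).update(signingInput).digest();
}

// Build [encoded header].[encoded payload].[signature]
function sign(payload, secret) {
  const header = { alg: 'HS256', typ: 'JWT' };
  const signingInput = b64url(JSON.stringify(header)) + '.' + b64url(JSON.stringify(payload));
  return signingInput + '.' + b64url(hmac(signingInput, secret));
}

// Returns the payload if the token is authentic and acceptable, otherwise throws.
function verify(token, secret, { issuer, now = Math.floor(Date.now() / 1000) }) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  // Pin the algorithm: never let the token choose how it is verified.
  if (header.alg !== 'HS256') throw new Error('unexpected alg');
  const expected = hmac(h + '.' + p, secret);
  const actual = Buffer.from(s, 'base64url');
  // Constant-time comparison of the recomputed and presented signatures.
  if (actual.length !== expected.length || !timingSafeEqual(actual, expected)) {
    throw new Error('bad signature');
  }
  // Only after the signature checks out are the claims trusted.
  const payload = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  if (payload.iss !== issuer) throw new Error('wrong issuer');
  if (typeof payload.exp !== 'number' || payload.exp <= now) throw new Error('expired');
  return payload;
}

// Constructed sample values (not real credentials).
const SECRET = 'constructed-demo-secret';
const token = sign({ iss: 'https://myapi.com', user: 'mdsbzalam', exp: 2000000000 }, SECRET);

// Swap in a different payload while keeping the original signature.
function tamper(tok) {
  const [h, , s] = tok.split('.');
  const forged = b64url(JSON.stringify({ iss: 'https://myapi.com', user: 'admin', exp: 2000000000 }));
  return [h, forged, s].join('.');
}
```

The payload is only base64url-encoded, so anyone holding the token can read it; the signature protects integrity, not confidentiality.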

JWT

The JWT Token

A finished token looks like [encoded header].[encoded payload].[signature].

JWT

The JWT Token

How an application uses JWT to verify the authenticity of a user.

Deployment

Demo

webtask.io

Demo

/**
* @param context {WebtaskContext}
*/
module.exports = function(context, cb) {
  cb(null, { hello: context.query.name || 'ServerlessDays Jaipur' });
};

Demo

'use latest';

import express from 'express';
import { fromExpress } from 'webtask-tools';
import bodyParser from 'body-parser';
const app = express();

app.use(bodyParser.json());

const jwksRsa = require('jwks-rsa');
const jwt = require('express-jwt');

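// Validate the bearer token on every request before any route runs.
// Webtask secrets are only available per request, so the check is built here.
app.use((req, res, next) => {
  const issuer = 'https://' + req.webtaskContext.secrets.AUTH0_DOMAIN + '/';
  jwt({
    // Fetch the signing key from the issuer's JWKS endpoint
    secret: jwksRsa.expressJwtSecret({ jwksUri: issuer + '.well-known/jwks.json' }),
    // Reject tokens minted for another API or by another issuer
    audience: req.webtaskContext.secrets.AUDIENCE,
    issuer: issuer,
    // Accept only RS256; the token's own header does not get to choose
    algorithms: [ 'RS256' ]
  })(req, res, next);
});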

app.get('/test', (req, res) => {
  // test endpoint, no-operation (still behind the JWT check above)
  res.sendStatus(200);
});

app.get('/', (req, res) => {
  // add your logic, you can use scopes from req.user
  res.json({hi: req.user.sub});
});

module.exports = fromExpress(app);
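The "you can use scopes from req.user" step, as an added example that is not part of the original demo. It assumes the access token carries a space-delimited `scope` claim and that the JWT check has already placed the verified payload on `req.user`; `requireScope`, `run`, the route and the scope names are hypothetical.

```javascript
// Added example: per-route authorization on top of the JWT check.
// Authentication (is the token valid?) is already done by the middleware above;
// this decides whether the authenticated caller may use a given route.
function requireScope(...required) {
  return function (req, res, next) {
    const claim = req.user && req.user.scope;
    // A missing or non-string claim grants nothing.
    const granted = new Set(typeof claim === 'string' ? claim.split(' ').filter(Boolean) : []);
    const missing = required.filter((s) => !granted.has(s));
    if (missing.length > 0) {
      // Authenticated but not allowed: 403, not 401.
      return res.status(403).json({ error: 'insufficient_scope', missing });
    }
    next();
  };
}

// Hypothetical usage inside the webtask above:
//   app.get('/messages', requireScope('read:messages'), handler);

// Minimal stand-ins for Express req/res so the middleware can be exercised offline.
function run(middleware, user) {
  const result = { status: 200, body: null, nextCalled: false };
  const res = {
    status(code) { result.status = code; return this; },
    json(body) { result.body = body; return this; },
  };
  middleware({ user }, res, () => { result.nextCalled = true; });
  return result;
}
```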

Visit to Explore!

auth0.com

Resources

General JWT Resources

jwt.io 

JWT Handbook

http://bit.ly/jwt-book

WebTask

webtask.io 

Connect with me

Facebook

facebook.com/mdsbzalam

Twitter

@mdsbzalam

Instagram

@mdsbzalam

LinkedIn

https://in.linkedin.com/in/mdsbzalam

E-mail

mdsbzalam@gmail.com

Slide

Thank you

@mdsbzalam

ServerlessDays Jaipur 2019

By Mohammad Shahbaz Alam
