Serverless

Jaipur

Securing Serverless APIs using JWT

About Me

Md. Shahbaz Alam

Full Stack Developer

Tech Speaker

Auth0 Ambassador

Mozilla Reps Mentor

GDG Ranchi Organizer

@mdsbzalam

Agenda

1. Serverless

2. Authentication & Authorization

3. JWT

4. Deployment

Serverless

What is Serverless?

Serverless, is an execution model where the cloud provider is responsible for executing a piece of code by dynamically allocating the resources. The code is typically run inside stateless containers that can be triggered by a variety of events including http requests, database events, queuing services, monitoring alerts, file uploads, scheduled events (cron jobs), etc. The code that is sent to the cloud provider for execution is usually in the form of a function. Hence serverless is sometimes referred to as “Functions as a Service” or “FaaS”.

Serverless

What is Serverless?

Let me break it down!

Serverless

What is Serverless?

- Serverless is an execution model

- Cloud providers execute the code

- by allocating resources dynamically

- the code runs inside Stateless containers

- triggered by event( http request, cron job)

- code sent to cloud providers are in the form of functions

- hence "Function as a Service" or "Fass"

Serverless

Traditional Architecture

- we are charged for keeping the server up

even when we are not using

- responsible for uptime and maintenance of the server and all its resources.

- responsible for applying the appropriate security updates

- we need to manage scaling

Serverless

in Serverless?

Serverless

Why Serverless?

Just like wireless internet has wires somewhere, serverless architectures still have servers somewhere.

What ‘serverless’ really means is that, as a developer, you don’t have to think about those servers.

You just focus on code.

Serverless

Serverless Cloud Providers

Serverless

What you can do with serverless application

- Build APIs

- Data processing

- Custom automation

Authentication & Authorization

Difference

Authentication & Authorization

Serverless

Authentication

Serverless Authentication

Authentication & Authorization

source: dadario.com.br

Serverless

Authorization

Serverless Authorization

Authentication & Authorization

source: dadario.com.br

JSON Web Token

JWT

What is JSON Web Tokens?

- A way to encode information

- Securely communicate JSON Objects

- Secret-based Verification

- Consists of a header, payload and signature

- Self-contained

JWT

JSON Web Token

JWT

The JWT Header

The header is a JSON Object usually consisting of the type( typ ) , which is JWT, and the algorithm used for encrypting the JWT (alg ):

{
  "alg": "HS256",
  "typ": "JWT"
}

JWT

The JWT Payload

The Payload is a JSON object that consists of user defined attributes ( called public claims ) . Some attributes are defined in the standard ( these are called reserved claims ).

{
    // reserved claim
    "iss": "https://myapi.com", 
    // public claim
    "user": "mdsbzalam" 
}

JWT

The JWT Signature

The Signature is the encoded header and payload, signed with a secret.

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret
)

This accomplishes several tasks at once, including:

Proves the identity of the sender
Ensures the message has not changed

JWT

The JWT Token

A finished token looks like [encoded header].[encoded payload].[signature] :

JWT

The JWT Token

How an application uses JWT to verify the authenticity of a user.

Deployment

Demo

webtask.io

Demo

/**
* @param context {WebtaskContext}
*/
module.exports = function(context, cb) {
  cb(null, { hello: context.query.name || 'ServerlessDays Jaipur' });
};

Demo

'use latest';

import express from 'express';
import { fromExpress } from 'webtask-tools';
import bodyParser from 'body-parser';
const app = express();

app.use(bodyParser.json());

const jwksRsa = require('jwks-rsa');
const jwt = require('express-jwt');

app.use((req, res, next) => { 
  const issuer = 'https://' + req.webtaskContext.secrets.AUTH0_DOMAIN + '/';
  jwt({
    secret: jwksRsa.expressJwtSecret({ jwksUri: issuer + '.well-known/jwks.json' }),
    audience: req.webtaskContext.secrets.AUDIENCE,
    issuer: issuer,
    algorithms: [ 'RS256' ]
  })(req, res, next);
});

app.get('/test', (req, res) => {
  // test endpoint, no-operation
  res.send(200);
});

app.get('/', (req, res) => {
  // add your logic, you can use scopes from req.user
  res.json({hi: req.user.sub});
});

module.exports = fromExpress(app);