JSON Web Tokens

Opi Danihelka

Let's talk about security

https://actum.cz:4000/employees

HTTPS

Basic access authentication


Diagram: the client sends its username and password with every request.

  1. Client → Server: username, password, https://actum.cz:4000/employees; Server → Client: data
  2. Client → Server: username, password, https://actum.cz:4000/employees/:email/photo; Server → Client: data

Basic access authentication


  • the username and password are sent with every request
  • the browser caches the credentials (for about 15 min)

OAuth2

Diagram: the client logs in once and then presents a token instead of its credentials.

  1. Client → Server: username, password, https://actum.cz:4000/login; Server → Client: token
  2. Client → Server: token, https://actum.cz:4000/employees; Server → Client: data

Token-based authentication

Save token

JSON Web Token

  • authorization token
  • industry standard

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Im9kYW5paGVsa2EiLCJuYW1lIjoiT3BpIERhbmloZWxrYSIsImVtYWlsIjoib3BpLmRhbmloZWxrYUBhY3R1bS5jeiIsInJvbGUiOiJBRE1JTiIsImlhdCI6MTQ4ODUzNjAyNCwiZXhwIjoxNDkxMjE0NDI0fQ.j8oGsVPWqjnwlJGv6RZmXa2C2eAtJWBNKff00S14TQ8

header.payload.signature

 

JWT Header

header = {
  "alg": "HS256",
  "typ": "JWT"
}

base64UrlEncode(header)

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

JWT Payload

payload = {
  "username": "odanihelka",
  "name": "Opi Danihelka",
  "email": "opi.danihelka@actum.cz",
  "role": "ADMIN",
  "iat": 1488536024,
  "exp": 1491214424
}

base64UrlEncode(payload)

eyJ1c2VybmFtZSI6Im9kYW5paGVsa2EiLCJuYW1lIjoiT3BpIERhbmloZWxrYSIsImVtYWlsIjoib3BpLmRhbmloZWxrYUBhY3R1bS5jeiIsInJvbGUiOiJBRE1JTiIsImlhdCI6MTQ4ODUzNjAyNCwiZXhwIjoxNDkxMjE0NDI0fQ

JWT Signature

HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  secret
)

j8oGsVPWqjnwlJGv6RZmXa2C2eAtJWBNKff00S14TQ8

Server with JWT

verify the signature on every request


keep the signing secret secret (it never leaves the server)


JWT vs. dummy access token

API security

  • HTTPS 
  • OAuth2 with token-based authentication
  • token lifetime
  • Don’t commit secrets into Git!!!


Thx bye

https://jwt.io/