JSON Web Tokens
Opi Danihelka
Let's talk about security
https://actum.cz:4000/employees
HTTPS
Basic access authentication
Server
Client
username, password
https://actum.cz:4000/employees
data
Server
Client
username, password
https://actum.cz:4000/employees/:email/photo
data
Basic access authentication
- send username and password with every request
- browser cached credentials (~15m)
OAuth2
Server
Client
username, password
https://actum.cz:4000/login
token
Server
Client
token
https://actum.cz:4000/employees
data
Token based authentication
Save token
JSON Web Token
- authorization token
- industry standard
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Im9kYW5paGVsa2EiLCJuYW1lIjoiT3BpIERhbmloZWxrYSIsImVtYWlsIjoib3BpLmRhbmloZWxrYUBhY3R1bS5jeiIsInJvbGUiOiJBRE1JTiIsImlhdCI6MTQ4ODUzNjAyNCwiZXhwIjoxNDkxMjE0NDI0fQ.j8oGsVPWqjnwlJGv6RZmXa2C2eAtJWBNKff00S14TQ8
JSON Web Token
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6Im9kYW5paGVsa2EiLCJuYW1lIjoiT3BpIERhbmloZWxrYSIsImVtYWlsIjoib3BpLmRhbmloZWxrYUBhY3R1bS5jeiIsInJvbGUiOiJBRE1JTiIsImlhdCI6MTQ4ODUzNjAyNCwiZXhwIjoxNDkxMjE0NDI0fQ.j8oGsVPWqjnwlJGv6RZmXa2C2eAtJWBNKff00S14TQ8
header.payload.signature
JWT Header
header = {
"alg": "HS256",
"typ": "JWT"
}
base64UrlEncode(header)eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
JWT Payload
payload = {
"username": "odanihelka",
"name": "Opi Danihelka",
"email": "opi.danihelka@actum.cz",
"role": "ADMIN",
"iat": 1488536024,
"exp": 1491214424
}
base64UrlEncode(payload)eyJ1c2VybmFtZSI6Im9kYW5paGVsa2EiLCJuYW1lIjoiT3BpIERhbmloZWxrYSIsImVtYWlsIjoib3BpLmRhbmloZWxrYUBhY3R1bS5jeiIsInJvbGUiOiJBRE1JTiIsImlhdCI6MTQ4ODUzNjAyNCwiZXhwIjoxNDkxMjE0NDI0fQ
JWT Signature
HMACSHA256(
base64UrlEncode(header) + "." + base64UrlEncode(payload),
secret
)j8oGsVPWqjnwlJGv6RZmXa2C2eAtJWBNKff00S14TQ8
Server with JWT
verify signature of every request
keep secret in secret
JWT vs. dummy access token
API security
- HTTPS
- OAuth2 with token based authentication
- token lifetime
- Don’t commit secrets into Git!!!
Thx bye
https://jwt.io/
