Serverless authentication with jwt

Mehul Patel,@rowdymehul

*

About me

  • I am Mehul Patel
  • Engineer at Zimbra
  • Mozilla Reps Mentor
  • Auth0 Ambassador

What   &   why

credits: DZone

credits: DZone

Focus on code, not servers

credits: auth0

what is...

Image credits: keycdn.com

Image source: Google

Image source: softwareengineeringdaily.com

serverless authentication

serverless authorization

Let's talk about JWT

Further, let's explain some concepts.

  • Compact
  • Self-contained

When should you use JSON Web Tokens?

1. Information Exchange

2. Authorization

What is the JSON Web Token structure?

  • Header
  • Payload
  • Signature

Below is an encoded JSON Web Token:

// Token structure
header.payload.signature

// A real world token
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

Authentication Flow

Image Source: StackOverflow

How an application uses JWT to verify the authenticity of a user.

Image source: medium.com

Let's make it easy with ...

Let's take one Example...

Another example ...

Image source: auth0/docs

What is OAuth 2.0?

OAuth 2.0

An open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords.

OAuth 2.0 roles

 

 

 

  • Resource Owner: the entity that can grant access to a protected resource. Typically this is the end-user.

  • Resource Server: the server hosting the protected resources. This is the API you want to access.

  • Client: the app requesting access to a protected resource on behalf of the Resource Owner.

  • Authorization Server: the server that authenticates the Resource Owner, and issues Access Tokens after getting proper authorization. In this case, Auth0.

 

protocol flow

THANK YOU!

OWASP’s AppSec Israel 2018

By Mehul Patel

OWASP’s AppSec Israel 2018

Authentication is one of the big parts of every application. Security is always something that is changing and evolving. In this talk, I will cover what JSON Web Tokens (JWTs) are and why using JWTs in your applications when it comes to security is awesome. Full story: https://github.com/rowdymehul/OWASP-s-AppSec-Israel-2018

  • 729