Mehul Patel
Hi, I'm Mehul Patel and I specialize in Information Technology and Services. I’m passionate about what I do. I am a Developer Tech by profession, an open source enthusiast, Linux geeky and a maker by heart. https://about.me/rowdymehul
Serverless authentication with jwt
Mehul Patel,@rowdymehul
About me
- I am Mehul Patel
- Engineer at Zimbra
- Mozilla Reps Mentor
- Auth0 Ambassador
What & why
credits: DZone
credits: DZone
Focus on code, not servers
credits: auth0
what is...
Image credits: keycdn.com
Image source: Google
Image source: softwareengineeringdaily.com
serverless authentication
serverless authorization
Let's talk about JWT
Further, let's explain some concepts.
- Compact
- Self-contained
When should you use JSON Web Tokens?
1. Information Exchange
2. Authorization
What is the JSON Web Token structure?
- Header
- Payload
- Signature
Below is an encoded JSON Web Token:
// Token structure
header.payload.signature
// A real world token
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
Authentication Flow
Image Source: StackOverflow
How an application uses JWT to verify the authenticity of a user.
Image source: medium.com
Let's make it easy with ...
Let's take one Example...
Another example ...
Image source: auth0/docs
What is OAuth 2.0?
OAuth 2.0
An open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords.
OAuth 2.0 roles
-
Resource Owner: the entity that can grant access to a protected resource. Typically this is the end-user.
-
Resource Server: the server hosting the protected resources. This is the API you want to access.
-
Client: the app requesting access to a protected resource on behalf of the Resource Owner.
- Authorization Server: the server that authenticates the Resource Owner, and issues Access Tokens after getting proper authorization. In this case, Auth0.
protocol flow
Visit auth0.com/opensource
THANK YOU!
OWASP’s AppSec Israel 2018
By Mehul Patel
OWASP’s AppSec Israel 2018
Authentication is one of the big parts of every application. Security is always something that is changing and evolving. In this talk, I will cover what JSON Web Tokens (JWTs) are and why using JWTs in your applications when it comes to security is awesome. Full story: https://github.com/rowdymehul/OWASP-s-AppSec-Israel-2018
