JSON WEB TOKEN

Ivan RosolenGraduado em Sistemas de InformaçãoPós-graduado em Gerência de Projetos

Desenvolvedor a 15+ anosAutor de vários PHPT (testes para o PHP)

Entusiasta de novas tecnologias

Head of Innovation @ Arizona

CTO @ Mokation

@ivanrosolen

Authentication

- Form Request Post/Get

- OAuth

- Key/Hash

- Credenciais em plain text

- Session Cookies

- Data is stored in plain text on the server

- Filesystem read/write requests

- Distributed/clustered applications

- Redis/Sticky sessions

API

- Stateless authentication (simplifies horizontal scaling)

- Prevent (mitigate) Cross-Site Request Forgery (CSRF)

attacks.

- Security (https)

- Authorization: Bearer

- Authentication vs. Authorization

- 401 unauthorized / 403 forbidden

- JWT != ACL

JOSE

- JWT

- JWS

- JWA

- JWK

- JWE

JSON Object Signing and Encryption

Advantages

- JSON Web Tokens work across different programming languages

- JWTs are self-contained

- JWTs can be passed around easily and secure

- Better control like “one time token” to forgot password, confirm

user, request rates, access, etc.

- One token to rule them all (Stateless)

Anatomy

header.claims.signature

Header

{

"typ": "JWT",

"alg": "HS256"

}

Claims- iss: The issuer of the token

- sub: The subject of the token

- aud: The audience of the token

- exp: This will probably be the registered claim most often used. This will define the expiration

in NumericDate value. The expiration MUST be after the current date/time.

- nbf: Defines the time before which the JWT MUST NOT be accepted for processing

- iat: The time the JWT was issued. Can be used to determine the age of the JWT

- jti: Unique identifier for the JWT. Can be used to prevent the JWT from being replayed. This is

helpful for a one time use token.

http://www.slideshare.net/lcobucci/jwt-to-authentication-and-beyond

Payload / Claims{

"iss": "ivanrosolen.com",

"exp": 1300819380,

"name": "Ivan Rosolen",

"admin": true

}

JWT

eyJ0eXAiOiAiSldUIiwiYWxnIjogIkhTMjU2In0=.eyJpc3MiOiAiaXZhbnJvc29sZW4uY29tIiwiZXhwIjogMTMwMDgxOTM4MCwibmFtZSI6ICJJdmFuIFJvc29sZW4iLCJhZG1pbiI6IHRydWV9.

JWS

- header

- claims

payload

base64(header) . base64(claims)

JWA

- secret (hmac sha256, rsa256 ....)

- encrypt payload with key ‘Xuplau’

Signature

var encodedString = base64UrlEncode(header) + "."

+ base64UrlEncode(payload);

HMACSHA256(encodedString, 'Xuplau');

JWT

eyJ0eXAiOiAiSldUIiwiYWxnIjogIkhTMjU2In0=.eyJpc3MiOiAiaXZhbnJvc29sZW4uY29tIiwiZXhwIjogMTMwMDgxOTM4MCwibmFtZSI6ICJJdmFuIFJvc29sZW4iLCJhZG1pbiI6IHRydWV9.M2FjZTM0M2ZiNjhhMzBiOWNiYTkxN2U1Zjk4YjUxOWYzMTY3NGZlMmU4MTIzYjU1NTRkMjNlNjYzOTkyZGU2Nw==

Warning!

Code

Github

- Session

- JWT

- JOSE

DEMO

Refs

Githubhttps://github.com/ivanrosolen/crud-demo

JWThttps://github.com/dwyl/learn-json-web-tokenshttp://jwt.iohttps://developer.atlassian.com/static/connect/docs/latest/concepts/understanding-jwt.htmlhttp://stackoverflow.com/questions/20588467/how-to-do-stateless-session-less-cookie-less-authentication

Talkshttp://www.slideshare.net/erickt86/secureapihttp://www.slideshare.net/lcobucci/jwt-to-authentication-and-beyond

Luís Otávio Cobucci Oblonczykhttps://github.com/lcobucci/jwthttps://github.com/Ocramius/PSR7Session

????

OBRIGADO!

Visite phpsp.org.br