
JSON Web Tokens

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwOi8vbWF0dGhpYXNsaWVuYXUuZGUiLCJzdWIiOiJtYXR0aGlhc0BtbGllbmF1LmRlIiwibmJmIjoxNDM0NDg3MTcxLCJleHAiOjE0MzQ0OTA3NzEsImlhdCI6MTQzNDQ4NzE3MSwianRpIjoiaWQxMjM0NTYifQ.6EvmzqDobXY5fBFQ0z43Zj7wy_eMNIx6bFETCKSAQeQ

BTW: Don't mix up auth identifying techniques (sessions, tokens) and transport mechanisms (headers, cookies)!

JWT: JSON Web Token

IETF: RFC 7519

Using JWT with node.js and AngularJS

Steps:

  • Client: Send authentication information
  • API: Authenticate user and generate JWT
  • Client: Retrieve token from server and store it
  • Client: Re-send token for named resources
  • Server: Validate token and grant access

Token Based Auth?

Web Tokens...

  • are pieces of information exchanged on requests
  • as header field or query parameter
  • typically used for authentication / authorization purposes
  • are transferred with every request where access to a resource has to be authenticated
  • well known from e.g. OAuth/OAuth2
  • Benefits: CORS, easier integration with (mobile) SPA, well suited for SSO, no CSRF (no Cookies)...
  • may be seen as a "ticket" or "voucher"

Why JWT?

  • based on IETF standards
  • based on well-known formats and algorithms
  • relatively easy to understand
  • you don't have to rely on "sessions" (stores)
  • already widely used in production (SaaS...)
  • used by Google, Microsoft, Facebook...
  • lots of libs available for almost every language and flavour

Resources

  • Intro: http://en.wikipedia.org/wiki/JSON_Web_Token
  • RFC JWT: http://tools.ietf.org/html/rfc7519
  • RFC JWS: http://tools.ietf.org/html/rfc7515
  • Test service and resources (by Auth0): jws.io
  • Tutorial: https://auth0.com/blog/2014/01/07/angularjs-authentication-with-cookies-vs-token/

Let's have a look at some code...

// header
{
  "alg": "HS256", // denotes the algorithm used for the signature is HMAC SHA-256
  "typ": "JWT"    // denotes the type of token this is
}

// claims (payload)
{
  "iss": "http://matthiaslienau.de", // registered claims...
  "sub": "matthias@mlienau.de",
  "nbf": 1434486979,
  "exp": 1434490579,
  "iat": 1434486979,
  "jti": "id123456",
  "role": "user" // example of custom field
}

Q&A?

Menu

  • What are Web Tokens?
  • JSON Web Tokens: What and why is that?
  • Example: Integration with AngularJS and node.js
  • Resources / Q&A

JSON Web Tokens?

  • pronounced "jot"
  • open standard since 2014/2015 (RFC 7519)
  • used to pass claims between parties in web application environments (RFC: "...passing identities of authenticated users between service identifier and identity provider")
  • based on JSON, compact, URL-safe ("web-safe")
  • self-contained "claims" which hold e.g. user info
  • uses other standards like JWS for signing and encryption purposes
  • consists of header, payload and signature

More JSON standards: JWS / JWA / JWE

  • JWS: JSON Web Signature
    • JSON content digitally signed or MACed (Message Authentication Code)
  • JWE: JSON Web Encryption
    • specifies encryption capabilities
  • JWA: JSON Web Algorithms
    • specifies cryptographic capabilities

Thank you!


About me...

Matthias Lienau

JavaScript/node.js, PHP, python, Java, HTML5, CSS3, you name it...

Web Developer since 1997

currently working as a freelancer for e.g. G+J

http://matthiaslienau.de

matthias@mlienau.de

@atufkas

Token Based Authentication with JWT / JWS

HH.js Meetup 2015/15/06 @ Google HH - Matthias Lienau
