Download as PDF, PPTX
Uploaded byIvan Rosolen
Autenticação com Json Web Token (JWT)
Ivan Rosolen is an expert in information systems and project management, with over 15 years of experience in development, focusing on JSON Web Tokens (JWT) for authentication and authorization. The document details aspects of JWT, including its structure, advantages, security considerations, and how it facilitates stateless authentication. It also includes code references, usage examples, and numerous resources for further learning on JWT and related technologies.
Autenticação com Json Web Token (JWT)
- 1.
- 2. Ivan Rosolen Graduado emSistemas de Informação Pós-graduado em Gerência de Projetos Desenvolvedor a 15+ anos Autor de vários PHPT (testes para o PHP) Entusiasta de novas tecnologias Head of Innovation @ Arizona CTO @ Mokation
- 3.
- 4.
- 5. - Form RequestPost/Get - OAuth - Key/Hash - Credenciais em plain text - Session Cookies
- 6. - Data isstored in plain text on the server - Filesystem read/write requests - Distributed/clustered applications - Redis/Sticky sessions
- 7.
- 8. - Stateless authentication(simplifies horizontal scaling) - Prevent (mitigate) Cross-Site Request Forgery (CSRF) attacks. - Security (https) - Authorization: Bearer
- 9. - Authentication vs.Authorization - 401 unauthorized / 403 forbidden - JWT != ACL
- 10.
- 11. - JWT - JWS -JWA - JWK - JWE JSON Object Signing and Encryption
- 12.
- 13. - JSON WebTokens work across different programming languages - JWTs are self-contained - JWTs can be passed around easily and secure - Better control like “one time token” to forgot password, confirm user, request rates, access, etc. - One token to rule them all (Stateless)
- 14.
- 15.
- 16.
- 17. Claims - iss: Theissuer of the token - sub: The subject of the token - aud: The audience of the token - exp: This will probably be the registered claim most often used. This will define the expiration in NumericDate value. The expiration MUST be after the current date/time. - nbf: Defines the time before which the JWT MUST NOT be accepted for processing - iat: The time the JWT was issued. Can be used to determine the age of the JWT - jti: Unique identifier for the JWT. Can be used to prevent the JWT from being replayed. This is helpful for a one time use token. http://www.slideshare.net/lcobucci/jwt-to-authentication-and-beyond
- 18. Payload / Claims { "iss":"ivanrosolen.com", "exp": 1300819380, "name": "Ivan Rosolen", "admin": true }
- 19.
- 20. JWS - header - claims payload base64(header). base64(claims)
- 21. JWA - secret (hmacsha256, rsa256 ....) - encrypt payload with key ‘Xuplau’
- 22. Signature var encodedString =base64UrlEncode(header) + "." + base64UrlEncode(payload); HMACSHA256(encodedString, 'Xuplau');
- 23.
- 24.
- 25.
- 28.
- 29.
- 30.
- 31. Github https://github.com/ivanrosolen/crud-demo JWT https://github.com/dwyl/learn-json-web-tokens http://jwt.io https://developer.atlassian.com/static/connect/docs/latest/concepts/understanding-jwt.html http://stackoverflow.com/questions/20588467/how-to-do-stateless-session-less-cookie-less-authentication Talks http://www.slideshare.net/erickt86/secureapi http://www.slideshare.net/lcobucci/jwt-to-authentication-and-beyond Luís Otávio CobucciOblonczyk https://github.com/lcobucci/jwt https://github.com/Ocramius/PSR7Session
- 32.
- 33.