Jonathan LeBlanc, profile picture
Uploaded byJonathan LeBlanc
3,898 views

Modern API Security with JSON Web Tokens

The document provides a comprehensive guide on modern API security using JSON Web Tokens (JWT), detailing their benefits over traditional authentication systems and the structure of JWT including its header, payload, and signature. It explains the differences between symmetric and asymmetric algorithms, and offers practical examples of generating, signing, and verifying JWTs. Additionally, it discusses preventing replay attacks and the integration of JWT with OAuth 2.0 for authentication and authorization purposes.

Technology
In this document
Powered by AI

Introduction and specifications of JSON Web Tokens (JWT). Presenter: Jonathan LeBlanc. Link to RFC 7519.

Benefits of JWT include stateless architecture, small footprint, and cross-language compatibility.

Comparison between traditional authentication systems and token-based systems.

Issues with traditional authentication include session storage, scalability concerns, CORS issues, and CSRF attacks.

Description of user login and token generation in token-based authentication systems.

Explanation of how JWTs work, including header, payload, signature, and sample JWT structure.

Details of a JWT header, including algorithms used and example of JWT header structure.

Comparison of HMAC SHA256 (symmetric key) and RSA SHA256 (asymmetric key) hashing algorithms.

Types of JWT claims: reserved, public, and private with examples of payload data.

Process of creating the JWT signature including encoding methods and secret key utilization.

Steps to generate public and private keys necessary for signing JWTs.

Asynchronous signing of JWTs with a private key using the jsonwebtoken library.

Process of verifying a signed JWT using a public key.

Important practices to secure JWTs including signature verification and key security.

Recommendations to prevent replay attacks in JWTs through claims.

Reference to the JWE specification with a link to RFC 7516.

Integration of JWTs with OAuth 2 and its benefits based on existing trust relationships.

Historical context of OAuth, OpenID and their relationships with authentication.

Overview of the JWT profile specific to OAuth 2.0 client authentication.

Comparison between JWT as an authentication protocol and OAuth as an authorization framework.

General flow of the OAuth 2 process from user sign-in to token exchange.

OAuth 2 access token request examples showcasing JWT assertion.

Key claims to validate in a JWT including required and optional claims, and signature verification.

Links to specifications and resources for JWT, JWE, and OAuth.

Acknowledgment of the audience and presenter contact details.

Embed presentation

Downloaded 223 times
Modern API Security with! JSON Web Tokens! Jonathan LeBlanc ! Twitter: @jcleblanc ! Book: http://bit.ly/iddatasecurity!
JSON Web Token (JWT) Specification! ! https://tools.ietf.org/html/rfc7519!
JWT Benefits! ! They’re self contained and help maintain a stateless architecture.! ! They maintain a small footprint and can be passed along easily. ! ! They work well across multiple programming languages.!
Traditional vs Token-Based Authentication Systems!
User logs in, server checks creds Session stored in sever, cookie created Send session data to access endpoints Traditional Authentication Systems
Issues with traditional systems! •  Sessions: Record needs to be stored on server ! •  Scalability: With sessions in memory, load increases drastically in a distributed system.! •  CORS: When using multiple devices grabbing data via AJAX requests, we may run into forbidden requests.! •  CSRF Attacks: Riding session data to send commands to server from a browser that is trusted via session.!
User logs in, server checks creds Token generated, store in localStorage Provide token in headers for all reqs Token-Based Authentication Systems
How JSON Web Tokens Work!
•  Header: Token type and hashing algorithm! •  Payload: User / verification content! •  Signature: Header, payload, and secret!
XXXXXXXX.YYYYYYYY.ZZZZZZZZ! What a Signed Token will Look Like!
Authorization: Bearer <token>! Transmission of a JWT via HTTP Headers!
JWT Header! ! alg: The hashing algorithm to be used.! ! typ: The token type. Should be JWT.!
var header_data = {! alg: 'RSA', ! typ: 'JWT' ! };! Example JWT Header!
Difference between HMAC SHA256 and RSA SHA256 hashing algorithms! ! HMAC SHA256: Symmetric key cryptography, single shared private key. Faster, good between trusted parties.! ! RSA SHA256: Asymmetric key cryptography, public / private keys. Slower, good between untrusted parties.!
JWT Payload (Claims)! ! Reserved: Predefined, recommended, interoperable terms. ! ! Public: Customs claims that may be set at will.! ! Private: Agreed upon claims between two parties.!
Reserved Claims! ! iss (issuer): The person that issued the token.! sub (subject) : The subject of the token.! aud (audience) : Audience the token is intended for.! exp (expiration time) : Expiration time of the token.! nbf (not before) : Starting time token is available.! iat (issued at) : When the token was issued.! jti (JWT ID) : Unique identifier for the token. ! !
var payload = {! sub: '4355676',! exp: '1481160294',! jti: '841112',! role: 'admin'! };! Example JWT Payload!
JWT Signature! ! Encoded Data: Base64 encoded header + payload! ! Secret: A private key.!
var header = {! alg: 'RSA', ! typ: 'JWT' ! };! ! var payload = {! sub: '4355676',! exp: '1481160294',! jti: '841112’! };! ! HMACSHA256(! base64UrlEncode(header) + "." +! base64UrlEncode(payload),! secret)! Creating a JWT signature!
// generate private key! openssl genrsa -out private.pem 2048! ! // generate public key! openssl rsa -in private.pem -outform PEM -pubout -out public.pem! Creating new public / private keys (minus password for testing)!
var fs = require('fs'), ! ursa = require('ursa');! ! // set up public / private keys! var key = ursa.generatePrivateKey(), ! privatepem = key.toPrivatePem(),! publicpem = key.toPublicPem();! ! // store keys in .pem files ! try {! fs.writeFileSync('private.pem', privatepem, 'ascii');! fs.writeFileSync('public.pem', publicpem, 'ascii');! } catch (err) {! console.error(err);! }! Writing new public / private keys to the file system!
var jwt = require('jsonwebtoken'),! fs = require('fs');! ! // get private key! var cert = fs.readFileSync('private.pem');! ! // sign asynchronously with RSA SHA256 ! jwt.sign({ foo: 'bar' }, cert, { algorithm: 'RS256' }, function(err, token) {! console.log(token);! });! Signing JSON Web Tokens !
eyJhbGciOiJSU0EiLCJ0eXAiOiJKV1QifQ.eyJzdWIiOiJ0b21Ac3Rvcm1wYXRoLmNvbSIsIm5hb WUiOiJUb20gQWJib3R0Iiwicm9sZSI6InVzZXIifQ.Yjc3YzdkZmQ4OTM1ZjA4MDM0OTdhOTkyMz ZhM2ZiZjZjNzVkZjIzOWJmMGM5YmU4MWZiYjY1MmY1YjRkNWY1ZA! Signed Token!
var jwt = require('jsonwebtoken'),! fs = require('fs');! ! //get public key ! cert = fs.readFileSync('public.pem'); ! ! // verify asynchronously with RSA SHA256! jwt.verify(token, cert, { algorithms: ['RS256'] }, function (err, payload) {! console.log(payload);! });! Verifying JSON Web Tokens!
Securing JWTs!
Securing JWTs! ! •  Verify signature before trusting data in the JWT.! •  Secure the secret key used for signing. Keys should only be accessible by the issuer and consumer.! •  Do not add sensitive data to the JWT. They are signed to protect against manipulation, not encrypted.!
Preventing Replay Attacks! ! To prevent replay attacks, include the following claims to the JWT payload:! ! •  jti (JWT ID): Random or pseudo-random nonce.! •  exp (expiration): Time the token expires.! •  iat (issued at): Time the token was issued. !
JSON Web Encryption (JWE) Specification! ! https://tools.ietf.org/html/rfc7516 !
Mixing JWTs with OAuth 2!
Benefits of the Specification! ! Existing Trust Relationships: If a site has an existing user relationship, that may be used.!
A Bit of History! ! OAuth, OpenID, authorization and authentication!
JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants! ! https://tools.ietf.org/pdf/rfc7523.pdf!
"JWT vs OAuth" is a comparison of apples and apple carts! ! JWT: Authentication protocol! OAuth: Distributed authorization framework !
User is forwarded to sign in, grant permissions Code is provided back in URI Request to exchange code for token How the OAuth 2 Process Generally Works Access Token is provided back
POST /token.oauth2 HTTP/1.1! Host: service.example.com! Content-Type: application/x-www-form-urlencoded! ! grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer! &assertion=eyJhbGciOiJFUzI1NiIsImtpZCI6IjE2In0.! eyJpc3Mi[...omitted for brevity...].! J9l-ZhwP[...omitted for brevity...]! Authorization Example OAuth 2 access token request with JWT!
POST /token.oauth2 HTTP/1.1! Host: service.example.com! Content-Type: application/x-www-form-urlencoded! ! grant_type=authorization_code&! code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4&! client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt- bearer! client_assertion=eyJhbGciOiJSUzI1NiIsImtpZCI6IjIyIn0.! eyJpc3Mi[...omitted for brevity...].! cC4hiUPo[...omitted for brevity...]! Authentication Example OAuth 2 access token request with JWT!
Validating the JWT! ! •  iss (required): Unique issuer identity claim.! •  sub (required): Identity the token subject! •  Authorization: ID of a valid delegate. ! •  Authentication: The OAuth 2 client ID.! •  aud (required): Identity of the authorization server, such as the URI endpoint. !
Validating the JWT! ! •  exp (required): Expiration to limit the time that the JWT can be used.! •  nbf (optional): Time before which token must not be accepted.! •  jti (optional): Uniquely identifies the token.! •  other claims (optional): Any other claims may be present.!
Validating the JWT! ! •  Digitally signed / Message Authentication Code: A valid signature / MAC must be present.! •  Valid JWT: Must conform to the makeup of a JWT.!
Links and More Information! •  Specifications: ! •  JWT: https://tools.ietf.org/html/rfc7519! •  JWT / OAuth2: https://tools.ietf.org/html/rfc7523! •  JSON Web Encryption: https://tools.ietf.org/html/ rfc7516! •  JWT Website: https://jwt.io/! •  jsonwebtoken NPM module: https://www.npmjs.com/package/ jsonwebtoken!
Thank You!! Slides: slideshare.net/jcleblanc! Jonathan LeBlanc ! Twitter: @jcleblanc ! Book: http://bit.ly/iddatasecurity!

More Related Content

PPTX
Json Web Token - JWT
byPrashant Walke
 
PDF
Using JSON Web Tokens for REST Authentication
byMediacurrent
 
PPTX
OAuth 2
byChrisWood262
 
PPTX
Pentesting jwt
byJaya Kumar Kondapalli
 
PDF
Introduction to JWT and How to integrate with Spring Security
byBruno Henrique Rother
 
PDF
Jwt Security
bySeid Yassin
 
PPTX
Understanding JWT Exploitation
byAkshaeyBhosale
 
PDF
[OPD 2019] Attacking JWT tokens
byOWASP
 
Json Web Token - JWT
byPrashant Walke
 
Using JSON Web Tokens for REST Authentication
byMediacurrent
 
OAuth 2
byChrisWood262
 
Pentesting jwt
byJaya Kumar Kondapalli
 
Introduction to JWT and How to integrate with Spring Security
byBruno Henrique Rother
 
Jwt Security
bySeid Yassin
 
Understanding JWT Exploitation
byAkshaeyBhosale
 
[OPD 2019] Attacking JWT tokens
byOWASP
 

What's hot

PPTX
Rest API Security
byStormpath
 
PDF
JSON Web Tokens
byIvan Rosolen
 
PDF
Json web token
byMayank Patel
 
PDF
Implementing OAuth
byleahculver
 
PDF
OAuth & OpenID Connect Deep Dive
byNordic APIs
 
PDF
OAuth 2.0
byUwe Friedrichsen
 
PDF
OAuth 2.0 and OpenID Connect
byJacob Combs
 
PPTX
OpenID Connect: An Overview
byPat Patterson
 
PPTX
An Introduction to OAuth2
byAaron Parecki
 
PPTX
Rest API Security - A quick understanding of Rest API Security
byMohammed Fazuluddin
 
PPTX
Intro to OAuth2 and OpenID Connect
byLiamWadman
 
ODP
Introduction to Swagger
byKnoldus Inc.
 
PDF
Swagger
byNexThoughts Technologies
 
PPT
OAuth 2.0 and OpenId Connect
bySaran Doraiswamy
 
PPTX
OpenId Connect Protocol
byMichael Furman
 
PPTX
What is Swagger?
byPhilip Senger
 
PDF
Http security response headers
bymohammadhosseinrouha
 
PDF
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
byMikhail Egorov
 
PDF
OpenID Connect Explained
byVladimir Dzhuvinov
 
PDF
HTTP Security Headers
byIsmael Goncalves
 
Rest API Security
byStormpath
 
JSON Web Tokens
byIvan Rosolen
 
Json web token
byMayank Patel
 
Implementing OAuth
byleahculver
 
OAuth & OpenID Connect Deep Dive
byNordic APIs
 
OAuth 2.0
byUwe Friedrichsen
 
OAuth 2.0 and OpenID Connect
byJacob Combs
 
OpenID Connect: An Overview
byPat Patterson
 
An Introduction to OAuth2
byAaron Parecki
 
Rest API Security - A quick understanding of Rest API Security
byMohammed Fazuluddin
 
Intro to OAuth2 and OpenID Connect
byLiamWadman
 
Introduction to Swagger
byKnoldus Inc.
 
Swagger
byNexThoughts Technologies
 
OAuth 2.0 and OpenId Connect
bySaran Doraiswamy
 
OpenId Connect Protocol
byMichael Furman
 
What is Swagger?
byPhilip Senger
 
Http security response headers
bymohammadhosseinrouha
 
AEM hacker - approaching Adobe Experience Manager webapps in bug bounty programs
byMikhail Egorov
 
OpenID Connect Explained
byVladimir Dzhuvinov
 
HTTP Security Headers
byIsmael Goncalves
 

Similar to Modern API Security with JSON Web Tokens

PPTX
3783daf0-8a4d-45ad-a2f3-2a787053f90e.pptx
byNicoleFalcao1
 
PDF
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
byiMasters
 
PDF
JSON WEB TOKEN
byKnoldus Inc.
 
PDF
Autenticação com Json Web Token (JWT)
byIvan Rosolen
 
PDF
Cracking JWT tokens: a tale of magic, Node.JS and parallel computing - Node.j...
byLuciano Mammino
 
PPTX
JWT_Presentation to show how jwt is better then session based authorization
bynathakash343
 
PDF
Cracking JWT tokens: a tale of magic, Node.js and parallel computing - Code E...
byLuciano Mammino
 
PPTX
Json web tokens
byElieHannouch
 
PDF
The Hacker's Guide to JWT Security
byPatrycja Wegrzynowicz
 
PDF
Jwt with flask slide deck - alan swenson
byJeffrey Clark
 
PDF
Jwt
byFrank Linehan
 
PDF
What the Heck is OAuth and OpenID Connect - DOSUG 2018
byMatt Raible
 
PDF
Json web token api authorization
byGiulio De Donato
 
PDF
The Hacker's Guide to JWT Security
byPatrycja Wegrzynowicz
 
PPTX
JsonWebTokens ppt - explains JWT, JWS , JWE Tokens
bynagarajapallafl
 
PDF
apidays LIVE Australia 2020 - WT* is JWT? by Maciej Treder
byapidays
 
PDF
apidays LIVE New York - WT* is JWT? by Maciej Treder
byapidays
 
PDF
apidays LIVE LONDON - WT* is JWT? by Maciej Treder
byapidays
 
PDF
apidays LIVE Hong Kong - WT* is JWT? by Maciej Treder
byapidays
 
PDF
apidays LIVE Paris - WT* is JWT? by Maciej Treder
byapidays
 
3783daf0-8a4d-45ad-a2f3-2a787053f90e.pptx
byNicoleFalcao1
 
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
byiMasters
 
JSON WEB TOKEN
byKnoldus Inc.
 
Autenticação com Json Web Token (JWT)
byIvan Rosolen
 
Cracking JWT tokens: a tale of magic, Node.JS and parallel computing - Node.j...
byLuciano Mammino
 
JWT_Presentation to show how jwt is better then session based authorization
bynathakash343
 
Cracking JWT tokens: a tale of magic, Node.js and parallel computing - Code E...
byLuciano Mammino
 
Json web tokens
byElieHannouch
 
The Hacker's Guide to JWT Security
byPatrycja Wegrzynowicz
 
Jwt with flask slide deck - alan swenson
byJeffrey Clark
 
Jwt
byFrank Linehan
 
What the Heck is OAuth and OpenID Connect - DOSUG 2018
byMatt Raible
 
Json web token api authorization
byGiulio De Donato
 
The Hacker's Guide to JWT Security
byPatrycja Wegrzynowicz
 
JsonWebTokens ppt - explains JWT, JWS , JWE Tokens
bynagarajapallafl
 
apidays LIVE Australia 2020 - WT* is JWT? by Maciej Treder
byapidays
 
apidays LIVE New York - WT* is JWT? by Maciej Treder
byapidays
 
apidays LIVE LONDON - WT* is JWT? by Maciej Treder
byapidays
 
apidays LIVE Hong Kong - WT* is JWT? by Maciej Treder
byapidays
 
apidays LIVE Paris - WT* is JWT? by Maciej Treder
byapidays
 

More from Jonathan LeBlanc

PDF
JavaScript App Security: Auth and Identity on the Client
byJonathan LeBlanc
 
PDF
Improving Developer Onboarding Through Intelligent Data Insights
byJonathan LeBlanc
 
PDF
Better Data with Machine Learning and Serverless
byJonathan LeBlanc
 
PPTX
Best Practices for Application Development with Box
byJonathan LeBlanc
 
PPTX
Box Platform Overview
byJonathan LeBlanc
 
PPTX
Box Platform Developer Workshop
byJonathan LeBlanc
 
PPTX
Modern Cloud Data Security Practices
byJonathan LeBlanc
 
PPTX
Box Authentication Types
byJonathan LeBlanc
 
PPTX
Understanding Box UI Elements
byJonathan LeBlanc
 
PPTX
Understanding Box applications, tokens, and scoping
byJonathan LeBlanc
 
PPTX
The Future of Online Money: Creating Secure Payments Globally
byJonathan LeBlanc
 
PPTX
Creating an In-Aisle Purchasing System from Scratch
byJonathan LeBlanc
 
PDF
Secure Payments Over Mixed Communication Media
byJonathan LeBlanc
 
PDF
Protecting the Future of Mobile Payments
byJonathan LeBlanc
 
PDF
Node.js Authentication and Data Security
byJonathan LeBlanc
 
PDF
PHP Identity and Data Security
byJonathan LeBlanc
 
PPTX
Secure Payments Over Mixed Communication Media
byJonathan LeBlanc
 
PDF
Protecting the Future of Mobile Payments
byJonathan LeBlanc
 
PPTX
Future of Identity, Data, and Wearable Security
byJonathan LeBlanc
 
PDF
Kill All Passwords
byJonathan LeBlanc
 
JavaScript App Security: Auth and Identity on the Client
byJonathan LeBlanc
 
Improving Developer Onboarding Through Intelligent Data Insights
byJonathan LeBlanc
 
Better Data with Machine Learning and Serverless
byJonathan LeBlanc
 
Best Practices for Application Development with Box
byJonathan LeBlanc
 
Box Platform Overview
byJonathan LeBlanc
 
Box Platform Developer Workshop
byJonathan LeBlanc
 
Modern Cloud Data Security Practices
byJonathan LeBlanc
 
Box Authentication Types
byJonathan LeBlanc
 
Understanding Box UI Elements
byJonathan LeBlanc
 
Understanding Box applications, tokens, and scoping
byJonathan LeBlanc
 
The Future of Online Money: Creating Secure Payments Globally
byJonathan LeBlanc
 
Creating an In-Aisle Purchasing System from Scratch
byJonathan LeBlanc
 
Secure Payments Over Mixed Communication Media
byJonathan LeBlanc
 
Protecting the Future of Mobile Payments
byJonathan LeBlanc
 
Node.js Authentication and Data Security
byJonathan LeBlanc
 
PHP Identity and Data Security
byJonathan LeBlanc
 
Secure Payments Over Mixed Communication Media
byJonathan LeBlanc
 
Protecting the Future of Mobile Payments
byJonathan LeBlanc
 
Future of Identity, Data, and Wearable Security
byJonathan LeBlanc
 
Kill All Passwords
byJonathan LeBlanc
 

Recently uploaded

PPTX
The power of Slack and MuleSoft | Bangalore MuleSoft Meetup #60
byshyamraj55
 
PPTX
Guardrails in Action - Ensuring Safe AI with Azure AI Content Safety.pptx
byUdaiappa Ramachandran
 
PDF
Supervised Machine Learning Approaches for Log-Based Anomaly Detection: A Cas...
byMohammed BEKKOUCHE
 
PDF
Lets Build a Serverless Function with Kiro
byChris Bingham
 
PDF
[BDD 2025 - Artificial Intelligence] AI for the Underdogs: Innovation for Sma...
byWintari Yasmin
 
PDF
DUBAI IT MODERNIZATION WITH AZURE MANAGED SERVICES.pdf
byLogicEra
 
PDF
[BDD 2025 - Mobile Development] Crafting Immersive UI with E2E and AGSL Shade...
byWintari Yasmin
 
PDF
[BDD 2025 - Full-Stack Development] PHP in AI Age: The Laravel Way. (Rizqy Hi...
byWintari Yasmin
 
PDF
Oracle MySQL HeatWave - Complete - Version 3
byLuca Bonesini
 
PDF
The Necessity of Digital Forensics, the Digital Forensics Process & Laborator...
bychrstnpetwinchester
 
PDF
[BDD 2025 - Full-Stack Development] Agentic AI Architecture: Redefining Syste...
byWintari Yasmin
 
PDF
Running Non-Cloud-Native Databases in Cloud-Native Environments_ Challenges a...
byAlkin Tezuysal
 
PDF
Integrating AI with Meaningful Human Collaboration
byCadabra Studio
 
PDF
The Evolving Role of the CEO in the Age of AI
byPipal Tree Services Executive Search Firm
 
PDF
Mastering Agentic Orchestration with UiPath Maestro | Hands on Workshop
byUiPathCommunity
 
PDF
Transforming Content Operations in the Age of AI
byEnterprise Knowledge
 
PDF
"DISC as GPS for team leaders: how to lead a team from storming to performing...
byFwdays
 
PDF
Dev Dives: Build smarter agents with UiPath Agent Builder
byUiPathCommunity
 
PPTX
Support, Monitoring, Continuous Improvement & Scaling Agentic Automation [3/3]
byUiPathCommunity
 
PDF
How Much Does It Cost to Build an eCommerce Website in 2025.pdf
byPixlogix Infotech
 
The power of Slack and MuleSoft | Bangalore MuleSoft Meetup #60
byshyamraj55
 
Guardrails in Action - Ensuring Safe AI with Azure AI Content Safety.pptx
byUdaiappa Ramachandran
 
Supervised Machine Learning Approaches for Log-Based Anomaly Detection: A Cas...
byMohammed BEKKOUCHE
 
Lets Build a Serverless Function with Kiro
byChris Bingham
 
[BDD 2025 - Artificial Intelligence] AI for the Underdogs: Innovation for Sma...
byWintari Yasmin
 
DUBAI IT MODERNIZATION WITH AZURE MANAGED SERVICES.pdf
byLogicEra
 
[BDD 2025 - Mobile Development] Crafting Immersive UI with E2E and AGSL Shade...
byWintari Yasmin
 
[BDD 2025 - Full-Stack Development] PHP in AI Age: The Laravel Way. (Rizqy Hi...
byWintari Yasmin
 
Oracle MySQL HeatWave - Complete - Version 3
byLuca Bonesini
 
The Necessity of Digital Forensics, the Digital Forensics Process & Laborator...
bychrstnpetwinchester
 
[BDD 2025 - Full-Stack Development] Agentic AI Architecture: Redefining Syste...
byWintari Yasmin
 
Running Non-Cloud-Native Databases in Cloud-Native Environments_ Challenges a...
byAlkin Tezuysal
 
Integrating AI with Meaningful Human Collaboration
byCadabra Studio
 
The Evolving Role of the CEO in the Age of AI
byPipal Tree Services Executive Search Firm
 
Mastering Agentic Orchestration with UiPath Maestro | Hands on Workshop
byUiPathCommunity
 
Transforming Content Operations in the Age of AI
byEnterprise Knowledge
 
"DISC as GPS for team leaders: how to lead a team from storming to performing...
byFwdays
 
Dev Dives: Build smarter agents with UiPath Agent Builder
byUiPathCommunity
 
Support, Monitoring, Continuous Improvement & Scaling Agentic Automation [3/3]
byUiPathCommunity
 
How Much Does It Cost to Build an eCommerce Website in 2025.pdf
byPixlogix Infotech
 

Modern API Security with JSON Web Tokens

  • 1.
    Modern API Securitywith! JSON Web Tokens! Jonathan LeBlanc ! Twitter: @jcleblanc ! Book: http://bit.ly/iddatasecurity!
  • 2.
    JSON Web Token(JWT) Specification! ! https://tools.ietf.org/html/rfc7519!
  • 3.
    JWT Benefits! ! They’re selfcontained and help maintain a stateless architecture.! ! They maintain a small footprint and can be passed along easily. ! ! They work well across multiple programming languages.!
  • 4.
  • 5.
    User logs in,server checks creds Session stored in sever, cookie created Send session data to access endpoints Traditional Authentication Systems
  • 6.
    Issues with traditionalsystems! •  Sessions: Record needs to be stored on server ! •  Scalability: With sessions in memory, load increases drastically in a distributed system.! •  CORS: When using multiple devices grabbing data via AJAX requests, we may run into forbidden requests.! •  CSRF Attacks: Riding session data to send commands to server from a browser that is trusted via session.!
  • 7.
    User logs in,server checks creds Token generated, store in localStorage Provide token in headers for all reqs Token-Based Authentication Systems
  • 8.
    How JSON WebTokens Work!
  • 9.
    •  Header: Tokentype and hashing algorithm! •  Payload: User / verification content! •  Signature: Header, payload, and secret!
  • 10.
  • 11.
  • 12.
    JWT Header! ! alg: Thehashing algorithm to be used.! ! typ: The token type. Should be JWT.!
  • 13.
    var header_data ={! alg: 'RSA', ! typ: 'JWT' ! };! Example JWT Header!
  • 14.
    Difference between HMACSHA256 and RSA SHA256 hashing algorithms! ! HMAC SHA256: Symmetric key cryptography, single shared private key. Faster, good between trusted parties.! ! RSA SHA256: Asymmetric key cryptography, public / private keys. Slower, good between untrusted parties.!
  • 15.
    JWT Payload (Claims)! ! Reserved:Predefined, recommended, interoperable terms. ! ! Public: Customs claims that may be set at will.! ! Private: Agreed upon claims between two parties.!
  • 16.
    Reserved Claims! ! iss (issuer):The person that issued the token.! sub (subject) : The subject of the token.! aud (audience) : Audience the token is intended for.! exp (expiration time) : Expiration time of the token.! nbf (not before) : Starting time token is available.! iat (issued at) : When the token was issued.! jti (JWT ID) : Unique identifier for the token. ! !
  • 17.
    var payload ={! sub: '4355676',! exp: '1481160294',! jti: '841112',! role: 'admin'! };! Example JWT Payload!
  • 18.
    JWT Signature! ! Encoded Data:Base64 encoded header + payload! ! Secret: A private key.!
  • 19.
    var header ={! alg: 'RSA', ! typ: 'JWT' ! };! ! var payload = {! sub: '4355676',! exp: '1481160294',! jti: '841112’! };! ! HMACSHA256(! base64UrlEncode(header) + "." +! base64UrlEncode(payload),! secret)! Creating a JWT signature!
  • 20.
    // generate privatekey! openssl genrsa -out private.pem 2048! ! // generate public key! openssl rsa -in private.pem -outform PEM -pubout -out public.pem! Creating new public / private keys (minus password for testing)!
  • 21.
    var fs =require('fs'), ! ursa = require('ursa');! ! // set up public / private keys! var key = ursa.generatePrivateKey(), ! privatepem = key.toPrivatePem(),! publicpem = key.toPublicPem();! ! // store keys in .pem files ! try {! fs.writeFileSync('private.pem', privatepem, 'ascii');! fs.writeFileSync('public.pem', publicpem, 'ascii');! } catch (err) {! console.error(err);! }! Writing new public / private keys to the file system!
  • 22.
    var jwt =require('jsonwebtoken'),! fs = require('fs');! ! // get private key! var cert = fs.readFileSync('private.pem');! ! // sign asynchronously with RSA SHA256 ! jwt.sign({ foo: 'bar' }, cert, { algorithm: 'RS256' }, function(err, token) {! console.log(token);! });! Signing JSON Web Tokens !
  • 23.
  • 24.
    var jwt =require('jsonwebtoken'),! fs = require('fs');! ! //get public key ! cert = fs.readFileSync('public.pem'); ! ! // verify asynchronously with RSA SHA256! jwt.verify(token, cert, { algorithms: ['RS256'] }, function (err, payload) {! console.log(payload);! });! Verifying JSON Web Tokens!
  • 25.
  • 26.
    Securing JWTs! ! •  Verifysignature before trusting data in the JWT.! •  Secure the secret key used for signing. Keys should only be accessible by the issuer and consumer.! •  Do not add sensitive data to the JWT. They are signed to protect against manipulation, not encrypted.!
  • 27.
    Preventing Replay Attacks! ! Toprevent replay attacks, include the following claims to the JWT payload:! ! •  jti (JWT ID): Random or pseudo-random nonce.! •  exp (expiration): Time the token expires.! •  iat (issued at): Time the token was issued. !
  • 28.
    JSON Web Encryption(JWE) Specification! ! https://tools.ietf.org/html/rfc7516 !
  • 29.
  • 30.
    Benefits of theSpecification! ! Existing Trust Relationships: If a site has an existing user relationship, that may be used.!
  • 31.
    A Bit ofHistory! ! OAuth, OpenID, authorization and authentication!
  • 32.
    JSON Web Token(JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants! ! https://tools.ietf.org/pdf/rfc7523.pdf!
  • 33.
    "JWT vs OAuth"is a comparison of apples and apple carts! ! JWT: Authentication protocol! OAuth: Distributed authorization framework !
  • 34.
    User is forwardedto sign in, grant permissions Code is provided back in URI Request to exchange code for token How the OAuth 2 Process Generally Works Access Token is provided back
  • 35.
    POST /token.oauth2 HTTP/1.1! Host:service.example.com! Content-Type: application/x-www-form-urlencoded! ! grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer! &assertion=eyJhbGciOiJFUzI1NiIsImtpZCI6IjE2In0.! eyJpc3Mi[...omitted for brevity...].! J9l-ZhwP[...omitted for brevity...]! Authorization Example OAuth 2 access token request with JWT!
  • 36.
    POST /token.oauth2 HTTP/1.1! Host:service.example.com! Content-Type: application/x-www-form-urlencoded! ! grant_type=authorization_code&! code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4&! client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt- bearer! client_assertion=eyJhbGciOiJSUzI1NiIsImtpZCI6IjIyIn0.! eyJpc3Mi[...omitted for brevity...].! cC4hiUPo[...omitted for brevity...]! Authentication Example OAuth 2 access token request with JWT!
  • 37.
    Validating the JWT! ! • iss (required): Unique issuer identity claim.! •  sub (required): Identity the token subject! •  Authorization: ID of a valid delegate. ! •  Authentication: The OAuth 2 client ID.! •  aud (required): Identity of the authorization server, such as the URI endpoint. !
  • 38.
    Validating the JWT! ! • exp (required): Expiration to limit the time that the JWT can be used.! •  nbf (optional): Time before which token must not be accepted.! •  jti (optional): Uniquely identifies the token.! •  other claims (optional): Any other claims may be present.!
  • 39.
    Validating the JWT! ! • Digitally signed / Message Authentication Code: A valid signature / MAC must be present.! •  Valid JWT: Must conform to the makeup of a JWT.!
  • 40.
    Links and MoreInformation! •  Specifications: ! •  JWT: https://tools.ietf.org/html/rfc7519! •  JWT / OAuth2: https://tools.ietf.org/html/rfc7523! •  JSON Web Encryption: https://tools.ietf.org/html/ rfc7516! •  JWT Website: https://jwt.io/! •  jsonwebtoken NPM module: https://www.npmjs.com/package/ jsonwebtoken!
  • 41.
    Thank You!! Slides: slideshare.net/jcleblanc! JonathanLeBlanc ! Twitter: @jcleblanc ! Book: http://bit.ly/iddatasecurity!