Autenticação com Json Web Token (JWT)
8 likes2,426 views
Ivan Rosolen is an expert in information systems and project management, with over 15 years of experience in development, focusing on JSON Web Tokens (JWT) for authentication and authorization. The document details aspects of JWT, including its structure, advantages, security considerations, and how it facilitates stateless authentication. It also includes code references, usage examples, and numerous resources for further learning on JWT and related technologies.
Autenticação com Json Web Token (JWT)
- 2. Ivan Rosolen Graduado em Sistemas de Informação Pós-graduado em Gerência de Projetos Desenvolvedor a 15+ anos Autor de vários PHPT (testes para o PHP) Entusiasta de novas tecnologias Head of Innovation @ Arizona CTO @ Mokation
- 3. @ivanrosolen
- 5. - Form Request Post/Get - OAuth - Key/Hash - Credenciais em plain text - Session Cookies
- 6. - Data is stored in plain text on the server - Filesystem read/write requests - Distributed/clustered applications - Redis/Sticky sessions
- 7. API
- 8. - Stateless authentication (simplifies horizontal scaling) - Prevent (mitigate) Cross-Site Request Forgery (CSRF) attacks. - Security (https) - Authorization: Bearer
- 9. - Authentication vs. Authorization - 401 unauthorized / 403 forbidden - JWT != ACL
- 10. JOSE
- 11. - JWT - JWS - JWA - JWK - JWE JSON Object Signing and Encryption
- 12. Advantages
- 13. - JSON Web Tokens work across different programming languages - JWTs are self-contained - JWTs can be passed around easily and secure - Better control like “one time token” to forgot password, confirm user, request rates, access, etc. - One token to rule them all (Stateless)
- 14. Anatomy
- 17. Claims - iss: The issuer of the token - sub: The subject of the token - aud: The audience of the token - exp: This will probably be the registered claim most often used. This will define the expiration in NumericDate value. The expiration MUST be after the current date/time. - nbf: Defines the time before which the JWT MUST NOT be accepted for processing - iat: The time the JWT was issued. Can be used to determine the age of the JWT - jti: Unique identifier for the JWT. Can be used to prevent the JWT from being replayed. This is helpful for a one time use token. http://www.slideshare.net/lcobucci/jwt-to-authentication-and-beyond
- 18. Payload / Claims { "iss": "ivanrosolen.com", "exp": 1300819380, "name": "Ivan Rosolen", "admin": true }
- 20. JWS - header - claims payload base64(header) . base64(claims)
- 21. JWA - secret (hmac sha256, rsa256 ....) - encrypt payload with key ‘Xuplau’
- 22. Signature var encodedString = base64UrlEncode(header) + "." + base64UrlEncode(payload); HMACSHA256(encodedString, 'Xuplau');
- 24. Warning!
- 25. Code
- 28. Github - Session - JWT - JOSE
- 29. DEMO
- 30. Refs
- 31. Github https://github.com/ivanrosolen/crud-demo JWT https://github.com/dwyl/learn-json-web-tokens http://jwt.io https://developer.atlassian.com/static/connect/docs/latest/concepts/understanding-jwt.html http://stackoverflow.com/questions/20588467/how-to-do-stateless-session-less-cookie-less-authentication Talks http://www.slideshare.net/erickt86/secureapi http://www.slideshare.net/lcobucci/jwt-to-authentication-and-beyond Luís Otávio Cobucci Oblonczyk https://github.com/lcobucci/jwt https://github.com/Ocramius/PSR7Session
- 32. ????