Using JSON Web Tokens for REST Authentication

By: Edward Chan

Transcript of Using JSON Web Tokens for REST Authentication

Introduction

Edward Chan, Drupal Developer

@edwardchiapet
linkedin.com/in/edwardchan1350
drupal.org/u/edwardchiapet
github.com/edwardchan

Edward is an NYC-based Drupal Developer at Mediacurrent. He started working with Drupal in 2012 and has experience building Drupal sites in D6/7/8. He recently became interested in decoupled architecture and has experience building and using Drupal as a backend service. He maintains the Quill and Autocomplete Deluxe modules.

About

Mediacurrent helps organizations build highly impactful, elegantly designed Drupal websites that achieve the strategic results they need.

● Single-source provider
● Specializing in Drupal since 2007
● Headquartered in Atlanta, GA
● Team of 70+ Drupal Experts including development, design and strategy
● Clients include: Large Enterprise and high-profile global brands

Agenda

1. Introduction to JSON Web Tokens (JWT)
2. How It Works
3. Authenticating REST in Drupal
4. Comparing JWTs with other methods

JSON Web Tokens in Decoupled Architecture

● Separation of concerns
● True statelessness
● Flexibility

1. Introduction to JSON Web Tokens (JWT)

What is JSON Web Token (JWT)?

“JSON Web Tokens are an open, industry standard RFC 7519 method that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA...”

- https://jwt.io/introduction

● Simply a string in the format of header.payload.signature
● A means of representing claims to be transferred between two parties.
● Intended for space-constrained environments such as HTTP Authorization headers and URI query parameters.
● Digitally-signed - information is verified and trusted.

● A JWT is either a JSON Web Signature (JWS) or a JSON Web Encryption (JWE).
● The “claims” in a JWT are encoded as a JSON object that is digitally-signed using JWS and/or encrypted using JWE.
● JWS is used in most cases.
● The suggested/formal pronunciation of JWT is “jot”.

JSON Web Token Structure

Header.Payload.Signature

JSON Web Token Structure - Header

● Contains information about how the JWT should be computed.
● Typically contains:
  ○ “typ” - type of the token (“JWT”)
  ○ “alg” - the algorithm used to sign or encrypt the JWT, such as HMAC SHA256 or RSA

JSON Web Token Structure - Payload

● Contains the “claims set”: the information we want to transmit, plus other information about the token.
● Types of claims:
  ○ Reserved - predefined claims that are recommended.
  ○ Public - claims that we create ourselves.
  ○ Private - custom claims that are usually more specific to the application you’re connecting to.
● A list of predefined claims can be found in the IANA JSON Web Token Registry (https://www.iana.org/assignments/jwt/jwt.xhtml).

Some reserved claim names:

exp - Expiration time
iss - Token issuer
iat - Time the JWT was issued
nbf - Not before

JSON Web Token Structure - Signature

● Used to verify that the sender of the JWT is legitimate and to ensure that the message was not changed or altered along the way.
● Value is generated by hashing the following using the signing algorithm specified in the “header”:
  ○ base64UrlEncode(header) + “.” + base64UrlEncode(payload)
  ○ a “secret” (held by the server and used to verify existing tokens and sign new ones)

Example of generating the signature using HMAC SHA256:

var encodedHeader = base64UrlEncode(header);
var encodedPayload = base64UrlEncode(payload);
var signature = base64UrlEncode(HMACSHA256(encodedHeader + "." + encodedPayload, secret));
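The pseudocode above carried through as a working HS256 signer and verifier, with the reserved "exp" and "nbf" claims from the payload slide checked on the way in. This is an added example, not code from the slides or from the Drupal JWT module; the function names and the demo secret are my own, and the verifier pins the algorithm to HS256 rather than trusting the token's "alg" header.

```python
import base64, hashlib, hmac, json


def b64url(data: bytes) -> str:
    # JWS uses base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature the way the slide's pseudocode describes."""
    header = {"typ": "JWT", "alg": "HS256"}
    encoded_header = b64url(json.dumps(header, separators=(",", ":")).encode())
    encoded_payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{encoded_header}.{encoded_payload}".encode()
    signature = b64url(hmac.new(secret, signing_input, hashlib.sha256).digest())
    return f"{encoded_header}.{encoded_payload}.{signature}"


def verify_hs256(token: str, secret: bytes, now: int) -> dict:
    """Return the claims if signature, exp and nbf check out; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    encoded_header, encoded_payload, signature = parts
    header = json.loads(b64url_decode(encoded_header))
    # The server decides the algorithm; a token asking for another one is rejected.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{encoded_header}.{encoded_payload}".encode()
    expected = b64url(hmac.new(secret, signing_input, hashlib.sha256).digest())
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(encoded_payload))
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    return claims


def unverified_claims(token: str) -> dict:
    """The payload is only base64url-encoded: anyone holding the token can read it."""
    return json.loads(b64url_decode(token.split(".")[1]))
```

Note that `unverified_claims` needs no secret at all, which is the point behind "a signed JWT does not hide or obscure data": put nothing in the payload you would not hand to the client in plain text.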

JSON Web Signature (JWS) Compact Serialization

(Diagram: encoded header . encoded payload . signature. Image source: “JWT” Handbook by Sebastián Peyrott)

2. How It Works

Authentication Process (the bouncer analogy)

● Bouncer with a guest list (server and a database)
● Yourself and your ID (username and password)
● Identity verified! (login credentials valid)
● Wristband (JWT)
● Bar (Resource server)
● Consume API Resources
● JWT expires (“exp”)

Image source: https://jwt.io/introduction/

How does JWT protect our data?

● Used to verify the authenticity of the source that sent the data.
● Short expiry times.
● Retrieving a new JWT requires a valid refresh token.
● A signed JWT does not hide or obscure data in any way.

3. Using JWTs to Authenticate REST in Drupal

“JSON Web Token Authentication (JWT)” module

● https://www.drupal.org/project/jwt
● Depends on the “Key” module to manage secret keys.
● “JWT Authentication Issuer” - provides an endpoint to issue JWTs.
● “JWT Authentication Consumer” - authenticates JWTs generated by “JWT Authentication Issuer”.
● Provides 3 events for event subscribers:
  ○ VALIDATE - allows for custom validations for a JWT.
  ○ VALID - fires after a token has been validated. Subscribers can create new users based on the payload, if necessary.
  ○ GENERATE - fires before a new JWT is encoded. Subscribers can add claims to the JWT before it is given to the client.

https://www.mediacurrent.com/blog/using-json-web-tokens-jwt-authenticate-endpoints

JWT Debugger

● Allows you to see the content of a JWT - including the claims in the payload.
● You can verify the validity of the token with a secret.
● Chrome extension!

4. Comparing JWTs with other methods

Cookie-based Authentication

JWT advantages

● Stateless
● Scalability
● Digitally-signed
● Performance
● CORS/CSRF
● Mobile-ready
● Decoupled/Decentralized

JWT drawbacks

● Size of token
● Token revocation
● Single-Page Applications

Thank you!

@Mediacurrent | Mediacurrent.com
slideshare.net/mediacurrent

https://jwt.io/
https://www.drupal.org/project/jwt
https://www.mediacurrent.com/blog/using-json-web-tokens-jwt-authenticate-endpoints