Using JSON Web Tokens for REST Authentication
By: Edward Chan
Introduction
Edward Chan, Drupal Developer
@edwardchiapet
linkedin.com/in/edwardchan1350
drupal.org/u/edwardchiapet
github.com/edwardchan
Edward is an NYC-based Drupal Developer at Mediacurrent. He started working with Drupal in 2012 and has experience building Drupal sites in D6/7/8. He just recently became interested in decoupled architecture and has experience building and using Drupal as a backend service. He maintains the Quill and Autocomplete Deluxe modules.
About
Mediacurrent helps organizations build highly impactful, elegantly designed Drupal websites that achieve the strategic results they need.
● Single-source provider
● Specializing in Drupal since 2007
● Headquartered in Atlanta, GA
● Team of 70+ Drupal Experts including development, design and strategy
● Clients include: Large Enterprise and high-profile global brands
Agenda
1. Introduction to JSON Web Tokens (JWT)
2. How It Works
3. Authenticating REST in Drupal
4. Comparing JWTs with other methods
JSON Web Tokens in Decoupled Architecture
● Separation of concerns
● True statelessness
● Flexibility
1. Introduction to JSON Web Tokens (JWT)
What is JSON Web Token (JWT)?
“JSON Web Tokens are an open, industry standard RFC 7519 method that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA...”
- https://jwt.io/introduction
What is JSON Web Token (JWT)?
● Simply a string in the format header.payload.signature.
● A means of representing claims to be transferred between two parties.
● Intended for space-constrained environments such as HTTP Authorization headers and URI query parameters.
● Digitally signed, so the information can be verified and trusted.
What is JSON Web Token (JWT)?
● A JWT is a type of either JSON Web Signature (JWS) or JSON Web Encryption (JWE).
● The “claims” in a JWT are encoded as a JSON object that is digitally signed using JWS and/or encrypted using JWE.
● JWS is used in most cases.
● The suggested/formal pronunciation of JWT is “jot”.
JSON Web Token Structure
Header . Payload . Signature
JSON Web Token Structure - Header
● Contains information about how the JWT should be computed.
● Typically contains:
○ “typ” - type of the token (“JWT”)
○ “alg” - the signing algorithm used to sign or encrypt the JWT, such as HMAC SHA256 or RSA
● Example: (header JSON shown as an image on the original slide)
JSON Web Token Structure - Payload
● Contains the “claims set”, which is the information we want to transmit plus other information about the token.
● Types of claims:
○ Reserved - predefined claims that are recommended.
○ Public - claims that we create ourselves.
○ Private - custom claims that are usually more specific to the application you’re connecting to.
● A list of predefined claims can be found in the IANA JSON Web Token Registry (https://www.iana.org/assignments/jwt/jwt.xhtml).
JSON Web Token Structure - Payload
Some reserved claim names:
exp - Expiration time
iss - Token issuer
iat - Time the JWT was issued
nbf - Not before
JSON Web Token Structure - Signature
● Used to verify that the sender of the JWT is legitimate and to ensure that the message was not altered along the way.
● The value is generated by hashing the following with the signing algorithm specified in the “header”:
○ base64UrlEncode(header) + “.” + base64UrlEncode(payload)
○ a “secret” (held by the server, used to verify existing tokens and sign new ones)
JSON Web Token Structure - Signature
Example of generating the signature using HMAC SHA256:
// header and payload are the JSON objects from the previous slides
var encodedHeader = base64UrlEncode(header);
var encodedPayload = base64UrlEncode(payload);
// the MAC covers both encoded parts joined by "."; the secret never leaves the server
var signature = base64UrlEncode(HMACSHA256(encodedHeader + "." + encodedPayload, secret));
JSON Web Signature (JWS) Compact Serialization
(Diagram showing the encoded header, encoded payload and signature joined into the compact form; image source: “JWT” Handbook by Sebastián Peyrott)
2. How It Works
Authentication Process, as a bar analogy:
● Bouncer with a guest list (server and a database)
● Yourself and your ID (username and password)
● Identity verified! (login credentials valid)
● Wristband (JWT)
● Bar (Resource server)
● Consume API Resources
● JWT expires (“exp”)
Image source: https://jwt.io/introduction/
How does JWT protect our data?
● Used to verify the authenticity of the source that sent the data.
● Short expiry times.
● Retrieving a new JWT requires a valid refresh token.
● A signed JWT does not hide or obscure data in any way.
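As an added example (not code from the slides, the Drupal JWT module, or jwt.io), the Python script below implements the header.payload.signature construction from the signature slide and the checks the resource server ("the bar") runs on each request in the authentication flow above: it pins the expected algorithm instead of trusting the token's "alg", verifies the HMAC-SHA256 signature in constant time, and enforces the reserved exp and nbf claims. The secret, issuer name, subject and timestamps are constructed demo values. It also shows the last point above in code: the payload of a signed token is readable by anyone holding it, with no secret needed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret. A real issuer loads this from a key store (the
# Drupal module on the slides delegates that to the "Key" module).
SECRET = b"demo-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    """base64UrlEncode as used by JWS compact serialization: URL-safe alphabet, no '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Issue an HS256 token: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = {"typ": "JWT", "alg": "HS256"}
    encoded_header = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    encoded_payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{encoded_header}.{encoded_payload}".encode()
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{encoded_header}.{encoded_payload}.{b64url_encode(signature)}"


def verify_jwt(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Checks the resource server performs before serving; raises ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    encoded_header, encoded_payload, encoded_signature = parts

    # Pin the algorithm the server expects instead of trusting the token's "alg".
    header = json.loads(b64url_decode(encoded_header))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")

    signing_input = f"{encoded_header}.{encoded_payload}".encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison: a plain '==' on bytes can leak timing information.
    if not hmac.compare_digest(expected, b64url_decode(encoded_signature)):
        raise ValueError("bad signature")

    claims = json.loads(b64url_decode(encoded_payload))
    # Reserved time claims from the payload slide bound the token's lifetime.
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    return claims


def verification_error(token: str, secret: bytes, now: float) -> Optional[str]:
    """The failure reason as a string, or None when the token is valid."""
    try:
        verify_jwt(token, secret, now)
        return None
    except ValueError as err:
        return str(err)


def read_payload_unverified(token: str) -> dict:
    """A signed JWT hides nothing: the claims are readable without the secret."""
    return json.loads(b64url_decode(token.split(".")[1]))


def with_modified_claim(token: str, name: str, value) -> str:
    """Rewrite one claim but keep the original signature, as a tampered token would look."""
    encoded_header, encoded_payload, encoded_signature = token.split(".")
    claims = json.loads(b64url_decode(encoded_payload))
    claims[name] = value
    encoded_payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{encoded_header}.{encoded_payload}.{encoded_signature}"


if __name__ == "__main__":
    issued = 1_700_000_000  # constructed timestamp so the demo is reproducible
    token = sign_jwt({"iss": "demo-issuer", "sub": "42", "iat": issued, "exp": issued + 300}, SECRET)
    print("token:", token)
    print("valid now:", verification_error(token, SECRET, issued + 10))
    print("after expiry:", verification_error(token, SECRET, issued + 301))
    print("tampered:", verification_error(with_modified_claim(token, "sub", "1"), SECRET, issued + 10))
    print("readable without secret:", read_payload_unverified(token))
```

Run it directly to see a token issued, accepted while fresh, rejected after exp, and rejected when a claim is changed without re-signing. The verifier deliberately does not let the token choose the algorithm: the server knows which key and algorithm it issued with, and that is the only combination it should accept.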
3. Using JWTs to Authenticate REST in Drupal
“JSON Web Token Authentication (JWT)” module
● https://www.drupal.org/project/jwt
● Depends on the “Key” module to manage secret keys.
● “JWT Authentication Issuer” - provides an endpoint to issue JWTs.
● “JWT Authentication Consumer” - authenticates JWTs generated by “JWT Authentication Issuer”.
● Provides 3 events for event subscribers:
○ VALIDATE - allows for custom validations for a JWT.
○ VALID - fires after a token has been validated. Subscribers can create new users based on the payload, if necessary.
○ GENERATE - fires before a new JWT is encoded. Subscribers can add claims to the JWT before it is given to the client.
“JSON Web Token Authentication (JWT)” module
More details: https://www.mediacurrent.com/blog/using-json-web-tokens-jwt-authenticate-endpoints
JWT Debugger
● Allows you to see the content of a JWT, including the claims in the payload.
● You can verify the validity of the token with a secret.
● Chrome extension!
4. Comparing JWTs with other methods
Cookie-based Authentication
(Diagram on the original slide)
JWT advantages
● Stateless
● Scalability
● Digitally-signed
● Performance
● CORS/CSRF
● Mobile-ready
● Decoupled/Decentralized
JWT drawbacks
● Size of token
● Token revocation
● Single-Page Applications
Thank you!
@Mediacurrent
Mediacurrent.com
slideshare.net/mediacurrent
https://jwt.io/
https://www.drupal.org/project/jwt
https://www.mediacurrent.com/blog/using-json-web-tokens-jwt-authenticate-endpoints
