Downloaded 223 times
![var jwt = require('jsonwebtoken'),!
fs = require('fs');!
!
//get public key !
cert = fs.readFileSync('public.pem'); !
!
// verify asynchronously with RSA SHA256!
jwt.verify(token, cert, { algorithms: ['RS256'] }, function (err, payload) {!
console.log(payload);!
});!
Verifying JSON Web Tokens!](https://image.slidesharecdn.com/2016decconfoojwtoauth-161207204327/75/Modern-API-Security-with-JSON-Web-Tokens-24-2048.jpg)
![POST /token.oauth2 HTTP/1.1!
Host: service.example.com!
Content-Type: application/x-www-form-urlencoded!
!
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer!
&assertion=eyJhbGciOiJFUzI1NiIsImtpZCI6IjE2In0.!
eyJpc3Mi[...omitted for brevity...].!
J9l-ZhwP[...omitted for brevity...]!
Authorization Example OAuth 2 access token request with JWT!](https://image.slidesharecdn.com/2016decconfoojwtoauth-161207204327/75/Modern-API-Security-with-JSON-Web-Tokens-35-2048.jpg)
![POST /token.oauth2 HTTP/1.1!
Host: service.example.com!
Content-Type: application/x-www-form-urlencoded!
!
grant_type=authorization_code&!
code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4&!
client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-
bearer!
client_assertion=eyJhbGciOiJSUzI1NiIsImtpZCI6IjIyIn0.!
eyJpc3Mi[...omitted for brevity...].!
cC4hiUPo[...omitted for brevity...]!
Authentication Example OAuth 2 access token request with JWT!](https://image.slidesharecdn.com/2016decconfoojwtoauth-161207204327/75/Modern-API-Security-with-JSON-Web-Tokens-36-2048.jpg)
Uploaded byJonathan LeBlanc
Modern API Security with JSON Web Tokens
The document provides a comprehensive guide on modern API security using JSON Web Tokens (JWT), detailing their benefits over traditional authentication systems and the structure of JWT including its header, payload, and signature. It explains the differences between symmetric and asymmetric algorithms, and offers practical examples of generating, signing, and verifying JWTs. Additionally, it discusses preventing replay attacks and the integration of JWT with OAuth 2.0 for authentication and authorization purposes.
In this document
Powered by AI
Introduction and specifications of JSON Web Tokens (JWT). Presenter: Jonathan LeBlanc. Link to RFC 7519.
Benefits of JWT include stateless architecture, small footprint, and cross-language compatibility.
Comparison between traditional authentication systems and token-based systems.
Issues with traditional authentication include session storage, scalability concerns, CORS issues, and CSRF attacks.
Description of user login and token generation in token-based authentication systems.
Explanation of how JWTs work, including header, payload, signature, and sample JWT structure.
Details of a JWT header, including algorithms used and example of JWT header structure.
Comparison of HMAC SHA256 (symmetric key) and RSA SHA256 (asymmetric key) hashing algorithms.
Types of JWT claims: reserved, public, and private with examples of payload data.
Process of creating the JWT signature including encoding methods and secret key utilization.
Steps to generate public and private keys necessary for signing JWTs.
Asynchronous signing of JWTs with a private key using the jsonwebtoken library.
Process of verifying a signed JWT using a public key.
Important practices to secure JWTs including signature verification and key security.
Recommendations to prevent replay attacks in JWTs through claims.
Reference to the JWE specification with a link to RFC 7516.
Integration of JWTs with OAuth 2 and its benefits based on existing trust relationships.
Historical context of OAuth, OpenID and their relationships with authentication.
Overview of the JWT profile specific to OAuth 2.0 client authentication.
Comparison between JWT as an authentication protocol and OAuth as an authorization framework.
General flow of the OAuth 2 process from user sign-in to token exchange.
OAuth 2 access token request examples showcasing JWT assertion.
Key claims to validate in a JWT including required and optional claims, and signature verification.
Links to specifications and resources for JWT, JWE, and OAuth.
Acknowledgment of the audience and presenter contact details.
More Related Content
![[OPD 2019] Attacking JWT tokens](https://cdn.slidesharecdn.com/ss_thumbnails/attackingjwttokens-191021171156-thumbnail.jpg?width=640&height=640&fit=bounds)
Similar to Modern API Security with JSON Web Tokens
![PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://cdn.slidesharecdn.com/ss_thumbnails/17h00ivanrosolen-160331183444-thumbnail.jpg?width=640&height=640&fit=bounds)
Modern API Security with JSON Web Tokens
- 1. Modern API Securitywith! JSON Web Tokens! Jonathan LeBlanc ! Twitter: @jcleblanc ! Book: http://bit.ly/iddatasecurity!
- 2. JSON Web Token(JWT) Specification! ! https://tools.ietf.org/html/rfc7519!
- 3. JWT Benefits! ! They’re selfcontained and help maintain a stateless architecture.! ! They maintain a small footprint and can be passed along easily. ! ! They work well across multiple programming languages.!
- 4.
- 5. User logs in,server checks creds Session stored in sever, cookie created Send session data to access endpoints Traditional Authentication Systems
- 6. Issues with traditionalsystems! • Sessions: Record needs to be stored on server ! • Scalability: With sessions in memory, load increases drastically in a distributed system.! • CORS: When using multiple devices grabbing data via AJAX requests, we may run into forbidden requests.! • CSRF Attacks: Riding session data to send commands to server from a browser that is trusted via session.!
- 7. User logs in,server checks creds Token generated, store in localStorage Provide token in headers for all reqs Token-Based Authentication Systems
- 8. How JSON WebTokens Work!
- 9. • Header: Tokentype and hashing algorithm! • Payload: User / verification content! • Signature: Header, payload, and secret!
- 10. XXXXXXXX.YYYYYYYY.ZZZZZZZZ! What a SignedToken will Look Like!
- 11. Authorization: Bearer <token>! Transmissionof a JWT via HTTP Headers!
- 12. JWT Header! ! alg: Thehashing algorithm to be used.! ! typ: The token type. Should be JWT.!
- 13. var header_data ={! alg: 'RSA', ! typ: 'JWT' ! };! Example JWT Header!
- 14. Difference between HMACSHA256 and RSA SHA256 hashing algorithms! ! HMAC SHA256: Symmetric key cryptography, single shared private key. Faster, good between trusted parties.! ! RSA SHA256: Asymmetric key cryptography, public / private keys. Slower, good between untrusted parties.!
- 15. JWT Payload (Claims)! ! Reserved:Predefined, recommended, interoperable terms. ! ! Public: Customs claims that may be set at will.! ! Private: Agreed upon claims between two parties.!
- 16. Reserved Claims! ! iss (issuer):The person that issued the token.! sub (subject) : The subject of the token.! aud (audience) : Audience the token is intended for.! exp (expiration time) : Expiration time of the token.! nbf (not before) : Starting time token is available.! iat (issued at) : When the token was issued.! jti (JWT ID) : Unique identifier for the token. ! !
- 17. var payload ={! sub: '4355676',! exp: '1481160294',! jti: '841112',! role: 'admin'! };! Example JWT Payload!
- 18. JWT Signature! ! Encoded Data:Base64 encoded header + payload! ! Secret: A private key.!
- 19. var header ={! alg: 'RSA', ! typ: 'JWT' ! };! ! var payload = {! sub: '4355676',! exp: '1481160294',! jti: '841112’! };! ! HMACSHA256(! base64UrlEncode(header) + "." +! base64UrlEncode(payload),! secret)! Creating a JWT signature!
- 20. // generate privatekey! openssl genrsa -out private.pem 2048! ! // generate public key! openssl rsa -in private.pem -outform PEM -pubout -out public.pem! Creating new public / private keys (minus password for testing)!
- 21. var fs =require('fs'), ! ursa = require('ursa');! ! // set up public / private keys! var key = ursa.generatePrivateKey(), ! privatepem = key.toPrivatePem(),! publicpem = key.toPublicPem();! ! // store keys in .pem files ! try {! fs.writeFileSync('private.pem', privatepem, 'ascii');! fs.writeFileSync('public.pem', publicpem, 'ascii');! } catch (err) {! console.error(err);! }! Writing new public / private keys to the file system!
- 22. var jwt =require('jsonwebtoken'),! fs = require('fs');! ! // get private key! var cert = fs.readFileSync('private.pem');! ! // sign asynchronously with RSA SHA256 ! jwt.sign({ foo: 'bar' }, cert, { algorithm: 'RS256' }, function(err, token) {! console.log(token);! });! Signing JSON Web Tokens !
- 23.
- 24. var jwt =require('jsonwebtoken'),! fs = require('fs');! ! //get public key ! cert = fs.readFileSync('public.pem'); ! ! // verify asynchronously with RSA SHA256! jwt.verify(token, cert, { algorithms: ['RS256'] }, function (err, payload) {! console.log(payload);! });! Verifying JSON Web Tokens!
- 25.
- 26. Securing JWTs! ! • Verifysignature before trusting data in the JWT.! • Secure the secret key used for signing. Keys should only be accessible by the issuer and consumer.! • Do not add sensitive data to the JWT. They are signed to protect against manipulation, not encrypted.!
- 27. Preventing Replay Attacks! ! Toprevent replay attacks, include the following claims to the JWT payload:! ! • jti (JWT ID): Random or pseudo-random nonce.! • exp (expiration): Time the token expires.! • iat (issued at): Time the token was issued. !
- 28. JSON Web Encryption(JWE) Specification! ! https://tools.ietf.org/html/rfc7516 !
- 29. Mixing JWTs withOAuth 2!
- 30. Benefits of theSpecification! ! Existing Trust Relationships: If a site has an existing user relationship, that may be used.!
- 31. A Bit ofHistory! ! OAuth, OpenID, authorization and authentication!
- 32. JSON Web Token(JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants! ! https://tools.ietf.org/pdf/rfc7523.pdf!
- 33. "JWT vs OAuth"is a comparison of apples and apple carts! ! JWT: Authentication protocol! OAuth: Distributed authorization framework !
- 34. User is forwardedto sign in, grant permissions Code is provided back in URI Request to exchange code for token How the OAuth 2 Process Generally Works Access Token is provided back
- 35. POST /token.oauth2 HTTP/1.1! Host:service.example.com! Content-Type: application/x-www-form-urlencoded! ! grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer! &assertion=eyJhbGciOiJFUzI1NiIsImtpZCI6IjE2In0.! eyJpc3Mi[...omitted for brevity...].! J9l-ZhwP[...omitted for brevity...]! Authorization Example OAuth 2 access token request with JWT!
- 36. POST /token.oauth2 HTTP/1.1! Host:service.example.com! Content-Type: application/x-www-form-urlencoded! ! grant_type=authorization_code&! code=n0esc3NRze7LTCu7iYzS6a5acc3f0ogp4&! client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt- bearer! client_assertion=eyJhbGciOiJSUzI1NiIsImtpZCI6IjIyIn0.! eyJpc3Mi[...omitted for brevity...].! cC4hiUPo[...omitted for brevity...]! Authentication Example OAuth 2 access token request with JWT!
- 37. Validating the JWT! ! • iss (required): Unique issuer identity claim.! • sub (required): Identity the token subject! • Authorization: ID of a valid delegate. ! • Authentication: The OAuth 2 client ID.! • aud (required): Identity of the authorization server, such as the URI endpoint. !
- 38. Validating the JWT! ! • exp (required): Expiration to limit the time that the JWT can be used.! • nbf (optional): Time before which token must not be accepted.! • jti (optional): Uniquely identifies the token.! • other claims (optional): Any other claims may be present.!
- 39. Validating the JWT! ! • Digitally signed / Message Authentication Code: A valid signature / MAC must be present.! • Valid JWT: Must conform to the makeup of a JWT.!
- 40. Links and MoreInformation! • Specifications: ! • JWT: https://tools.ietf.org/html/rfc7519! • JWT / OAuth2: https://tools.ietf.org/html/rfc7523! • JSON Web Encryption: https://tools.ietf.org/html/ rfc7516! • JWT Website: https://jwt.io/! • jsonwebtoken NPM module: https://www.npmjs.com/package/ jsonwebtoken!
- 41. Thank You!! Slides: slideshare.net/jcleblanc! JonathanLeBlanc ! Twitter: @jcleblanc ! Book: http://bit.ly/iddatasecurity!