JSON WEB TOKEN
Ivan Rosolen
Degree in Information Systems
Postgraduate degree in Project Management
Developer for 15+ years
Author of several PHPT files (tests for PHP)
New-technology enthusiast
Head of Innovation @ Arizona
CTO @ Mokation
@ivanrosolen
Authentication
- Form Request Post/Get
- OAuth
- Key/Hash
- Credentials in plain text
- Session Cookies
- Data is stored in plain text on the server
- Filesystem read/write requests
- Distributed/clustered applications
- Redis/Sticky sessions
API
- Stateless authentication (simplifies horizontal scaling)
- Prevent (mitigate) Cross-Site Request Forgery (CSRF) attacks.
- Security (https)
- Authorization: Bearer
- Authentication vs. Authorization
- 401 unauthorized / 403 forbidden
- JWT != ACL
JOSE
- JWT
- JWS
- JWA
- JWK
- JWE
JSON Object Signing and Encryption
Advantages
- JSON Web Tokens work across different programming languages
- JWTs are self-contained
- JWTs can be passed around easily and secure
- Better control, e.g. a “one time token” for forgotten-password, user confirmation, request rates, access, etc.
- One token to rule them all (Stateless)
Anatomy
header.claims.signature
Header
{
"typ": "JWT",
"alg": "HS256"
}
Claims
- iss: The issuer of the token
- sub: The subject of the token
- aud: The audience of the token
- exp: Probably the registered claim used most often. Defines the expiration as a NumericDate value; the expiration MUST be after the current date/time.
- nbf: Defines the time before which the JWT MUST NOT be accepted for processing
- iat: The time the JWT was issued. Can be used to determine the age of the JWT
- jti: Unique identifier for the JWT. Can be used to prevent the JWT from being replayed; helpful for a one-time-use token.
http://www.slideshare.net/lcobucci/jwt-to-authentication-and-beyond
Payload / Claims
{
"iss": "ivanrosolen.com",
"exp": 1300819380,
"name": "Ivan Rosolen",
"admin": true
}
JWT
eyJ0eXAiOiAiSldUIiwiYWxnIjogIkhTMjU2In0=
.
eyJpc3MiOiAiaXZhbnJvc29sZW4uY29tIiwiZXhwIjogMTMwMDgxOTM4MCwibmFtZSI6ICJJdmFuIFJvc29sZW4iLCJhZG1pbiI6IHRydWV9
.
JWS
- header
- claims
payload
base64(header) . base64(claims)
JWA
- secret (HMAC SHA-256, RSA SHA-256, ...)
- sign (HMAC) the payload with the key ‘Xuplau’
Signature
var encodedString = base64UrlEncode(header) + "."
+ base64UrlEncode(payload);
HMACSHA256(encodedString, 'Xuplau');
JWT
eyJ0eXAiOiAiSldUIiwiYWxnIjogIkhTMjU2In0=
.
eyJpc3MiOiAiaXZhbnJvc29sZW4uY29tIiwiZXhwIjogMTMwMDgxOTM4MCwibmFtZSI6ICJJdmFuIFJvc29sZW4iLCJhZG1pbiI6IHRydWV9
.
M2FjZTM0M2ZiNjhhMzBiOWNiYTkxN2U1Zjk4YjUxOWYzMTY3NGZlMmU4MTIzYjU1NTRkMjNlNjYzOTkyZGU2Nw==
Screencast
Using PHP, the screencast explains how to generate a JSON Web Token manually (without any library); the token can be used to share information between applications and to authorize its bearer to access protected data.
https://www.youtube.com/watch?v=k3KfK0ZS_FY
Warning!
Code
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
Github
- Session
- JWT
- JOSE
Refs
Github
https://github.com/ivanrosolen/crud-demo
JWT
https://github.com/dwyl/learn-json-web-tokens
http://jwt.io
https://developer.atlassian.com/static/connect/docs/latest/concepts/understanding-jwt.html
http://stackoverflow.com/questions/20588467/how-to-do-stateless-session-less-cookie-less-authentication
Talks
http://www.slideshare.net/erickt86/secureapi
http://www.slideshare.net/lcobucci/jwt-to-authentication-and-beyond
Luís Otávio Cobucci Oblonczyk
https://github.com/lcobucci/jwt
https://github.com/Ocramius/PSR7Session
????
THANK YOU!
Visit phpsp.org.br
https://joind.in/talk/05eb0