Portable Sessions with JSON Web Tokens

Video in TIB AV-Portal: Portable Sessions with JSON Web Tokens

CC Attribution - ShareAlike 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this license.
Ever wonder why applications use sessions and APIs use tokens? Must there really be a difference? JSON Web Tokens are an emerging standard for portable secure messages. We'll talk briefly about how they're built and how they earn your trust, then dig into some practical examples you can take back and apply to your own majestic monolith or serious services.
Good morning. As people are still coming in from the hallway, let's get started. If you're here to learn about JSON Web Tokens, you're in the right place. We're going to talk about what they are and why they exist, and maybe who cares, since tokens these days are on the bill for the web.

Scratch that. Now that you're in the room, let me offer you a scenario. In my mind, on the ground floor, there's a theater; in the case the log in and see the face probably worries on this somewhere in his life these services vertical, that is the funny thing that's really going on. And on the stage, while you're all hired by, you know, the interview, you pass the code and how users a conference, right? So in your face is all stations there; I was always quality when we're working with, and was I using word, or the little out of sorts of centrality is the right solar radiation. I personally think of them as a developer: 2003, religion is breast, College has started small, like three of you in a certain right, and then the error of nasty just wrapped up slowly all at once. So the picture, on the moment, in the back, in the late stages of the something that happened to us is that the lion's share of states for the most part stories, but currently working with hundreds of only the first project, called Keratin AuthN, which is often use magic of the word we'll sentences as the library to the top. So it was that this page comes in the form of the standard rules allocation.

So we have a meeting with our friends, the JS systems are the faces of the where users can change the world that we deploy. While you love this, there is one problem: the legacy of this girl who would process native that stores, so easy, right? We may be the wireless and relax, and even at the time of flight to site and licensing for related these days, but there's always a hat, you know, this is just or maybe instead of one is the one that has that. What matters is that the cloud raises is there; it's running the words the sum all the way that we can use cookies for, so we can move away from the so that would usually here pulses over there. There's this uneasy feeling that there's something, so what we did with the finger on it and is going, but it turns out we've actually implemented two authentication systems. And so this is actually what we're working with moving forward, and, as no surprise to those of you who read the title, that's all I need: the services which are not so, let's try it out. And we build this API gateway, but is it written in Rails? Does it speak cookies or tokens or both? We have to retrofit our authentication schemes into it. Are we on our own? Do we have to remove something else? I mean, what happens now? Well, let's step back and consider the problem these cookies and tokens are trying to solve. How did we even get here? So I ask: what you do is walking in, what happens, what are the producing tokens doing, but what's together, the we
say it starts here, with a username and password. These days it can also be the Facebook login, or Google, or some other OAuth provider, but it's still mostly passwords. Turns out that's not really the part we care about. What we care about is how we keep track. So here's the classic way of keeping track: the browser logs in, we send back a cookie, and browsers know about cookies. They include them on every request back to a domain, so every request for a page is logged in and we can show your face back. I mean, the requests for JavaScript and CSS and images are also carrying these cookies, but that's a different talk, right? The simplest explanation for cookies is that they're a protocol: when the server responds with a Set-Cookie header, the browser knows to include it back in the Cookie header on every future request. But it's time to consider the elephant in the room: what kinds of cookies are these, really? I mean, when we diagram this they usually look like this, chocolate chip, or maybe holds for lunch, but this is how we should think of them: as fortune cookies with a message inside. Rails uses these bits of data in the browser and we can crack one open and see what's inside. Here's what you might actually see in an actual Rails application: it's an encoded message with a signature, and you can split it apart on the double hyphens right there. Here's what's inside: there's a user ID, this after all is cookie authentication, you need that kind of thing, and the signature that we can use to make sure of that. So there we go: cookies are headers on HTTP responses and requests that do things like transport the user ID back and forth, and that's the login story we care about right now.

So what's happening with the tokens on the API side of things? One common convention might look like this: the server responds to a login request with some random string in the JSON body, we'll say, and again the device sends it back on future requests, but this time in the Authorization header. Now these tokens are OK. They're random strings; they have no meaning, and so we use them to find something more interesting like the user ID, and this is good but not great. On the upside, we can delete these tokens to revoke access at any point; we have some control over that. On the downside, every API request involves a database query. This is, by the way, how Rails sessions used to work before the switch to cookies; it was a performance problem. The browser submitted a session ID and we used that to actually find the session in the database.

So let's put together what we've learned. The Rails session cookie uses the Cookie header; the API tokens use the Authorization header. The Rails session cookie is structured data, but the API token is just an opaque random string. The Rails session cookie can be verified with cryptography; the API token is security through queries. So can you imagine the best of both worlds?
JSON Web Tokens: it's signed structured data. It's rather similar to Rails signed cookies; we added a third segment, the header, and this just describes the format of the token. We can decode the message, and what you're looking at here are called token claims. Now, they're called claims to give you a bit of skepticism, because you actually have to assert that these claims are true before you can trust them. Here's a list of common claims. You can see that they're heavily abbreviated, and the reason is that JSON Web Tokens are designed to fit in headers and other character-limited small spaces, so they have to save on bytes for your more interesting content. All the claims on the left are what I consider metadata: the claims necessary to verify that the token may be used properly in different situations. Let's go through these. The issuer describes the party that generated and signed the token. The audience describes the party that the message is intended for; these might be the same thing, they might not. Issued-at is when the token was created and expiration is when the token should be ignored; they can have a lifetime. The claims on the right are what I consider the payload, and this is the information you want to extract for your business logic. Now you can put anything you want in here as long as the issuer and audience agree on what it means. The common one that a lot of issuers and audiences agree on is the subject, and this is meant to identify the party the message is about, or the person who owns the token, the person who has it, and this is where we put the user ID. So the JSON Web Token standard is a pretty generic thing; it's just a spec for sending secure messages, but one of its primary uses is identity. It actually evolved in the context of OAuth and OpenID Connect, and you can see a lot of that in the claims that are built into it. So we can actually imagine that, kind of like Rails cookies and API tokens, think of it as an ID card. Just like an ID card, it makes a number of claims and it contains some security features. This ID card has an issuer from the internet, a subject, the name, expiration and issued dates, and it has a sweet little official stamp of security on it. But it's actually up to you to check the card and detect forgeries, to make sure that you can actually accept this identification. So here's how you do it. One: is it from someone that we recognize as an authority? Check the issuer. Two: was it intended for me? Check the audience. Three: has it expired? Check the expiration. Four: is it a forgery? Check the signature: can you recreate the signature based on what's inside? And last but not least, five: was it generated before or after the time we had to change our secret because we published it? Then you can check issued-at for that. If you can answer those five questions you're in pretty good shape, and the good news is that you can get a library to just do this for you.

So we've learned that JSON Web Tokens are secure messages, like a Rails signed session cookie; we've learned that they contain claims that we need to verify; and we've learned about the most important claims and what they represent. Let's talk about what we can do with them. We've already mentioned identity tokens, so let's continue from there.
One of the problems we had in our system was the two authentication systems. So how can JSON Web Tokens help? First, let's add JSON Web Tokens to our comparison table. While the Rails cookies are tied to the Cookie header and API tokens use the Authorization header, JSON Web Tokens are ready for either; they don't care. The Rails cookies were structured data signed with cryptography, and that's actually good, so JSON Web Tokens share those characteristics. So if we use an identity JSON Web Token for logging in, it might look like this: the browser logs in, Rails responds with a JSON Web Token in a cookie, the JWT contains the user ID as the subject, and on future requests the browser just sends it back in the cookie. This looks pretty familiar, and that's a good thing: we didn't actually have to change our headers or the relationship between the browser and server. We're still using cookies; we just changed the format of the message inside the cookie. And on the API we can drop it in here as well: there's no change to the client, it's still sending a string back and forth, only now the string is a JSON Web Token. It has structured data, it has meaning, it's not random, and the server can do something with it. So this is the JSON Web Token solution: one token, two headers, one authentication system. It doesn't matter whether the server finds a token in a cookie or inside an Authorization header; it can still handle that value exactly the same and set the current user for the duration of the request.

Problem number two in our system: previously the API had to execute a query on every request just to discover who was making it, and now our API can verify the JWT with the claims and cryptography. So this replaces the network-bound database bottleneck with a straightforward CPU-bound calculation. This will perform faster, this will scale better, this introduces less variation in response times and generally has fewer failure modes.

Problem three: our cookies were implemented for Rails. Now don't get me wrong, the default Rails session store is wonderful: it works, it's hidden, it is secure, it's very well designed, it does the job it's meant to do. But it is tightly coupled to Rails, it is tightly coupled to cookies, and it's kind of tightly coupled to majestic monoliths. So if those things don't work for you, you have to ask yourself what's next. JWT libraries are implemented in at least 20 languages, they're decoupled from cookies, and they contain claims that you can use to build any kind of distributed architecture, so they're more flexible, a more general-purpose solution.

Problem four: in a distributed architecture you might find yourself sharing secrets, so that when you sign a message on one system you can verify it on another, and this involves trusted backchannels like copy and paste or maybe configuration management systems. Now the secret exists in more places, and it's a bigger attack surface: if any of those places is compromised, that secret can be used to attack the other places as well. So what do JSON Web Tokens offer? They support asymmetric key algorithms like RSA. Now, the signing process used by Rails signed cookies is called HMAC: you give it a salt, it hashes the cookie, you take that salt, rehash, and verify it. The required setup for RSA is a little bit different. The server signing tokens needs a special RSA key, not just a random salt. It uses the private key to sign, OK, but then it actually publishes the public key on a free and open HTTP endpoint using a spec like JWKS. When some audience on some other server receives the message, what it can do is go fetch the public key, use it to verify, and cache that forever. So this public key automatically shares the secret, but the secret is the public key. What this means is that you don't need to share secrets; there's less to do up front, the operational cost is lower. This means there's no copy and paste between systems; you get the key over HTTP. There's no super-coordinated lockstep deploy process where you need to change it in both places at the same time without dropping messages. This also reduces the attack surface: a lost secret can only attack the service that leaked it. This can actually prepare you for some really nifty stuff like automatic key rotation, and if that's interesting I'd be happy to talk about it in the hallway after this.

Problem five: have you ever thought about how password resets work? I generate a token, it's a nonce, it's a random string; you verify it in a controller, and then I regenerate a new token to expire the old ones that were sent out, to make sure that people can't hack the system. And when you think about it, this is actually a third authentication system: it works a lot like the opaque API tokens, and again it's implemented as a one-off. So here's how I
build a password reset JWT. First, start with a standard identity token; this contains the metadata claims and the subject. Then I add the scope claim. Now, I looked around and this doesn't seem to be standard, but I couldn't find a better one. So here's the scope: I configure my passwords controller to accept tokens with this scope, and I configure the rest of the application to reject tokens with this scope, or any scope that doesn't seem appropriate for them. Then I add an optimistic lock. Now, an optimistic lock is where you keep some kind of a version; every time the field updates you increment that version, and anyone who wants to make a change has to tell you what the current version is. This way you make sure that they don't overwrite something that changed without their knowledge. And you can achieve this with just a timestamp, so that's what I've done here, by maintaining a users.password_changed_at field, which is also good for other features, and then verifying it against the token: if it matches, it's good to go. This effectively also expires the old reset tokens when a password changes.

So once again we can upgrade opaque tokens into structured signed data. This is one more field in the users table, this is one less index for your queries, but even better is that we've absorbed a third authentication system by teaching our JWT backend about scopes and by teaching our passwords controller about optimistic locks.

Problem six: suppose that you're sending emails with surveys or some other strong call to action that you really want them to click, and you need to know who is making that request. If you don't help them at all, they're going to hit a login wall, and maybe they're on their phone so they don't want to type it in and they'll just come back later, or they don't, and your conversion drops. So maybe you implement random strings, opaque tokens, and connect them back to the user just like the API system. This is something pretty familiar, right? So we can just generalize the password reset solution: all we need is a scope claim. It sounds like I'm suggesting that we send user sessions through email, and yes, actually, that is what I'm suggesting. I mean, that's basically what the randomly generated one-off random strings are doing; they're giving a login session by email. But this one is built into our authentication system; it's not a one-off implementation that you can forget about.

Problem seven: your application is doing lots of stuff, and you're including a lot of this common, standard authentication feature stuff as if it's somehow unique, in the same database that can be affected by every deploy, every upgrade, and all this complexity is in one spot, which makes it a lot harder to audit your attack surface and understand where you need to remain secure. And let's not forget the always-present user god model; the user model can get out of control. So JSON Web Tokens were born ready for this: this is why the issuer and audience claims exist, so they can be different things. The issuer, let's imagine, takes responsibility for the account. An account might be the username and the password and the last time the password was changed and how many times it failed to log in, or any of that stuff. Then your application is responsible for a simpler users model; it just needs to relate the user with an account. This is actually what I learned firsthand while working on Keratin AuthN, which is kind of what you get if Devise was rebuilt as a standalone authentication service. It removes that complexity from your app; it relies heavily on JSON Web Tokens and uses every trick I mentioned here and then some. The core is pretty stable, and I think I've got some ideas for some advanced features, so if it's interesting to anybody I'd love to chat about it.

In conclusion, here are the things to take away from this presentation. One: you can use JSON Web Tokens right now. As a matter of fact, if you have an app with APIs or services, you probably recognized one or more of these problems. Two: JSON Web Tokens have a low learning curve and a high skill ceiling; there's a lot more that you can do with them as you gain confidence. Above all, do start somewhere. You're going to go home from this conference with a head full of ideas for things that you wish you could use at your day job, all the cool stuff you want to try, and maybe JSON Web Tokens is one of those. Pick something, learn by doing it, try it out, and make your knowledge real.
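The five verification questions and the password-reset token (a scope claim plus an optimistic lock on password_changed_at) from the talk, as an added Ruby example that is not code from the talk or from Keratin AuthN; the shared secret, the issuer and audience names and the "lock" claim name are assumptions made for this example.

```ruby
require "json"
require "base64"
require "openssl"

# Added example, not code from the talk or from Keratin AuthN: a minimal HS256
# JSON Web Token issuer and verifier. verify_token asks the talk's five questions
# (issuer, audience, expiration, signature, issued-at against the last secret
# rotation) and adds the password-reset checks: a "scope" claim plus an optimistic
# lock on password_changed_at. Secret, issuer/audience and "lock" are constructed.
SECRET   = "constructed-example-secret-do-not-reuse"
ISSUER   = "accounts.example"
AUDIENCE = "app.example"
ALG      = "HS256"

# JWT segments are base64url without padding (RFC 7515).
def b64url_encode(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str)
end
def hmac_sha256(data)
  OpenSSL::HMAC.digest("SHA256", SECRET, data)
end

# Constant-time comparison, so a forged signature leaks nothing through timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# header.payload.signature; a reset token is an identity token plus a scope
# claim and a lock claim carrying the user's current password_changed_at.
def issue_token(claims, now:, ttl: 3600)
  header  = b64url_encode(JSON.generate({ alg: ALG, typ: "JWT" }))
  payload = b64url_encode(JSON.generate(
    { iss: ISSUER, aud: AUDIENCE, iat: now, exp: now + ttl }.merge(claims)))
  "#{header}.#{payload}.#{b64url_encode(hmac_sha256("#{header}.#{payload}"))}"
end

# Returns [payload, nil] when every check passes, otherwise [nil, reason].
#   secret_epoch:        when the signing secret was last rotated (question 5)
#   expected_scope:      given only by the passwords controller, for reset tokens
#   password_changed_at: the user's current value, for the optimistic lock
def verify_token(token, now:, secret_epoch: 0, expected_scope: nil, password_changed_at: nil)
  parts = token.to_s.split(".")
  return [nil, :malformed] unless parts.size == 3
  header_b64, payload_b64, sig_b64 = parts
  header = JSON.parse(b64url_decode(header_b64))
  # 4. Is it a forgery? Pin the algorithm (never let the token pick it, e.g. "none"),
  #    then recreate the signature and compare.
  return [nil, :bad_alg] unless header.is_a?(Hash) && header["alg"] == ALG
  expected_sig = hmac_sha256("#{header_b64}.#{payload_b64}")
  return [nil, :bad_signature] unless secure_equal?(expected_sig, b64url_decode(sig_b64))
  payload = JSON.parse(b64url_decode(payload_b64))
  return [nil, :malformed] unless payload.is_a?(Hash)
  # 1. Is it from an authority we recognize?  2. Was it intended for me?
  return [nil, :bad_issuer] unless payload["iss"] == ISSUER
  return [nil, :bad_audience] unless payload["aud"] == AUDIENCE
  # 3. Has it expired?
  return [nil, :expired] unless payload["exp"].is_a?(Integer) && now < payload["exp"]
  # 5. Was it generated before we last had to change our secret?
  return [nil, :stale_secret] unless payload["iat"].is_a?(Integer) && payload["iat"] >= secret_epoch
  # Reset extras: only the passwords controller accepts this scope, every other
  # endpoint rejects scoped tokens, and the lock must still equal the user's
  # password_changed_at, so old reset tokens die as soon as the password changes.
  if expected_scope
    return [nil, :bad_scope] unless payload["scope"] == expected_scope
    return [nil, :lock_failed] unless payload["lock"] == password_changed_at
  elsif payload.key?("scope")
    return [nil, :scoped_token]
  end
  [payload, nil]
rescue ArgumentError, JSON::ParserError
  [nil, :malformed]
end

# Constructed walk-through for user 42: a login session and a password reset.
now, changed_at = 1_700_000_100, 1_700_000_000
session = issue_token({ sub: "42" }, now: now)
reset   = issue_token({ sub: "42", scope: "password_reset", lock: changed_at }, now: now, ttl: 900)
p verify_token(session, now: now + 3600).last  # :expired
p verify_token(reset, now: now + 10).last      # :scoped_token
```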
So the question is: if the user has been disabled by an admin since they logged in, how can you immediately lock them out and make sure that they don't come back? You can create, for example, a blacklist and keep a temporary cache of invalidated tokens, and you can, if you choose to, for critical actions implement a revalidation. But yes, the trade-off is real. The trade-off is real if you keep authentication in a token that lives for 30 minutes or something. That's the thing: I do recognize that these tokens should have a short life and that you regenerate them frequently, so the time window for that kind of problem is small. Yes, so again, the comment is that checking this blacklist takes time. I recommend deciding which endpoints are critical and revalidating for just those endpoints. The problem is one of those things where it's OK if they can continue to read data for a few more minutes, or maybe what you want to do is protect that data, and you can choose to revalidate where necessary.

Well, you can try JSON Web Tokens in an existing app by finding any kind of a token and seeing how you'd replace it, so that's one way to try it. If you are trying an authentication server, then it helps to have an app with some kind of login scheme where you just swap out the forms, so the form I submit goes to a different backend. Although the two ideas: is there a drop-in replacement? There is a library called Knock, and Knock is like Devise with JWT, but it's built into the model, right? So authentication servers run as a separate deployment, but Knock will use JWT as part of the same model.

Refreshing the tokens with more tokens: the way that I've seen is where you maintain what's called an access token and a refresh token. The access token is what you're sending to the API; the refresh token is more secure because it's not used very much. The one thing it's used for is getting new access tokens. So let's say that your access token is good for an hour; let's say that you decide every 30 minutes, way before that's going to expire, to use the refresh token to get a new one. What we can do is build revocation into that refresh system, so the refresh maybe actually does a query against a sessions table or something to make sure that it's still OK to generate new access tokens. The dual token system means that one can have different security properties, and the other is used for your really chatty protocols because it's lightweight and doesn't require queries, and they're kept in different places with different security properties. Yeah, so the comment on that idea was that if you attempt to use a token and the error is that it's expired, you might decide it's time to get a new one, and that works like a fail-safe. I think that refreshing aggressively before that happens is a nicer, cleaner experience, and if you refresh well enough you may or may not need that kind of last-moment "it's expired, give me a new one."

Yeah, that's the issue. In that kind of dire situation, which we all hope isn't happening, there's really no going back. You generate a new key and start using it, and then I would roll out this idea of an epoch and say any token generated before this point in time was using an older key that we don't trust anymore. So if the issued-at is before last Friday, when this happened, then just throw it away, and those people are logged out. So the comment was that you might have multiple keys and then you need an epoch per key, and JSON Web Tokens has a claim called kid, so you can embed within each JWT a signature of the key that was being used, and that will let you, if you have a key revocation, tell exactly which one was being used and whether it's still trustworthy.

For simple login sessions it's just what you saw: it's the user ID. If you choose to put them in a cookie, you need to also figure out CSRF, and you can put that CSRF token in the JWT because it's open; you can add more stuff into it and solve the same problems. And actually I'm not a big fan of keeping a lot of data in sessions anyway. So what I would say is, on the slide it was like two or three lines, it was maybe 50 percent longer than the Rails equivalent. Some people advocate for keeping more user information in there, like are they an admin, what permissions do they have, the name and email; you can save more queries that way. The downside is, as mentioned earlier, you have to decide how much you care about that information being stolen.