Portable Sessions with JSON Web Tokens

Speech transcript
Good morning. People are still coming in from the hallway. If you're here to learn about JSON Web Tokens, you're in the right place. I'm going to talk about what they are, why they exist, and maybe who cares.
NMI scratch that now that your room come at offer you a special in mind the ground floor of my so there's a theater in the case the log in and see the face probably worries on this somewhere in his life these services vertical that is
the funny thing is really going on and on the stage so while you're all hired by you know the interview you pass the code and how users a conference right so and in your face is all stations there I was always quality when we're working with and was I
use word or the little out of sorts of centrality is the right solar radiation I personally think of them as a developer 2003 religion is breast College College has started small like 3 of you in a certain right and then the error of nasty just wrapped up slowly all at once so the picture on the moment the in the back in the late stages of the something happened to us is that the the over I don't know if you know the the the lion's share of states for the most part stories but currently working with hundreds of only the 1st project called carriers often which is often use magic of the word we'll sentences as the library to the top so it was that this page
comes in the form of a standard Rails application. So we we have a meeting with their friends the chase assay systems are the faces of the where users can change the world that we deploy that while you love this is 1 problem of the legacy of this girl who would process native that stores so easy right we may be I the wireless and relax and even at the time of flight to site and licensing for related these days but there's always a hat you know this is just or maybe instead of 1 is the 1 that has that what matters is that the client is there, it's running, and we can't use cookies for it, so we move away from cookies over there. There's this uneasy feeling that there's something wrong and we can't quite put a finger on it, but it turns out we've actually implemented two authentication systems. And it's no surprise to those of you who read the title that this is where JSON Web Tokens come in. So let's say we build an API gateway. Is it written in Rails? Does it speak cookies, or tokens, or both? We have to retrofit our authentication schemes into it, or are we on our own? I mean, what happens now? Well, let's step back and consider the problem that these cookies and tokens are actually trying to solve. How did we even get here?

So when someone logs in, what happens? What are these cookies and tokens doing? Let's work through it together. It starts with a username and password. These days it can also be Facebook, GitHub, Google, or some other OAuth provider, but passwords are still typical. It turns out that's not really the part we care about. What we care about is how we keep track of who's logged in. So here's the classic way of keeping track: the browser logs in, we send back a cookie, and browsers know about cookies; they include them on every request back to that domain. So every request for a page is logged in, and we can show your face back. I mean, the requests for JavaScript and CSS and images are also carrying these cookies, but that's a different talk. The simplest explanation for cookies is that they're a protocol: when the server responds with a Set-Cookie header, the browser knows to include it back in the Cookie header on every future request.

But it's time to consider the elephant in the room: what kind of cookies are these, really? When we diagram them they usually look like this, chocolate chip, or maybe whole wheat, but this is how we should think of them: as fortune cookies, with a message inside. Rails uses these to store bits of data in the browser, and we can crack one open and see what's inside. Here's what you might actually see in an actual Rails application: it's an encoded message with a signature, and you can split it apart on the double hyphen right there. Here's what's inside: there's a user ID, because after all, with cookie authentication you need that kind of thing, and a signature that we can use to make sure it's authentic. So there we go: cookies are headers on HTTP responses and requests that do things like transport the user ID back and forth. And that's the login story we care about right now.

So what's happening with the tokens on the API side of things? One common convention might look like this: the server responds to a login request with some random string, in a JSON body let's say, and again the device sends it back on future requests, but this time in the Authorization header. Now these tokens are opaque: they're random strings, they have no meaning, and so we use them to look up something more interesting, like the user ID. And this is good but not great. On the upside, we can delete these tokens to revoke access at any point; we have some control over that. On the downside, every API request involves a database query. This is, by the way, how Rails sessions used to work before they switched to cookies; it was a performance problem. The browser submitted a session ID and we used that to actually find the session in the database.
So let's put together what we've learned. The Rails session cookie is in the Cookie header; the API token uses the Authorization header. The Rails session cookie is structured data, but the API token is just an opaque random string. The Rails session cookie can be verified with cryptography; the API token is security through queries. So can you imagine the best of both worlds? JSON Web Tokens: it's signed, structured data.

It's rather similar to Rails signed cookies. We've added a third segment, the header, and this just describes the format of the token. We can decode the message, and what you're looking at here are called token claims. Now the word "claims" should give you a bit of skepticism, because you actually have to assert that these claims are true before you can trust them. Here's a list of common claims. You can see that they're heavily abbreviated, and the reason is that JSON Web Tokens are designed to fit in headers and other character-limited small spaces, so they have to save on bytes for your more interesting content. All the claims on the left are what I consider metadata: the claims necessary to verify that the token may be used properly in different situations. Let's go through these. The issuer describes the party that generated and signed the token. The audience describes the party that the message is intended for; these might be the same thing, they might not. Issued-at is when the token was created, and expiration is when the token should be ignored; they can have a lifetime. The claims on the right are what I consider the payload, and this is the information you want to extract for your business logic. Now you can put anything you want in here, as long as the issuer and audience agree on what it means. The common one that a lot of issuers and audiences agree on is the subject, and this is meant to identify the party the message is about, or the person who owns the token, the person who has it. And this is where we put the user ID. So the JSON Web Token standard is a pretty generic thing; it's just a spec for sending secure messages. But one of its primary uses is identity. It actually evolved in the context of OAuth and OpenID Connect, and you can see a lot of that in the claims that are built into it. So we can actually imagine it, kind of like Rails cookies and API tokens, think of it as an ID card.

Just like an ID card it makes a number of claims, and it contains some security features. This ID card has an issuer, from the internet, so there's a subject, the name, an expiration and issued date, and it has a pretty sweet little official stamp for security. But it's actually up to you to check the card and detect forgeries, to make sure that you can actually accept this identification. So here's how you do it. One: is it from someone that we recognize as an authority? Check the issuer. Was it intended for me? Check the audience. Has it expired? Check the expiration. Is it a forgery? Check the signature: can you recreate the signature based on the message? And last but not least: was it generated before or after the time we had to change our secret because we accidentally published it? Then you can check issued-at for that. If you answer those five questions, you're in pretty good shape. And the good news is that you can get a library to just do this for you.

So we've learned that JSON Web Tokens are secure messages, like a Rails signed session cookie. We've learned that they contain claims that we need to verify, and we've learned about the most important claims and what they represent. So let's talk about what we can do with them. We've already mentioned identity tokens, so let's continue from there. One of the problems we had in our app was that we had two authentication systems. So JSON Web Tokens can help. First let's add JSON Web Tokens to our comparison table. So while the Rails cookies are tied to the Cookie header and API tokens use the Authorization header, JSON Web Tokens are ready for either; they don't care. The Rails cookies were structured data signed with cryptography, and that's actually good, so JSON Web Tokens share those characteristics.
So if we use an identity JSON Web Token for logging in, it might look like this: the browser sends the login, Rails responds with a JSON Web Token in a cookie, the JWT contains the user ID as the subject, and on future requests the browser just sends it back in the cookie. This looks pretty familiar, and that's a good thing: we haven't actually changed our headers or the relationship between the browser and the server. We're still using cookies; we just changed the format of the message inside the cookie. And on the API we can drop it in here as well. There's no change to the client; it's still sending a string back and forth. Now the string is a JSON Web Token: it has structured data, it has meaning, it's not random, and the server can do something with it. So this is the JSON Web Token solution: one token, two headers, one authentication system. It doesn't matter whether the server finds the token in a cookie or inside the Authorization header; it can still handle that value exactly the same and set the current user for the duration of the request.

Problem number two in our app: previously the API had to execute a query on every request just to discover who was making it, and now our API can verify the JWT with the claims and cryptography. So this replaces a network-bound database bottleneck with a straightforward CPU-bound calculation. This will perform faster, this will scale better, this introduces less variation in response times, and generally it has fewer failure modes.

Problem number three: our cookies were implemented for Rails. Now don't get me wrong, the default Rails session store is wonderful: it works, it's hidden, it is secure, it is very well designed, it does the job it's meant to do. But it is tightly coupled to Rails, it is tightly coupled to cookies, and it's kind of tightly coupled to the majestic monolith. So if those things don't work for you, you have to ask yourself, what's next? JWT libraries are implemented in at least 20 languages, they're decoupled from cookies, and they contain claims that you can use to build any kind of distributed architecture. So they're more flexible, a more general-purpose solution.

Problem number four: in a distributed architecture you might find yourself sharing secrets, so that when you sign a message on one system you can verify it on another. And this involves trusted back channels like copy and paste or the vaults of configuration management systems. Now the secret exists in more places, and it's a bigger attack surface: if any one place is compromised, that secret can be used to attack the other places as well. So what do JSON Web Tokens offer? They support asymmetric key algorithms, like RSA. Now the signing process used by Rails signed cookies is called HMAC: you give it a salt and it hashes the cookie; you take that salt, rehash, and it verifies. Now the required setup for RSA is a little bit different. The server signing the token needs a special RSA key, not just a random salt. It uses the private key to sign the token, but then it actually publishes the public key on a free and open HTTP endpoint, using a spec like JWKs. When some audience, some other server, receives the message, what it can do is go fetch the public key, use it to verify, and cache that forever. So the issuer automatically shares the secret, but the secret is the public key. So this asymmetric setup means that you don't need to share secrets; it's a little more work up front, but the operational cost is lower. This means there's no copy and paste between systems; you fetch the key over HTTP. There's no super coordinated lockstep deploy process where you need to change it in both places at the same time without dropping messages in between. This also reduces the attack surface: a lost secret can only attack the service that leaked it. And this can actually prepare you for some really nifty things like automatic key rotation, which I'd be happy to talk about around the conference.

Problem number five: have you thought about how password resets work? I generate a token, it's a nonce, it's a random string, you verify it in your controller, and then you regenerate a new token to expire the old ones that you sent out, to make sure that people can't hack the system. And when you think about it, this is actually a third authentication system. It works a lot like the opaque API tokens, and again it's implemented as a one-off.
So here's how I build a password reset JWT. First, start with a standard identity token; this contains the metadata claims and the subject. Then I add the scope claim. Now, I looked around for this and it doesn't seem to be standard, and I couldn't find better ones, so a scope claim it is. Then I configure my passwords controller to accept tokens with the scope, and configure the rest of the application to reject tokens with the scope, or any scope that doesn't seem appropriate for them. Then I add an optimistic lock. Now, an optimistic lock is where you keep some kind of a version, and every time the field updates you increment that version; anyone who wants to make a change has to tell you what the current version is. This way you make sure that they don't overwrite something that changed without their knowledge. And you can achieve this by just using a timestamp, so that's what I've done here: by maintaining a password_changed_at field on users, which is also good for other features, and then verifying it against the token; if it matches, it's good to go. And this effectively also expires the old reset tokens once a password changes.

So once again we can upgrade opaque tokens into structured signed data. This is one less field in your users table, this is one less index for your queries, but even better is that we've absorbed a third authentication system by teaching our JWT back end about scopes and by teaching our passwords controller about optimistic locks.

Problem number six: suppose that you're sending emails with a survey link or some other strong call to action, and when they click it you need to know who is making that request. So if you don't help them at all, they're going to hit a login wall, and maybe they're on the phone, so they don't want to type it; they just come back later, or they don't, and your conversion drops. So maybe you implement random strings, opaque tokens, connect them back to the user, just like the API system. This sounds pretty familiar, right? So we can just generalize the password reset solution; all we need is a scope claim. It sounds like I'm suggesting that we send user sessions through email, and yet that's actually what I'm suggesting. I mean, that's basically what the randomly generated random strings are doing: they're giving a login session by email. But this one is built into our authentication system; it's not a one-off implementation that you can forget about.

Problem number seven: your application is doing lots of stuff, and you're including a lot of this common, standard authentication feature stuff as if it's somehow unique. It's in the same database that can be affected by every deploy, every upgrade, and all this complexity is in one spot, which makes it a lot harder to audit your attack surface and understand where you need to remain secure. And let's not forget the always-present user god model, and the user model that we can't control. So JWTs were born ready for this; this is why the issuer and audience claims exist, so they can be different things. The issuer, let's imagine, takes responsibility for the account. An account might be the username and the password and the last time the password was changed, and how many times the login failed, or any of that stuff. Then the application is responsible for a simpler users model; it just needs to relate the user with an account ID. This is actually what I learned firsthand while working on Keratin AuthN, which is kind of what you get if Devise were rebuilt as a standalone authentication service. It removes the complexity from your app. It relies heavily on JSON Web Tokens and uses every trick I mentioned here, and then some. The core is pretty stable. I think I've got some ideas for some advanced features, so if it's interesting to anybody, I'd love to chat about it.

In conclusion, these are the things I'd like you to take away from the presentation. One: you can use JSON Web Tokens right now; as a matter of fact, if you have an app with an API or services, you probably recognized one or more of these problems. Two: JSON Web Tokens have a low learning curve and a high skill ceiling; there's a lot more that you can do with them as you gain confidence. Above all, do start somewhere. Don't go home from this conference with a head full of ideas for things that you wish you could use in your day job. Of all the cool stuff you'll try, maybe JSON Web Tokens is one of those. Pick something, learn by doing it, try it out, and make your knowledge real.
So the question is: if the user has been disabled by an admin since they logged in, how can you immediately lock them out and make sure that they don't come back? You can create, for example, a blacklist, and keep this temporary cache of invalidated tokens, and you can, if you choose to, for critical actions, implement a revalidation. But yes, the trade-off is real. The trade-off is real if you keep authentication in a token that lives for 30 minutes or something; that's the thing. I do recognize that these tokens should have a short life and that you regenerate them frequently, so the time window for that kind of problem is small. Yes, so again the comment is that checking this blacklist takes time. I'd also recommend deciding which endpoints are critical and validating for just those endpoints. It's one of those things where it's OK if they can continue to read data for a few more minutes, or maybe you want to protect that data, and you can choose to revalidate where necessary.

Well, you can try JSON Web Tokens in an existing app by finding any kind of a token and seeing how you would replace it; that's one way to try. If you are trying an authentication server, then it helps to have an app with some kind of login scheme where you just swap out the forms, so the form you submit goes back to a different back end. Although, of the two ideas, is there a drop-in replacement? There is a library called Knock, and Knock is like Devise with JWT, but it's built into the monolith, right, so it's not an authentication server that runs as a separate deployment, but Knock will use JWT as part of the same monolith.

Refreshing the tokens with more tokens: so the way that I've seen is where you maintain what's called an access token and a refresh token. The access token is what you're sending to the API. The refresh token is more secure because it's not used very much; the one thing it's used for is getting new access tokens. So let's say that your access token is good for an hour. Let's say that you decide every 30 minutes, way before that's going to expire, to use the refresh token to get a new one. What we can do is build revocation into that refresh system, so the refresh maybe actually does a real query or something to make sure that it's still OK to generate new access tokens. The dual token system means that one can have different security properties, and the other is used for your really chatty protocols because it's lightweight and doesn't require queries. They're kept in different places, with different security properties. Yeah, so the comment on that idea was that if you attempt to use a token and the error is that it's expired, you might decide it's time to get a new one, and that works like a fail-safe. I think that aggressively refreshing before that happens is a nicer, cleaner experience, and if you refresh well enough you may or may not need that kind of last-moment "it's expired, get a new one".

Yeah, that's the issue, that check. So in that kind of dire situation, which we all hope isn't happening, there's really no going back: you generate a new key and start using it, and then I would roll out this idea of an epoch, and you say any token generated before this point in time was using an old key that we don't trust anymore. So if the issued-at is before last Friday when this happened, then just throw it away, and those people are logged out. So the comment was that you might have multiple keys, and so you need an epoch per key. JSON Web Tokens have a claim called kid, so you can embed within each JWT a signature of the key that was being used, and that will let you, if you have a record of the revocation, tell exactly which one was being used and whether it's still trustworthy.

For simple login sessions it's just what you saw: it's the user ID. If you choose to put them in a cookie, you need to also figure out CSRF, and you can put the CSRF token in the JWT because it's open-ended; you can add more stuff into it and solve the same problems. And I'm actually not a big fan of keeping a lot of data in sessions anyway, so I want to say on the slide it was like two or three lines; it was maybe 50 percent longer than the Rails equivalent. Some people advocate for keeping more user information in there, like are they an admin, what permissions do they have, what's their name and email; you can save more queries that way. The downside is, as mentioned earlier, you have to decide how much you care about that information being stale, right? I think that to the fifth power was what was
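The verification checklist from the talk (issuer, audience, expiration, signature, and issued-at against the last key change) and the scoped password-reset token with its optimistic lock, as one added example in plain Ruby. This is illustrative code written for this page, not code from the talk, from Rails, or from Keratin AuthN. The issuer and audience URLs, the shared HMAC secret, the key epoch, the `lock` claim name and the in-memory `USERS` hash are all assumptions; a real application would use a maintained JWT library rather than hand-rolled parsing.

```ruby
require 'json'
require 'openssl'

# Added example (not the talk's or Keratin AuthN's code). HS256 only; the
# verifier pins the algorithm instead of trusting the token's own header.
module MiniJwt
  class VerificationError < StandardError; end

  def self.b64url(bytes)
    [bytes].pack('m0').tr('+/', '-_').delete('=')
  end

  def self.unb64url(str)
    s = str.tr('-_', '+/')
    (s + '=' * ((4 - s.length % 4) % 4)).unpack1('m0')
  end

  def self.hmac(secret, input)
    OpenSSL::HMAC.digest('SHA256', secret, input)
  end

  # Constant-time comparison so a forged signature cannot be guessed byte by byte.
  def self.secure_equal?(a, b)
    a.bytesize == b.bytesize && a.bytes.zip(b.bytes).sum { |x, y| x ^ y }.zero?
  end

  def self.encode(claims, secret)
    input = "#{b64url(JSON.generate({ 'alg' => 'HS256', 'typ' => 'JWT' }))}.#{b64url(JSON.generate(claims))}"
    "#{input}.#{b64url(hmac(secret, input))}"
  end

  # The five questions from the talk, signature before any claim is believed.
  def self.decode(token, secret, issuer:, audience:, key_epoch:, now:)
    parts = token.split('.')
    raise VerificationError, 'malformed token' unless parts.length == 3
    header = JSON.parse(unb64url(parts[0]))
    raise VerificationError, 'unexpected alg' unless header.is_a?(Hash) && header['alg'] == 'HS256'
    expected = hmac(secret, "#{parts[0]}.#{parts[1]}")
    raise VerificationError, 'bad signature' unless secure_equal?(expected, unb64url(parts[2]))
    claims = JSON.parse(unb64url(parts[1]))
    raise VerificationError, 'unknown issuer' unless claims.is_a?(Hash) && claims['iss'] == issuer
    raise VerificationError, 'wrong audience' unless Array(claims['aud']).include?(audience)
    raise VerificationError, 'expired' unless claims['exp'].is_a?(Integer) && now < claims['exp']
    raise VerificationError, 'issued before key change' unless claims['iat'].is_a?(Integer) && claims['iat'] >= key_epoch
    claims
  rescue JSON::ParserError, ArgumentError => e
    raise VerificationError, "malformed token: #{e.message}"
  end
end

ISSUER    = 'https://authn.example.test'.freeze  # assumed issuer URL
AUDIENCE  = 'https://app.example.test'.freeze    # assumed audience (this app)
SECRET    = 'dev-only-secret-do-not-ship'.freeze # assumed shared HMAC secret
KEY_EPOCH = Time.utc(2017, 4, 21).to_i           # assumed: when SECRET was last rotated
TTL       = 30 * 60                              # 30-minute tokens, as in the Q&A

# Constructed stand-in for the users table (id => columns).
USERS = { 42 => { password_changed_at: Time.utc(2017, 4, 1).to_i } }

def base_claims(user_id, now)
  { 'iss' => ISSUER, 'aud' => AUDIENCE, 'sub' => user_id.to_s, 'iat' => now, 'exp' => now + TTL }
end

# Login: identity token, sent in a cookie to browsers or in a JSON body to API clients.
def identity_token(user_id, now: Time.now.to_i)
  MiniJwt.encode(base_claims(user_id, now), SECRET)
end

# Password reset: same token plus a scope and the optimistic lock value.
def password_reset_token(user_id, now: Time.now.to_i)
  lock = USERS[user_id][:password_changed_at]
  MiniJwt.encode(base_claims(user_id, now).merge('scope' => 'reset', 'lock' => lock), SECRET)
end

# Every controller except passwords: any scoped token is refused as a session.
def current_user_id(token, now: Time.now.to_i)
  claims = MiniJwt.decode(token, SECRET, issuer: ISSUER, audience: AUDIENCE, key_epoch: KEY_EPOCH, now: now)
  return nil if claims.key?('scope')
  Integer(claims['sub'])
rescue MiniJwt::VerificationError, ArgumentError, TypeError
  nil
end

# Passwords controller: requires scope=reset and an unchanged password_changed_at.
def reset_allowed?(token, now: Time.now.to_i)
  claims = MiniJwt.decode(token, SECRET, issuer: ISSUER, audience: AUDIENCE, key_epoch: KEY_EPOCH, now: now)
  user = USERS[Integer(claims['sub'])]
  claims['scope'] == 'reset' && !user.nil? && claims['lock'] == user[:password_changed_at]
rescue MiniJwt::VerificationError, ArgumentError, TypeError
  false
end

# Changing the password bumps the lock, which expires every outstanding reset token.
def change_password!(user_id, now: Time.now.to_i)
  USERS[user_id][:password_changed_at] = now
end
```

The order inside `decode` matters: the signature is checked before the payload is parsed or any claim is read, so an attacker-controlled body is never interpreted until it has been proven to come from the issuer, and the algorithm is fixed by the verifier rather than read from the token.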
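The asymmetric setup from problem four and the key-id discussion from the Q&A, as a second added example (again illustrative code written for this page, not Keratin AuthN's implementation): the issuer signs with an RSA private key and publishes only the public keys as a JWK Set; the audience picks the key named by the token's `kid`, rebuilds an OpenSSL public key from the JWK's `n` and `e`, and verifies the signature. Key ids, key size and claims are assumptions, and the JWK Set is passed in as a JSON string standing in for the HTTP fetch and cache. The issuer, audience and expiry checks belong after `verify_with_jwks` returns.

```ruby
require 'json'
require 'openssl'

# Added example (not the talk's or Keratin AuthN's code).
module Jwks
  def self.b64url(bytes)
    [bytes].pack('m0').tr('+/', '-_').delete('=')
  end

  def self.unb64url(str)
    s = str.tr('-_', '+/')
    (s + '=' * ((4 - s.length % 4) % 4)).unpack1('m0')
  end

  # Issuer side: the JWK Set served on the public HTTP endpoint. Only the
  # modulus and public exponent leave the issuer; the private key never does.
  def self.jwk_set(keys_by_kid)
    keys = keys_by_kid.map do |kid, key|
      { 'kty' => 'RSA', 'use' => 'sig', 'alg' => 'RS256', 'kid' => kid,
        'n' => b64url(key.n.to_s(2)), 'e' => b64url(key.e.to_s(2)) }
    end
    JSON.generate({ 'keys' => keys })
  end

  # Issuer side: RS256 token that names its signing key in the header.
  def self.sign(claims, private_key, kid)
    header = { 'alg' => 'RS256', 'typ' => 'JWT', 'kid' => kid }
    input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
    "#{input}.#{b64url(private_key.sign(OpenSSL::Digest.new('SHA256'), input))}"
  end

  # Audience side: rebuild a public key from n and e by wrapping them in a
  # SubjectPublicKeyInfo DER structure (works on OpenSSL 3, where keys are immutable).
  def self.public_key_from_jwk(jwk)
    n = OpenSSL::BN.new(unb64url(jwk['n']), 2)
    e = OpenSSL::BN.new(unb64url(jwk['e']), 2)
    rsa_public = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer(n), OpenSSL::ASN1::Integer(e)])
    spki = OpenSSL::ASN1::Sequence([
      OpenSSL::ASN1::Sequence([OpenSSL::ASN1::ObjectId('rsaEncryption'), OpenSSL::ASN1::Null(nil)]),
      OpenSSL::ASN1::BitString(rsa_public.to_der)
    ])
    OpenSSL::PKey::RSA.new(spki.to_der)
  end

  # Audience side: pin alg to RS256, select the published key by kid, verify.
  # Returns the claims on success, nil otherwise. An unknown kid is rejected
  # rather than trusted; re-fetching the JWK Set is the caller's decision.
  def self.verify_with_jwks(token, jwks_json)
    h, p, s = token.split('.')
    return nil unless h && p && s && token.count('.') == 2
    header = JSON.parse(unb64url(h))
    return nil unless header.is_a?(Hash) && header['alg'] == 'RS256'
    jwk = JSON.parse(jwks_json)['keys'].find { |k| k['kid'] == header['kid'] && k['kty'] == 'RSA' }
    return nil unless jwk
    key = public_key_from_jwk(jwk)
    return nil unless key.verify(OpenSSL::Digest.new('SHA256'), unb64url(s), "#{h}.#{p}")
    JSON.parse(unb64url(p))
  rescue JSON::ParserError, ArgumentError, OpenSSL::PKey::PKeyError
    nil
  end
end

# Demo: two issuer keys published at once (rotation in progress) and one key
# that was never published, standing in for an attacker.
ISSUER_KEYS = { '2017-03' => OpenSSL::PKey::RSA.new(2048), '2017-04' => OpenSSL::PKey::RSA.new(2048) }
PUBLISHED_JWKS = Jwks.jwk_set(ISSUER_KEYS)

def demo
  claims = { 'iss' => 'https://authn.example.test', 'sub' => '42' }  # assumed issuer URL
  {
    current:     Jwks.verify_with_jwks(Jwks.sign(claims, ISSUER_KEYS['2017-04'], '2017-04'), PUBLISHED_JWKS),
    previous:    Jwks.verify_with_jwks(Jwks.sign(claims, ISSUER_KEYS['2017-03'], '2017-03'), PUBLISHED_JWKS),
    unknown_kid: Jwks.verify_with_jwks(Jwks.sign(claims, ISSUER_KEYS['2017-04'], '2016-12'), PUBLISHED_JWKS),
    forged:      Jwks.verify_with_jwks(Jwks.sign(claims, OpenSSL::PKey::RSA.new(2048), '2017-04'), PUBLISHED_JWKS)
  }
end
```

Publishing two keys at once is what makes rotation a non-event: the issuer starts signing with the new key while the old one is still listed, and retires the old entry once every token signed with it has expired. Because the `kid` is read from an unverified header, it is used only to select a published key, never to fetch a key from a location the token names.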

Metadaten

Formale Metadaten

Titel Portable Sessions with JSON Web Tokens
Serientitel RailsConf 2017
Teil 66
Anzahl der Teile 86
Autor Ivy, Lance
Lizenz CC-Namensnennung - Weitergabe unter gleichen Bedingungen 3.0 Unported:
Sie dürfen das Werk bzw. den Inhalt zu jedem legalen und nicht-kommerziellen Zweck nutzen, verändern und in unveränderter oder veränderter Form vervielfältigen, verbreiten und öffentlich zugänglich machen, sofern Sie den Namen des Autors/Rechteinhabers in der von ihm festgelegten Weise nennen und das Werk bzw. diesen Inhalt auch in veränderter Form nur unter den Bedingungen dieser Lizenz weitergeben.
DOI 10.5446/31270
Herausgeber Confreaks, LLC
Erscheinungsjahr 2017
Sprache Englisch

Inhaltliche Metadaten

Fachgebiet Informatik
Abstract Ever wonder why applications use sessions and APIs use tokens? Must there really be a difference? JSON Web Tokens are an emerging standard for portable secure messages. We'll talk briefly about how they're built and how they earn your trust, then dig into some practical examples you can take back and apply to your own majestic monolith or serious services.

Ähnliche Filme

Loading...