Stateless applications with PHP and JWT
TRANSCRIPT
stateless?
stateless: every request is handled as if it were the first
stateless: the application keeps no information about the active session
stateless: the request carries everything needed to be understood and processed
stateless: it is the client that keeps the state
advantages
advantages: horizontal scalability
advantages: lower consumption of computing resources
advantages: a simpler architecture design
advantages: microservices friendly
how?
JSON Web Token
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwOlwvXC9waHAtand0IiwiYXVkIjoiaHR0cDpcL1wvd3d3LnBocGRmLm9yZy5iclwvIiwianRpIjoiZWRjOWIwMWYtNjE4YS00YTMyLTkyZGYtZGRlMWM0YmRlMDA0IiwiaWF0IjoxNDkxOTY3MzU4LCJuYmYiOjE0OTE5Njc0MTgsImV4cCI6MTQ5MTk3MDk1OCwibmFtZSI6IkJydW5vIE5ldmVzIiwiZW1haWwiOiJicnVub25tQGdtYWlsLmNvbSJ9.O_jGNRVc7STUknGBavZi-dFqYLDkrt9LAB3zOCYRR_8
The three dot-separated parts are the header, the payload and the signature, each encoded with "url-safe" base64.
header

```json
{
  "typ": "JWT",
  "alg": "HS256"
}
```

payload

```json
{
  "iss": "http://php-jwt",
  "aud": "http://www.phpdf.org.br/",
  "jti": "edc9b01f-618a-4a32-92df-dde1c4bde004",
  "iat": 1491967358,
  "nbf": 1491967418,
  "exp": 1491970958,
  "name": "Bruno Neves",
  "email": "[email protected]"
}
```
signature

```php
base64UrlEncode(
    hash_hmac(
        'sha256',
        base64UrlEncode($headerJson) . '.' . base64UrlEncode($payloadJson), // signing input
        'xviphpfc', // shared secret (the demo key used throughout the slides)
        true        // raw binary output, base64url-encoded by the outer call
    )
);
```

JSON Web Signature - RFC 7515
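As an added example (not code from the slides), the signing step above carried through to a complete HS256 encoder together with the verifier the consuming side needs; `base64UrlEncode`/`base64UrlDecode` are written out because the slides use them without defining them, and `'xviphpfc'` is the slides' demo secret.

```php
<?php
// Added example (not from the slides): HS256 JWS built as the slides' hash_hmac
// snippet shows, plus the verifier a consumer needs. 'xviphpfc' is the demo secret.

function base64UrlEncode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '='); // RFC 7515 base64url
}

function base64UrlDecode(string $data): string
{
    $data .= str_repeat('=', (4 - strlen($data) % 4) % 4); // restore padding
    return (string) base64_decode(strtr($data, '-_', '+/'), true);
}

function jwtSignHs256(array $payload, string $key): string
{
    $header = ['typ' => 'JWT', 'alg' => 'HS256'];
    $input = base64UrlEncode(json_encode($header)) . '.' . base64UrlEncode(json_encode($payload));
    return $input . '.' . base64UrlEncode(hash_hmac('sha256', $input, $key, true));
}

// Returns the claims when the token is acceptable, null when it must be rejected.
function jwtVerifyHs256(string $token, string $key, int $now): ?array
{
    $parts = explode('.', $token);
    if (count($parts) !== 3 || $parts[2] === '') {
        return null; // malformed, or unsigned as an alg "none" token would be
    }
    [$h, $p, $s] = $parts;
    $header = json_decode(base64UrlDecode($h), true);
    // Pin the algorithm: the verifier decides how to check, never the token header.
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null;
    }
    // hash_equals is a constant-time comparison, so it leaks no timing information.
    if (!hash_equals(hash_hmac('sha256', "$h.$p", $key, true), base64UrlDecode($s))) {
        return null;
    }
    $claims = json_decode(base64UrlDecode($p), true);
    // Reserved time claims from the slides: not yet valid (nbf) or already expired (exp).
    if (!is_array($claims) || $now < ($claims['nbf'] ?? 0) || $now >= ($claims['exp'] ?? PHP_INT_MAX)) {
        return null;
    }
    return $claims;
}
$token = jwtSignHs256(['iss' => 'http://php-jwt', 'nbf' => 1491967418, 'exp' => 1491970958, 'name' => 'Bruno Neves'], 'xviphpfc');
var_dump(jwtVerifyHs256($token, 'xviphpfc', 1491968000)); // inside the nbf..exp window
var_dump(jwtVerifyHs256($token, 'xviphpfc', 1491971000)); // after exp
var_dump(jwtVerifyHs256($token, 'wrong-key', 1491968000)); // wrong secret
```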
claims
claims: reserved, public and private
reserved:
iss  issuer
sub  subject
aud  audience
exp  expiration time
nbf  not before
iat  issued at
jti  JWT id
all optional
public: defined according to need
public: must follow a naming convention that avoids name collisions
public: must be registered with IANA
private: like public claims, defined according to the needs agreed between the issuer and the consumer
claims, the big picture: include the information you need and respect the reserved claims, to guarantee the token's interoperability
usage
usage: header

```http
GET / HTTP/1.1
Host: localhost
Authorization: Bearer <token>
```

usage: query string

http://siteseguro.com?bearer=<token>

usage: or inside the POST body, although that is uncommon
why JWT?
why JWT? compact
why JWT? self-contained
why JWT? cross-domain
why JWT? secure
why JWT? language agnostic
cases
cases: authentication
cases: forgot my password
cases: single sign on
cases: CSRF protection
<?php
> composer require lcobucci/jwt
```php
$token = (new Lcobucci\JWT\Builder())
    ->setIssuer('http://php-jwt')                 // iss
    ->setAudience('http://www.phpdf.org.br/')     // aud
    ->setId(Ramsey\Uuid\Uuid::uuid4())            // jti: a random UUID
    ->setIssuedAt(time())                         // iat
    ->setNotBefore(time() + 60)                   // nbf: usable one minute from now
    ->setExpiration(time() + 3600)                // exp: valid for one hour
    ->set('name', 'Bruno Neves')                  // private claims
    ->set('email', '[email protected]')
    ->sign(new Lcobucci\JWT\Signer\Hmac\Sha256(), 'xviphpfc') // HS256 with the shared secret
    ->getToken();

echo $token;
```
```php
$token = (new Lcobucci\JWT\Parser())->parse($rawToken);
echo $token->getClaim('name'); // Bruno Neves

// Check the signature first: validate() below only inspects the claims.
var_dump($token->verify(new Lcobucci\JWT\Signer\Hmac\Sha256(), 'xviphpfc'));

$validation = new Lcobucci\JWT\ValidationData();
$validation->setIssuer('http://php-jwt');
$validation->setCurrentTime(time() + 3601);
var_dump($token->validate($validation)); // false, the token has expired
```
https://github.com/lexik/LexikJWTAuthenticationBundle
https://github.com/tymondesigns/jwt-auth
security
security: base64 is not encryption
security: do not put any sensitive information in the token
security: the signature guarantees that the token was not altered, but it does not prevent the claims from being read
security: use a recommended cryptographic algorithm (HMAC SHA256, RS256...) https://tools.ietf.org/html/rfc7519#section-8
security: whenever the algorithm is "none", make sure the token carries no signature before processing it
security: check the status of the library at http://jwt.io
FAQ
logout: delete the token on the client
invalidation: blacklist of still-valid (unexpired) tokens by their "jti"
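As an added example (not code from the slides), the "jti" blacklist from the FAQ written out: a denylist that stays bounded by token lifetime, assuming the signature and exp/nbf checks have already passed; the in-memory array and the class and function names are stand-ins for a shared store such as Redis that every node can reach.

```php
<?php
// Added example (not from the slides, PHP 7.4+): revocation for a stateless app.
// Signature and exp/nbf checks are assumed to have passed already (for instance
// lcobucci/jwt's verify() and validate()); this covers only the "jti" blacklist.
// The array stands in for a shared store (Redis, database) reachable by every
// node, which is the one piece of server-side state this scheme needs.

final class JtiDenyList
{
    /** @var array<string,int> jti => exp (unix time) */
    private array $entries = [];

    // Store the token's exp with its jti: once the token would be rejected as
    // expired anyway, its entry can go, so the list is bounded by token lifetime.
    public function revoke(string $jti, int $exp): void
    {
        $this->entries[$jti] = $exp;
    }

    public function isRevoked(string $jti, int $now): bool
    {
        $this->prune($now);
        return isset($this->entries[$jti]);
    }

    public function prune(int $now): void
    {
        $this->entries = array_filter($this->entries, fn (int $exp) => $exp > $now);
    }

    public function size(): int { return count($this->entries); }
}

// A token without "jti" cannot be revoked, so an app relying on revocation refuses it.
function acceptToken(array $claims, JtiDenyList $list, int $now): bool
{
    if (!isset($claims['jti'], $claims['exp'])) {
        return false;
    }
    return !$list->isRevoked((string) $claims['jti'], $now);
}

// Walk-through with the jti and exp from the slides' payload.
$claims = ['jti' => 'edc9b01f-618a-4a32-92df-dde1c4bde004', 'exp' => 1491970958];
$list = new JtiDenyList();
var_dump(acceptToken($claims, $list, 1491968000)); // not on the list yet
$list->revoke($claims['jti'], $claims['exp']);     // logout or password reset
var_dump(acceptToken($claims, $list, 1491968000)); // revoked while still unexpired
$list->prune(1491970958);                          // exp reached: entry dropped
var_dump($list->size());
```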
questions?
thank you!
references
https://tools.ietf.org/html/rfc7519
https://jwt.io
https://slideshare.net/lcobucci/jwt-to-authentication-and-beyond
https://slideshare.net/ivanrosolen/autenticao-com-json-web-token-jwt