![Page 1: PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://reader034.vdocuments.mx/reader034/viewer/2022051122/5876bf071a28ab6d5a8b474d/html5/thumbnails/1.jpg)
JSON WEB TOKEN
![Page 2: PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://reader034.vdocuments.mx/reader034/viewer/2022051122/5876bf071a28ab6d5a8b474d/html5/thumbnails/2.jpg)
Ivan Rosolen
Graduated in Information Systems
Postgraduate degree in Project Management
Developer for 15+ years
Author of several PHPT (tests for PHP)
Enthusiast for new technologies
Head of Innovation @ Arizona
CTO @ Mokation
![Page 3: PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://reader034.vdocuments.mx/reader034/viewer/2022051122/5876bf071a28ab6d5a8b474d/html5/thumbnails/3.jpg)
@ivanrosolen
![Page 4: PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://reader034.vdocuments.mx/reader034/viewer/2022051122/5876bf071a28ab6d5a8b474d/html5/thumbnails/4.jpg)
Authentication
![Page 5: PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://reader034.vdocuments.mx/reader034/viewer/2022051122/5876bf071a28ab6d5a8b474d/html5/thumbnails/5.jpg)
- Form Request Post/Get
- OAuth
- Key/Hash
- Credentials in plain text
- Session Cookies
![Page 6: PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://reader034.vdocuments.mx/reader034/viewer/2022051122/5876bf071a28ab6d5a8b474d/html5/thumbnails/6.jpg)
- Data is stored in plain text on the server
- Filesystem read/write requests
- Distributed/clustered applications
- Redis/Sticky sessions
![Page 7: PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://reader034.vdocuments.mx/reader034/viewer/2022051122/5876bf071a28ab6d5a8b474d/html5/thumbnails/7.jpg)
API
![Page 8: PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://reader034.vdocuments.mx/reader034/viewer/2022051122/5876bf071a28ab6d5a8b474d/html5/thumbnails/8.jpg)
- Stateless authentication (simplifies horizontal scaling)
- Prevent (mitigate) Cross-Site Request Forgery (CSRF) attacks.
- Security (https)
- Authorization: Bearer
![Page 9: PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://reader034.vdocuments.mx/reader034/viewer/2022051122/5876bf071a28ab6d5a8b474d/html5/thumbnails/9.jpg)
- Authentication vs. Authorization
- 401 unauthorized / 403 forbidden
- JWT != ACL
![Page 10: PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://reader034.vdocuments.mx/reader034/viewer/2022051122/5876bf071a28ab6d5a8b474d/html5/thumbnails/10.jpg)
JOSE
![Page 11: PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://reader034.vdocuments.mx/reader034/viewer/2022051122/5876bf071a28ab6d5a8b474d/html5/thumbnails/11.jpg)
- JWT
- JWS
- JWA
- JWK
- JWE
JSON Object Signing and Encryption
![Page 12: PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://reader034.vdocuments.mx/reader034/viewer/2022051122/5876bf071a28ab6d5a8b474d/html5/thumbnails/12.jpg)
Advantages
![Page 13: PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://reader034.vdocuments.mx/reader034/viewer/2022051122/5876bf071a28ab6d5a8b474d/html5/thumbnails/13.jpg)
- JSON Web Tokens work across different programming languages
- JWTs are self-contained
- JWTs can be passed around easily and securely
- Finer control, e.g. a "one-time token" for password reset, user confirmation, request rates, access, etc.
- One token to rule them all (stateless)
![Page 14: PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://reader034.vdocuments.mx/reader034/viewer/2022051122/5876bf071a28ab6d5a8b474d/html5/thumbnails/14.jpg)
Anatomy
![Page 15: PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://reader034.vdocuments.mx/reader034/viewer/2022051122/5876bf071a28ab6d5a8b474d/html5/thumbnails/15.jpg)
header.claims.signature
![Page 16: PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://reader034.vdocuments.mx/reader034/viewer/2022051122/5876bf071a28ab6d5a8b474d/html5/thumbnails/16.jpg)
Header
{
"typ": "JWT",
"alg": "HS256"
}
![Page 17: PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://reader034.vdocuments.mx/reader034/viewer/2022051122/5876bf071a28ab6d5a8b474d/html5/thumbnails/17.jpg)
Claims
- iss: The issuer of the token
- sub: The subject of the token
- aud: The audience of the token
- exp: This will probably be the registered claim most often used. It defines the expiration as a NumericDate value. The expiration MUST be after the current date/time.
- nbf: Defines the time before which the JWT MUST NOT be accepted for processing
- iat: The time the JWT was issued. Can be used to determine the age of the JWT
- jti: Unique identifier for the JWT. Can be used to prevent the JWT from being replayed. This is helpful for a one-time-use token.
http://www.slideshare.net/lcobucci/jwt-to-authentication-and-beyond
![Page 18: PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://reader034.vdocuments.mx/reader034/viewer/2022051122/5876bf071a28ab6d5a8b474d/html5/thumbnails/18.jpg)
Payload / Claims
{
"iss": "ivanrosolen.com",
"exp": 1300819380,
"name": "Ivan Rosolen",
"admin": true
}
![Page 19: PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://reader034.vdocuments.mx/reader034/viewer/2022051122/5876bf071a28ab6d5a8b474d/html5/thumbnails/19.jpg)
JWT
eyJ0eXAiOiAiSldUIiwiYWxnIjogIkhTMjU2In0=.eyJpc3MiOiAiaXZhbnJvc29sZW4uY29tIiwiZXhwIjogMTMwMDgxOTM4MCwibmFtZSI6ICJJdmFuIFJvc29sZW4iLCJhZG1pbiI6IHRydWV9.
![Page 20: PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://reader034.vdocuments.mx/reader034/viewer/2022051122/5876bf071a28ab6d5a8b474d/html5/thumbnails/20.jpg)
JWS
- header
- claims (payload)
base64(header) . base64(claims)
![Page 21: PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://reader034.vdocuments.mx/reader034/viewer/2022051122/5876bf071a28ab6d5a8b474d/html5/thumbnails/21.jpg)
JWA
- secret (HMAC SHA-256, RSA SHA-256, ...)
- sign the payload with the key 'Xuplau' (an HMAC signature, not encryption: the payload stays readable by anyone holding the token)
![Page 22: PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://reader034.vdocuments.mx/reader034/viewer/2022051122/5876bf071a28ab6d5a8b474d/html5/thumbnails/22.jpg)
Signature
var encodedString = base64UrlEncode(header) + "." + base64UrlEncode(payload);
var signature = HMACSHA256(encodedString, 'Xuplau');
![Page 23: PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://reader034.vdocuments.mx/reader034/viewer/2022051122/5876bf071a28ab6d5a8b474d/html5/thumbnails/23.jpg)
JWT
eyJ0eXAiOiAiSldUIiwiYWxnIjogIkhTMjU2In0=.eyJpc3MiOiAiaXZhbnJvc29sZW4uY29tIiwiZXhwIjogMTMwMDgxOTM4MCwibmFtZSI6ICJJdmFuIFJvc29sZW4iLCJhZG1pbiI6IHRydWV9.M2FjZTM0M2ZiNjhhMzBiOWNiYTkxN2U1Zjk4YjUxOWYzMTY3NGZlMmU4MTIzYjU1NTRkMjNlNjYzOTkyZGU2Nw==
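The Claims and Signature slides put together, as an added PHP example that is not the talk's screencast code: issue an HS256 token and verify it, pinning the algorithm server-side, comparing the HMAC in constant time and checking exp/nbf. It follows RFC 7515 encoding (unpadded base64url over the raw HMAC bytes), unlike the token on the slide, which uses padded standard base64 and a base64 of the hex digest; the key 'Xuplau' and the claims are the slide's, the helper names and the `check` function are my own.

```php
<?php
// Added example (not the talk's code), PHP >= 7.1: hand-rolled HS256 JWT issue/verify.
// 'Xuplau' is the slide's demo key; a real deployment needs a long random secret.

function base64url_encode(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode(string $data): string {
    $pad = str_repeat('=', (4 - strlen($data) % 4) % 4);
    return base64_decode(strtr($data, '-_', '+/') . $pad, true) ?: '';
}

function jwt_encode(array $claims, string $key): string {
    $header  = base64url_encode(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
    $payload = base64url_encode(json_encode($claims));
    // Sign the raw HMAC bytes (4th arg true), not the hex string hash_hmac returns by default.
    $sig = base64url_encode(hash_hmac('sha256', "$header.$payload", $key, true));
    return "$header.$payload.$sig";
}

// Returns the claims, or null on any failure (format, alg, signature, exp, nbf).
function jwt_verify(string $jwt, string $key, int $now, int $leeway = 0): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return null;
    [$h, $p, $s] = $parts;
    $header = json_decode(base64url_decode($h), true);
    // Pin the algorithm server-side: never accept "none" or whatever alg the header claims.
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') return null;
    $expected = hash_hmac('sha256', "$h.$p", $key, true);
    if (!hash_equals($expected, base64url_decode($s))) return null; // constant-time compare
    $claims = json_decode(base64url_decode($p), true);
    if (!is_array($claims)) return null;
    if (isset($claims['exp']) && $now >= $claims['exp'] + $leeway) return null; // expired
    if (isset($claims['nbf']) && $now + $leeway < $claims['nbf']) return null;  // not yet valid
    return $claims;
}

function check(bool $ok, string $what): void { echo ($ok ? 'PASS ' : 'FAIL ') . $what . PHP_EOL; }
// Demo: the slide's claims plus iat/nbf/jti, then the rejections a verifier must produce.
$now   = time();
$token = jwt_encode(['iss' => 'ivanrosolen.com', 'iat' => $now, 'nbf' => $now, 'exp' => $now + 3600,
    'jti' => bin2hex(random_bytes(16)), 'name' => 'Ivan Rosolen', 'admin' => true], 'Xuplau');
check(jwt_verify($token, 'Xuplau', $now) !== null, 'valid token accepted');
check(jwt_verify($token, 'wrong-key', $now) === null, 'wrong key rejected');
check(jwt_verify($token, 'Xuplau', $now + 7200) === null, 'expired token rejected');
[$h, $p, $s] = explode('.', $token);
$edited = base64url_encode(json_encode(['iss' => 'ivanrosolen.com', 'exp' => $now + 3600, 'admin' => true]));
check(jwt_verify("$h.$edited.$s", 'Xuplau', $now) === null, 'edited payload rejected (signature mismatch)');
```

A jti-based one-time-use check (the "one time token" from the Advantages slide) is the same `jwt_verify` followed by an atomic "seen jti" lookup in a server-side store; it is the one piece of state a stateless token cannot carry on its own.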
![Page 24: PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://reader034.vdocuments.mx/reader034/viewer/2022051122/5876bf071a28ab6d5a8b474d/html5/thumbnails/24.jpg)
Screencast
Using PHP, the screencast shows how to generate a JSON Web Token by hand (without any library); the token can be used to share information between applications and to authorize its bearer to access protected data.
https://www.youtube.com/watch?v=k3KfK0ZS_FY
![Page 25: PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://reader034.vdocuments.mx/reader034/viewer/2022051122/5876bf071a28ab6d5a8b474d/html5/thumbnails/25.jpg)
Warning!
![Page 26: PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://reader034.vdocuments.mx/reader034/viewer/2022051122/5876bf071a28ab6d5a8b474d/html5/thumbnails/26.jpg)
Code
![Page 27: PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://reader034.vdocuments.mx/reader034/viewer/2022051122/5876bf071a28ab6d5a8b474d/html5/thumbnails/27.jpg)
![Page 28: PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://reader034.vdocuments.mx/reader034/viewer/2022051122/5876bf071a28ab6d5a8b474d/html5/thumbnails/28.jpg)
![Page 29: PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://reader034.vdocuments.mx/reader034/viewer/2022051122/5876bf071a28ab6d5a8b474d/html5/thumbnails/29.jpg)
Github
- Session
- JWT
- JOSE
![Page 30: PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://reader034.vdocuments.mx/reader034/viewer/2022051122/5876bf071a28ab6d5a8b474d/html5/thumbnails/30.jpg)
Refs
![Page 31: PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://reader034.vdocuments.mx/reader034/viewer/2022051122/5876bf071a28ab6d5a8b474d/html5/thumbnails/31.jpg)
Github
- https://github.com/ivanrosolen/crud-demo
JWT
- https://github.com/dwyl/learn-json-web-tokens
- http://jwt.io
- https://developer.atlassian.com/static/connect/docs/latest/concepts/understanding-jwt.html
- http://stackoverflow.com/questions/20588467/how-to-do-stateless-session-less-cookie-less-authentication
Talks
- http://www.slideshare.net/erickt86/secureapi
- http://www.slideshare.net/lcobucci/jwt-to-authentication-and-beyond
Luís Otávio Cobucci Oblonczyk
- https://github.com/lcobucci/jwt
- https://github.com/Ocramius/PSR7Session
![Page 32: PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://reader034.vdocuments.mx/reader034/viewer/2022051122/5876bf071a28ab6d5a8b474d/html5/thumbnails/32.jpg)
????
![Page 33: PHP Experience 2016 - [Palestra] Json Web Token (JWT)](https://reader034.vdocuments.mx/reader034/viewer/2022051122/5876bf071a28ab6d5a8b474d/html5/thumbnails/33.jpg)
THANK YOU!
Visit phpsp.org.br
https://joind.in/talk/05eb0