JWTs - what developers need to know - Dan Moore
[Diagram: the User API owns the users, user_roles and roles tables; the Todo API owns the todos table]
CREATE TABLE todos (
id INT NOT NULL,
text TEXT NOT NULL,
user_id INT NOT NULL,
PRIMARY KEY (id)
);
[Diagram: the client sends POST /login to the User API; the User API looks up user 42 in the users table and returns the user as JSON]
{
"user": {
"id": 42,
"name": "Dan Moore",
"email": "dan@fusionauth.io",
"roles": ["admin"]
}
}
[Diagram: user 42 calls the Todo API with GET /todos?user_id=42 and receives JSON todos; user 1 calls GET /todos?user_id=1 and receives JSON todos such as "X Get milk"]
[Diagram: the User API issues an opaque token T to the user; the user presents T to the Todo API, which calls GET /token/T on the User API and gets the user back as JSON]
[Diagram: the User API issues a JWT to the user; the user presents the JWT to the Todo API]
eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJmdXNpb25hdXRoLmlvIiwiZXhwIjoxNTg5MjI3MDA2LCJhdWQiOiIyMzhkNDc5My03MGRlLTQxODMtOTcwNy00OGVkOGVjZDE5ZDkiLCJzdWIiOiIxOTAxNmI3My0zZmZhLTRiMjYtODBkOC1hYTkyODc3Mzg2NzciLCJuYW1lIjoiRGFuIE1vb3JlIiwicm9sZXMiOlsiUkVUUklFVkVfVE9ET1MiXX0.dlXJ3bdjsN9ivekeYMJdeA5jla6cKqxTkBixijRDpSTdDwwtSX4j0MdBsQhrYnJqVRdtBAufRC3T5hQpKVPgskP1nfkRqSJx1awZajeinab76HD_mdm5RwtuXycBgJ9KJt3JPAkyLSpeT-SrWO1h2gLt4pioP8GtSpIZocEXMcKkeOL7-8KyZAi1VYYQN3aiy0ZkbaKq7_nj2SrMYw4myRaAIYj0Ngamx9DlZrVfmSM4xn6ZwcvT17y_Ff0VX9T-Z6x9dEIPxhi8EVBDzyclmhaULn_9ALp2oIIIdACqzgoGZc2MwC0DED7-IIRt0Qi20H9nfyGavfDs80aGcubVLQ
Header:
eyJhbGciOiJSUzI1NiJ9
=
{
"alg": "HS256"
}

Payload:
eyJpc3MiOiJmdXNpb25hdXRoLmlvIiwiZXhwIjoxNTg5MjI3MDA2LCJhdWQiOiIyMzhkNDc5My03MGRlLTQxODMtOTcwNy00OGVkOGVjZDE5ZDkiLCJzdWIiOiIxOTAxNmI3My0zZmZhLTRiMjYtODBkOC1hYTkyODc3Mzg2NzciLCJuYW1lIjoiRGFuIE1vb3JlIiwicm9sZXMiOlsiUkVUUklFVkVfVE9ET1MiXX0
=
{
"iss": "fusionauth.io",
"exp": 1589227006,
"aud": "238d4793-70de-4183-9707-48ed8ecd19d9",
"sub": "19016b73-3ffa-4b26-80d8-aa9287738677",
"name": "Dan Moore",
"roles": ["RETRIEVE_TODOS"]
}

Signature:
dlXJ3bdjsN9ivekeYMJdeA5jla6cKqxTkBixijRDpSTdDwwtSX4j0MdBsQhrYnJqVRdtBAufRC3T5hQpKVPgskP1nfkRqSJx1awZajeinab76HD_mdm5RwtuXycBgJ9KJt3JPAkyLSpeT-SrWO1h2gLt4pioP8GtSpIZocEXMcKkeOL7-8KyZAi1VYYQN3aiy0ZkbaKq7_nj2SrMYw4myRaAIYj0Ngamx9DlZrVfmSM4xn6ZwcvT17y_Ff0VX9T-Z6x9dEIPxhi8EVBDzyclmhaULn_9ALp2oIIIdACqzgoGZc2MwC0DED7-IIRt0Qi20H9nfyGavfDs80aGcubVLQ
=
RSA / HMAC / Elliptic Curve signature
select * from todos where user_id = '19016b73-3ffa-4b26-80d8-aa9287738677';
Signed token (RS256):
eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJmdXNpb25hdXRoLmlvIiwiZXhwIjoxNTg5MjI3MDA2LCJhdWQiOiIyMzhkNDc5My03MGRlLTQxODMtOTcwNy00OGVkOGVjZDE5ZDkiLCJzdWIiOiIxOTAxNmI3My0zZmZhLTRiMjYtODBkOC1hYTkyODc3Mzg2NzciLCJuYW1lIjoiRGFuIE1vb3JlIiwicm9sZXMiOlsiUkVUUklFVkVfVE9ET1MiXX0.dlXJ3bdjsN9ivekeYMJdeA5jla6cKqxTkBixijRDpSTdDwwtSX4j0MdBsQhrYnJqVRdtBAufRC3T5hQpKVPgskP1nfkRqSJx1awZajeinab76HD_mdm5RwtuXycBgJ9KJt3JPAkyLSpeT-SrWO1h2gLt4pioP8GtSpIZocEXMcKkeOL7-8KyZAi1VYYQN3aiy0ZkbaKq7_nj2SrMYw4myRaAIYj0Ngamx9DlZrVfmSM4xn6ZwcvT17y_Ff0VX9T-Z6x9dEIPxhi8EVBDzyclmhaULn_9ALp2oIIIdACqzgoGZc2MwC0DED7-IIRt0Qi20H9nfyGavfDs80aGcubVLQ

Unsigned token ("alg": "none", empty signature segment):
eyJhbGciOiJub25lIn0.eyJpc3MiOiJmdXNpb25hdXRoLmlvIiwiZXhwIjoxNTg5MjI3NDgwLCJhdWQiOiIyMzhkNDc5My03MGRlLTQxODMtOTcwNy00OGVkOGVjZDE5ZDkiLCJzdWIiOiIxOTAxNmI3My0zZmZhLTRiMjYtODBkOC1hYTkyODc3Mzg2NzciLCJuYW1lIjoiRGFuIE1vb3JlIiwicm9sZXMiOlsiUkVUUklFVkVfVE9ET1MiXX0.

eyJhbGciOiJSUzI1NiJ9
=
{
"alg": "HS256"
}

eyJhbGciOiJub25lIn0
=
{
"alg": "none"
}
[Diagram: the User API issues a JWT to the user, who presents it to the Todo API; the Todo API needs the RSA public key to verify it]
[Diagram: the User API shares its public key (PK) with the Todo API so the Todo API can verify JWTs locally]
[Diagram: the Todo API fetches the public key from the User API]

GET /api/jwt/keys
{
"publicKey": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArPvW9SEPuzi2Mg5FTTN8Y\nLr0VOBzvX1O7U9Ee0+8+2Xvv3GeLMxquJ7Ijn\nosV0fdoZmqrjXwA++ipqKHuhWk/bnPsjXWijE/a0q0yTn3f ..."
}
Header with a key id:
{
"typ": "JWT",
"alg": "RS256",
"kid": "42"
}

Keys endpoint response, keyed by kid:
{
"publicKeys": {
"42": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArPvW9SEPuzi2Mg5FTTN8Y\nLr0VOBzvX1O7U9Ee0+8+2Xvv3GeLMxquJ7Ijn\nosV0fdoZmqrjXwA++ipqKHuhWk/bnPsjXWijE/a0q0yTn3f ..."
}
}
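The checks a consuming API such as the Todo API has to make before trusting the claims above (reject "alg": "none" and any unexpected algorithm, pick the key by "kid", verify the signature, then check "aud" and "exp") as an added example that is not from the slides or from FusionAuth. It assumes the constructed key map and secret below; HS256 stands in for the RS256 keys on the page so it runs on the Python standard library alone, and the check structure is the same.

```python
import base64, hashlib, hmac, json

# Constructed demo values: keys the consuming API trusts, keyed by the "kid" it
# expects in the header, its allowed algorithms, and its audience id from the page.
TRUSTED_KEYS = {"42": b"constructed-demo-secret-for-kid-42"}
ALLOWED_ALGS = {"HS256"}
EXPECTED_AUD = "238d4793-70de-4183-9707-48ed8ecd19d9"

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(header: dict, claims: dict, key: bytes) -> str:
    """Mint a token the way the issuing User API would (demo helper)."""
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

def verify_jwt(token: str, now: int) -> dict:
    """Return the claims if the token is acceptable, otherwise raise ValueError."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
    except (ValueError, UnicodeDecodeError) as e:
        raise ValueError("malformed token") from e
    # The token does not choose how it is verified: "none" and any algorithm
    # outside the allowlist are rejected before a key is even looked up.
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")
    key = TRUSTED_KEYS.get(str(header.get("kid")))
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    if claims.get("aud") != EXPECTED_AUD:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims

def rejection_reason(token: str, now: int):
    """The reason verify_jwt rejects a token, or None when it is accepted."""
    try:
        verify_jwt(token, now)
        return None
    except ValueError as e:
        return str(e)
```

The "now" argument is the verifier's clock in epoch seconds; the page's token has exp 1589227006, so it is accepted just before that instant and rejected from then on.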
[Diagram: the User API issues both a JWT and a refresh token (RT) to the user; the user presents the JWT to the Todo API]
delete from users where user_id = 42;
Oops! No ON DELETE CASCADE
[Diagram: a DELETE of a user in the User API must also reach the todos table; the User API emits an event via a webhook so the Todo API can perform its own DELETE]
/api/logout NOT
[Diagram: Logout: the user's JWT and refresh token (RT) are marked X]
[Diagram: on logout the User API emits a jwt.refresh-token.revoke event via webhook to the Todo API]
[Slide: 1:12:47 pm to 1:42:47 pm]