micro web service - slim and jwt
Micro Webservice Framework
Slim Framework / JSON Web Token (JWT)
Slim Framework
Welcome
Slim is a PHP micro framework that helps you
quickly write simple yet powerful web applications
and APIs.
At its core, Slim is a dispatcher that receives an
HTTP request, invokes an appropriate callback
routine, and returns an HTTP response. That’s it.
Why use Slim?
● RESTful routing out of the box
● Good documentation
● Provides what a micro framework should have and nothing more
● Very large following
● Easy to learn
PSR-7 and value objects
Slim's Request and Response objects implement the PSR-7 HTTP message
interfaces. They are immutable value objects: the with*() methods
(withHeader(), withStatus(), withAttribute()...) never change the object
they are called on but return a new copy with the change applied, so you
must keep the returned object.
Dependency Container
Slim uses a dependency container to prepare, manage, and inject
application dependencies.
Middleware
You can run code before and after your Slim application to
manipulate the Request and Response objects as you see fit.
This is called middleware.
Request and Response
When you build a Slim app, you are often working directly
with Request and Response objects.
These objects represent the actual HTTP request
received by the web server and the eventual HTTP
response returned to the client.
Why would you want to do this?
● Protect your app (for example, response headers that limit what an injected script can do, against XSS)
● Authenticate
● API logging
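The three uses above, as an added example that is not code from the slides: two Slim 3 middlewares wrapped around a route. The first runs code after the application to add protective headers, the second runs code before and after to log the call. It assumes Slim 3 installed through Composer (vendor/autoload.php); the route name and the header values are chosen for illustration.

```php
<?php
// Added example (not from the slides): Slim 3 middleware running around every route.
// Assumes Slim 3 is installed via Composer. Slim 3 runs middleware last-in, first-out,
// so the logger added second is the outermost layer.
require __DIR__ . '/vendor/autoload.php';

use Psr\Http\Message\ServerRequestInterface as Request;
use Psr\Http\Message\ResponseInterface as Response;

$app = new \Slim\App();

// "Protect your app": once the route has produced its response, add headers that limit
// what an injected script could do. PSR-7 objects are immutable, so each with*() call
// returns a new Response; the returned object is what goes to the client.
$app->add(function (Request $request, Response $response, callable $next): Response {
    $response = $next($request, $response);            // run the rest of the app first
    return $response
        ->withHeader('Content-Security-Policy', "default-src 'self'")
        ->withHeader('X-Content-Type-Options', 'nosniff')
        ->withHeader('X-Frame-Options', 'DENY');
});

// "API logging": code before the route records the start, code after it records the
// outcome. Written to stderr here; a real app would pull a PSR-3 logger from the container.
$app->add(function (Request $request, Response $response, callable $next): Response {
    $start = microtime(true);
    $response = $next($request, $response);
    fprintf(STDERR, "%s %s -> %d (%.1f ms)\n",
        $request->getMethod(),
        $request->getUri()->getPath(),
        $response->getStatusCode(),
        (microtime(true) - $start) * 1000);
    return $response;
});

// Hypothetical route. Output that comes from the URL is escaped so the route itself
// does not undo the protection the header middleware adds.
$app->get('/hello/{name}', function (Request $request, Response $response, array $args): Response {
    $response->getBody()->write('Hello, ' . htmlspecialchars($args['name'], ENT_QUOTES, 'UTF-8'));
    return $response->withHeader('Content-Type', 'text/html; charset=utf-8');
});

$app->run();
```

Run it with `php -S localhost:8080 index.php` and request /hello/world: the response carries the three headers, and the terminal shows a line such as `GET /hello/world -> 200 (1.2 ms)`.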
Request
● Methods: GET, POST, PUT, DELETE, HEAD,
PATCH, OPTIONS
● URI: Host, Port, Path...
● Header: Accept...
● Body content
● Character set, content length
Response
● Status: 200, 204, 404, 422, 500…
● Header: append, set, detect...
● Body: size, content
JSON Web Token
What is a JSON Web Token?
● JSON Web Token (JWT) is an open standard (RFC 7519) that defines a
compact and self-contained way for securely transmitting information
between parties as a JSON object.
● This information can be verified and trusted because it is digitally
signed, with an HMAC secret or with an RSA/ECDSA key pair.
● A signature gives integrity and authenticity, not confidentiality:
anyone holding the token can read its claims.
When should you use JSON Web Tokens?
● Authentication: once the user is logged in, each subsequent request
includes the JWT
● Information exchange: JWTs are a good way of transmitting information
between parties with a verifiable signature
What is the JSON Web Token structure?
● Header: typically consists of two parts
  ○ The type of the token (JWT)
  ○ The signing algorithm (HS256 = HMAC-SHA256, RS256 = RSA, ES256 = ECDSA…)
● Payload: contains three types of claims
  ○ Registered (reserved): iss (issuer), exp (expiration), sub (subject), iat, jti...
  ○ Public: can be defined at will by those using JWTs (ideally registered with IANA to avoid collisions)
  ○ Private: custom claims agreed between the parties
● Signature: computed with the header's algorithm over the encoded header and payload plus the secret:
  HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
Putting it all together
● The output is three Base64url-encoded strings separated by dots: header.payload.signature
● The claims body is the best part: it carries the issuer, the subject, the expiry and any custom claims
How do JSON Web Tokens work?
● Authentication: when the user successfully logs in with their credentials, a JWT is returned and must be stored by the client (local storage is common, but cookies can also be used). Caveat: anything in localStorage is readable by any script running on the page, so an XSS bug leaks the token; an HttpOnly cookie is not readable by script but brings back CSRF, so it needs CSRF protection (SameSite, for instance).
● Authorization: whenever the user wants to access a protected route or resource, the client sends the JWT, typically in the Authorization header (Authorization: Bearer <token>)
● This is a stateless authentication mechanism, as the user state is never saved in server memory
● As JWTs are self-contained, all the necessary information is in the token, reducing the need to go back to the database
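The structure and the login/authorize flow from the two slides above, as one added example that is not code from the slides: HS256 tokens are issued and verified in plain PHP (no JWT library), then wired into a Slim 3 login route and an authorization middleware. It assumes Slim 3 installed through Composer (vendor/autoload.php) and a secret read from the JWT_SECRET environment variable; the route paths, the single hard-coded test user and the 15-minute lifetime are illustrative choices.

```php
<?php
// Added example (not from the slides): HS256 JWT issue/verify plus a Slim 3 auth middleware.
// Assumes Slim 3 via Composer; the secret, user and routes below are illustrative.
require __DIR__ . '/vendor/autoload.php';

function base64url_encode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode(string $data): string
{
    $pad = strlen($data) % 4;
    if ($pad) {
        $data .= str_repeat('=', 4 - $pad);
    }
    $decoded = base64_decode(strtr($data, '-_', '+/'), true);
    return $decoded === false ? '' : $decoded;
}

// Issue a token: header.payload.signature, each segment base64url-encoded.
function jwt_issue(array $claims, string $secret): string
{
    $header  = base64url_encode(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
    $payload = base64url_encode(json_encode($claims));
    $sig     = base64url_encode(hash_hmac('sha256', "$header.$payload", $secret, true));
    return "$header.$payload.$sig";
}

// Verify: pin the algorithm, recompute the HMAC, compare in constant time, check exp.
// Returns the claims or null when anything is wrong (tampered, expired, wrong alg).
function jwt_verify(string $token, string $secret, ?int $now = null): ?array
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $s] = $parts;
    $header = json_decode(base64url_decode($h), true);
    // Never let the token choose its own algorithm: only HS256 is accepted, so an
    // "alg":"none" token or a key-confusion attempt is rejected before any crypto runs.
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null;
    }
    $expected = base64url_encode(hash_hmac('sha256', "$h.$p", $secret, true));
    if (!hash_equals($expected, $s)) {
        return null;
    }
    $claims = json_decode(base64url_decode($p), true);
    if (!is_array($claims) || !isset($claims['exp'])) {
        return null; // a token with no expiry is not accepted here
    }
    if (($now ?? time()) >= $claims['exp']) {
        return null; // expired
    }
    return $claims;
}

// Assumption: production reads a long random secret from the environment.
$secret = getenv('JWT_SECRET') ?: 'dev-only-change-me';
$app = new \Slim\App();

// Login: check credentials, hand back a short-lived token. The user check is a
// hypothetical stand-in for verifying a password hash from the user store.
$app->post('/login', function ($request, $response) use ($secret) {
    $body = (array) $request->getParsedBody();
    if (($body['user'] ?? '') !== 'alice' || ($body['pass'] ?? '') !== 'correct horse') {
        return $response->withStatus(401);
    }
    $now   = time();
    $token = jwt_issue([
        'iss' => 'slim-demo', 'sub' => 'alice', 'iat' => $now,
        'exp' => $now + 900, 'jti' => bin2hex(random_bytes(8)),
    ], $secret);
    return $response->withJson(['token' => $token]);
});

// Authorization middleware: runs before the route, rejects a missing or bad token,
// and passes the verified claims along as a request attribute.
$auth = function ($request, $response, $next) use ($secret) {
    if (!preg_match('/^Bearer\s+(\S+)$/', $request->getHeaderLine('Authorization'), $m)) {
        return $response->withStatus(401)->withHeader('WWW-Authenticate', 'Bearer');
    }
    $claims = jwt_verify($m[1], $secret);
    if ($claims === null) {
        return $response->withStatus(401)->withHeader('WWW-Authenticate', 'Bearer error="invalid_token"');
    }
    return $next($request->withAttribute('jwt', $claims), $response);
};

$app->get('/me', function ($request, $response) {
    return $response->withJson(['sub' => $request->getAttribute('jwt')['sub']]);
})->add($auth);

$app->run();
```

Because the payload is only base64url-encoded, `base64url_decode()` on the middle segment shows the claims to anyone who holds the token; the secret is needed only to produce or check the third segment. Flipping one character in either of the first two segments makes `jwt_verify()` return null, as does waiting past `exp`.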
Why should we use JWT?
What are we most concerned about?
● Sessions: every time a user is authenticated, the server needs to create a record somewhere on the server
● Stateless: NOT storing any information about the user on the server
● Scalability: since sessions are stored in memory, replicating servers becomes a problem
● CORS (Cross-Origin Resource Sharing): AJAX calls from another domain (mobile devices...) run into forbidden requests
● CSRF (Cross-Site Request Forgery): a third-party page gets the browser to execute unwanted actions with the user's ambient cookies
● Compatibility: mobile, and easy to use for a public API
● Transmission: size, local storage, when…?
Cookies
● Typically very small (4k hard limit)
● Sent automatically with every request to the domain
● Cookie-specific storage
● Very difficult across domains
● Subject to CSRF attacks
● Less support for mobile, can't be used for external API requests
● Contain a session id
● Require a database lookup on every request
● Server-side sessions (requests have to hit the same server, or the session store must be shared)
● Scaling difficult
JWT
● Can get larger depending on the info stored (8k soft limit: the default request header size limit of most web servers)
● Only sent when the client attaches it, not automatically by the browser
● LocalStorage or SessionStorage (readable by any script on the page, so XSS exposes the token)
● Works from any domain
● Not subject to CSRF when sent in the Authorization header (a JWT stored in a cookie is)
● Standard for mobile auth, easy to use for a public API
● Contains verified user information
● No db lookups required (the flip side: a token cannot be revoked before exp without reintroducing server-side state, such as a jti blocklist)
● State is stored on the client
● Scales easily
JWT: things to remember
● Base64 is NOT encryption: anyone holding the token can decode and read the header and payload
● Do not put sensitive info in the payload; if you must, encrypt it (JWE) rather than rely on the signature
● Use the registered claims (iss, exp, sub, jti, iat…) and check them on every request, exp in particular
● Keep your secret key SECRET, and make it long and random: an HMAC secret that can be guessed lets anyone mint valid tokens
● Pin the algorithm on the server; never let the token's own alg header decide how it is verified
Ho Chi Minh City
vdt.hutech@gmail
tuyenvuong.info
facebook.com/tuyendinhvuong
twitter.com/tuyendinhvuong