micro web service - slim and jwt

Tags: Micro Webservice Framework, Slim Framework, JSON Web Token (JWT)

Upload: tuyen-vuong

Post on 15-Apr-2017


Category: Technology



TRANSCRIPT

Page 1: Micro Web Service - Slim and JWT

Micro Webservice Framework

Slim Framework
JSON Web Token (JWT)

Page 2: Micro Web Service - Slim and JWT

Slim Framework

Welcome

Slim is a PHP micro framework that helps you quickly write simple yet powerful web applications and APIs.

At its core, Slim is a dispatcher that receives an HTTP request, invokes an appropriate callback routine, and returns an HTTP response. That's it.

Why use Slim?

● RESTful routing built in
● Good documentation
● Provides what a micro framework should have, and nothing more
● Very large following
● Easy to learn

Page 3: Micro Web Service - Slim and JWT

PSR 7 and value objects

The PSR-7 interfaces provide with*() methods to transform Request and Response objects. Because these objects are immutable value objects, each such method returns a new instance instead of changing the original, so you must always keep working with the returned object.

Dependency Container

Slim uses a dependency container to prepare, manage, and inject application dependencies.

Middleware

You can run code before and after your Slim application to manipulate the Request and Response objects as you see fit. This is called middleware.

Request and Response

When you build a Slim app, you are often working directly with Request and Response objects. These objects represent the actual HTTP request received by the web server and the eventual HTTP response returned to the client.

Page 4: Micro Web Service - Slim and JWT

Why would you want to do this?

● Protect your app (e.g. against XSS)
● Authenticate requests
● API logging
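The three middleware uses above, written out as an added example that is not code from the slides or from the Slim project: one Slim 3 middleware that adds anti-XSS response headers, one that logs every API call, and a container entry the logger is pulled from. It assumes Slim 3 is installed with `composer require slim/slim:^3.12`; the `apiLogger` service name and the `/ping` route are made up for the demo.

```php
<?php
// Added example, not from the slides: two Slim 3 middlewares (security headers
// and API logging) plus the container entry they depend on.
// Assumes `composer require slim/slim:^3.12`; 'apiLogger' and /ping are made up.
require __DIR__ . '/vendor/autoload.php';

use Psr\Http\Message\ResponseInterface as Response;
use Psr\Http\Message\ServerRequestInterface as Request;

$app = new \Slim\App(['settings' => ['displayErrorDetails' => false]]);

// Dependency container: the logger is built lazily, once, and injected below.
$container = $app->getContainer();
$container['apiLogger'] = function () {
    // Assumption: PHP's error_log() is the sink; use Monolog or similar in production.
    return function (string $line): void {
        error_log(date('c') . ' api ' . $line);
    };
};

// Middleware A (protect your app): security headers on every response.
// PSR-7 messages are immutable value objects: each with*() call returns a new
// Response and leaves the original untouched, so always use the returned one.
$securityHeaders = function (Request $request, Response $response, callable $next): Response {
    $response = $next($request, $response);   // run the route first, then decorate
    return $response
        ->withHeader('X-Content-Type-Options', 'nosniff')
        ->withHeader('X-Frame-Options', 'DENY')
        ->withHeader('Content-Security-Policy', "default-src 'none'; frame-ancestors 'none'");
};

// Middleware B (API logging): code before the route (start a timer) and after
// it (read the final status) around the same $next call.
$apiLogging = function (Request $request, Response $response, callable $next) use ($container): Response {
    $start = microtime(true);
    $response = $next($request, $response);
    $log = $container->get('apiLogger');
    $log(sprintf('%s %s -> %d in %.1f ms from %s',
        $request->getMethod(),
        $request->getUri()->getPath(),
        $response->getStatusCode(),
        (microtime(true) - $start) * 1000,
        $request->getServerParams()['REMOTE_ADDR'] ?? '-'
    ));
    return $response;
};

// Slim 3 runs middleware last-in, first-out: apiLogging is added last, so it
// wraps securityHeaders and sees the final status code and headers.
$app->add($securityHeaders);
$app->add($apiLogging);

$app->get('/ping', function (Request $request, Response $response): Response {
    $response->getBody()->write(json_encode(['pong' => true]));
    return $response->withHeader('Content-Type', 'application/json');
});

$app->run();
```

Run it with `php -S localhost:8080 index.php` and request `/ping`: the response carries the three security headers and one log line per call appears in the PHP error log. An authentication middleware has the same shape; it inspects the request before calling `$next` and returns a 401 response without calling it when the check fails.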

Page 5: Micro Web Service - Slim and JWT

Request

● Methods: GET, POST, PUT, DELETE, HEAD, PATCH, OPTIONS
● URI: host, port, path...
● Headers: Accept...
● Body content
● Character set, content length

Response

● Status: 200, 204, 422, 404, 500...
● Headers: append, set, detect...
● Body: size, content

Page 6: Micro Web Service - Slim and JWT

JSON Web Token

What is JSON Web Token?

● JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way of securely transmitting information between parties as a JSON object
● This information can be verified and trusted because it is digitally signed

When should you use JSON Web Token?

● Authentication: once the user is logged in, each subsequent request includes the JWT
● Information Exchange: JWTs are a good way of securely transmitting information between parties, because the signature proves who sent them and that the content was not altered

Page 7: Micro Web Service - Slim and JWT

What is the JSON Web Token structure?

● Header: typically consists of two parts
○ The type of the token (JWT)
○ The signing algorithm (e.g. HS256 = HMAC-SHA256, RS256 = RSA)
● Payload: contains three types of claims
○ Registered (called "reserved" in early drafts): iss (issuer), exp (expiration), sub (subject)...
○ Public: these can be defined at will by those using JWTs
○ Private: custom claims agreed between the parties
● Signature: computed over
○ The encoded header
○ The encoded payload
○ A secret (or private key)
○ Using the algorithm named in the header, e.g. HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

Page 8: Micro Web Service - Slim and JWT

Putting it all together

● The output is three Base64url strings separated by dots
● The claims body is the best part! It can tell:

Page 9: Micro Web Service - Slim and JWT

How do JSON Web Tokens work?

● In Authentication, when the user successfully logs in with their credentials, a JWT is returned and must be saved locally (local storage, but cookies can also be used)
● In Authorization, whenever the user wants to access a protected route or resource, it sends the JWT, typically in the Authorization header (Authorization: Bearer <token>)
● This is a stateless authentication mechanism, as the user state is never saved in server memory (which also means a token cannot be revoked before its exp, so keep lifetimes short)
● As JWTs are self-contained, all the necessary information is there (reducing the need to go back to the database)

Page 10: Micro Web Service - Slim and JWT

Why should we use JWT?

Page 11: Micro Web Service - Slim and JWT

What are we most concerned about?

● Sessions: every time a user is authenticated, the server needs to create a record somewhere on our server
● Stateless: NOT storing any information about our user on the server
● Scalability: since sessions are stored in memory, replicating servers becomes a problem
● CORS (Cross-Origin Resource Sharing): AJAX calls from another domain (mobile devices)... problems with forbidden requests
● CSRF (Cross-Site Request Forgery): a third-party site executes unwanted actions with the user's ambient credentials
● Compatibility: mobile, and easy to use for public APIs
● Transmission: size, local storage, when to send it...?

Page 12: Micro Web Service - Slim and JWT

Cookies

● Typically very small (4k hard limit)
● Sent with every request to the domain
● Cookie-specific storage
● Very difficult across domains
● Subject to CSRF attacks (the browser attaches them automatically)
● Less support for mobile, can't use for external API requests
● Contains a session id
● Requires a database lookup on every request
● Server-side sessions (requests must hit the same server, or use a shared session store)
● Scaling difficult

JWT

● Can get larger depending on the info stored (8k soft limit)
● Only sent when necessary
● LocalStorage or SessionStorage (readable by any script on the page, so an XSS flaw leaks the token)
● Works from any domain
● Not subject to CSRF when sent in the Authorization header (a JWT stored in a cookie is)
● Standard for mobile auth, easy to use for public APIs
● Contains signed user information that the server can verify
● No DB lookups required
● State is stored on the client
● Scales easily

Page 13: Micro Web Service - Slim and JWT

JWT Things to Remember

● Base64 is NOT secure: it is encoding, not encryption, so anyone holding the token can read the claims
● Encrypt sensitive info (JWE), or better, keep it out of the payload
● Use the registered claims (iss, exp, sub, jti, iat...) and validate them on every request
● Keep your secret key SECRET

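The token structure from page 7, the Authorization-header flow from page 9 and the checks listed above, as one added example that is not code from the slides or from any JWT library: a minimal HS256 issuer and verifier in plain PHP. The verifier pins the algorithm instead of trusting the header, compares the MAC in constant time, and validates iss and exp; the secret, issuer URL, claims and the two attack tokens at the end are constructed for the demo.

```php
<?php
// Added example, not from the slides: a minimal HS256 JWT issuer and verifier
// in plain PHP (no library). Secret, issuer, claims and attack tokens are made up.
declare(strict_types=1);

function base64url_encode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode(string $data): string
{
    $pad = strlen($data) % 4;
    if ($pad !== 0) {
        $data .= str_repeat('=', 4 - $pad);
    }
    $out = base64_decode(strtr($data, '-_', '+/'), true);
    if ($out === false) {
        throw new RuntimeException('invalid base64url');
    }
    return $out;
}

// token = base64url(header) . "." . base64url(payload) . "." . base64url(sig)
// sig   = HMAC-SHA256(base64url(header) . "." . base64url(payload), secret)
function jwt_encode(array $claims, string $secret): string
{
    $header  = base64url_encode(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
    $payload = base64url_encode(json_encode($claims));
    $sig     = base64url_encode(hash_hmac('sha256', "$header.$payload", $secret, true));
    return "$header.$payload.$sig";
}

// Verifies a token and returns its claims, or throws. The algorithm is fixed by
// the verifier (never read from the header, which defeats alg=none and key
// confusion), the MAC is compared in constant time, and iss/exp are checked.
function jwt_decode(string $token, string $secret, string $expectedIss, ?int $now = null): array
{
    $now = $now ?? time();
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        throw new RuntimeException('token must have three parts');
    }
    [$h, $p, $s] = $parts;

    $header = json_decode(base64url_decode($h), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        throw new RuntimeException('unexpected alg');
    }
    $expectedMac = hash_hmac('sha256', "$h.$p", $secret, true);
    if (!hash_equals($expectedMac, base64url_decode($s))) {
        throw new RuntimeException('bad signature');
    }
    $claims = json_decode(base64url_decode($p), true);
    if (!is_array($claims)) {
        throw new RuntimeException('bad payload');
    }
    if (($claims['iss'] ?? null) !== $expectedIss) {
        throw new RuntimeException('wrong issuer');
    }
    if (!isset($claims['exp']) || $now >= (int) $claims['exp']) {
        throw new RuntimeException('token expired or missing exp');
    }
    return $claims;
}

// Extracts the token from "Authorization: Bearer <jwt>".
function bearer_token(string $authorization): ?string
{
    $re = '/^Bearer\s+([A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)$/';
    return preg_match($re, $authorization, $m) === 1 ? $m[1] : null;
}

// --- demo (constructed values) ---
$issuer = 'https://api.example.test';
$secret = bin2hex(random_bytes(32));    // load from the environment in real code, never commit it
$now    = time();
$token  = jwt_encode([
    'iss' => $issuer, 'sub' => 'user-42', 'jti' => bin2hex(random_bytes(8)),
    'iat' => $now, 'exp' => $now + 900,  // short lifetime: a stateless token cannot be revoked
    'role' => 'reader',                   // readable by anyone holding the token; not a secret
], $secret);

$claims = jwt_decode(bearer_token("Bearer $token"), $secret, $issuer);
printf("accepted: sub=%s role=%s\n", $claims['sub'], $claims['role']);

[$h, $p, $s] = explode('.', $token);

// Tampering: replace the payload with role=admin but keep the old signature.
$forged = $h . '.' . base64url_encode(json_encode(['iss' => $issuer, 'sub' => 'user-42',
          'exp' => $now + 900, 'role' => 'admin'])) . '.' . $s;
try {
    jwt_decode($forged, $secret, $issuer);
} catch (RuntimeException $e) {
    echo "forged payload rejected: {$e->getMessage()}\n";
}

// alg=none: an unsigned token with a trusted-looking header is refused as well.
$none = base64url_encode(json_encode(['typ' => 'JWT', 'alg' => 'none'])) . ".$p.";
try {
    jwt_decode($none, $secret, $issuer);
} catch (RuntimeException $e) {
    echo "alg=none rejected: {$e->getMessage()}\n";
}
```

Running it with `php jwt_demo.php` prints one accepted line followed by the two rejections. Inside a Slim middleware the same `bearer_token()` and `jwt_decode()` calls would run on `$request->getHeaderLine('Authorization')` before `$next`, returning a 401 response when either throws.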

Page 14: Micro Web Service - Slim and JWT

References

● http://jwt.io/introduction/
● https://scotch.io/tutorials/the-ins-and-outs-of-token-based-authentication
● http://www.slideshare.net/derekperkins/authentication-cookies-vs-jwts-and-why-youre-doing-it-wrong
● https://stormpath.com/blog/jwt-the-right-way/
● http://www.slideshare.net/stormpath/securing-web-applications-with-token-authentication
● http://www.slimframework.com/docs/

Page 15: Micro Web Service - Slim and JWT

Ho Chi Minh City

vdt.hutech@gmail

tuyenvuong.info

facebook.com/tuyendinhvuong

twitter.com/tuyendinhvuong
