
JWT - Secure your APIs


Web services are now at the heart of our companies' information systems. They carry information between heterogeneous systems, both inside the company and outside it, increasingly towards mobile systems. Exposing this potentially critical information raises the question of how to secure these exchanges. This presentation introduces JWT, explains how it works, and shows how to implement it in a Symfony 3 project.

JWT - Secure your APIs (slide transcript)

  • 4. Technical architect at … since 2011; 5+ years of experience on some fifteen Symfony2 projects of all kinds
  • 5. Part 1
  • 7-8. A web API: exposes potentially critical information; lets that information be manipulated (edit, add, delete)
  • 11. It is CRUCIAL to give every API a heightened level of security
  • 12-15. A web API: exposes potentially critical information; lets that information be manipulated; is normally stateless (no session, each call is isolated, so the client must authenticate on every call); must be used over HTTPS
  • 17. Session-based authentication
  • 18. Drawbacks: CORS (cross-origin resource sharing); scalability
  • 19-22. API-key-based authentication: no session; keys managed in the database (e.g. 1 andre … z654df84sSdDLfs3 / 2 amine … Ohg2v5x6df2fFspoa1fdffds8 / 3 antoine … khHp5se8w2xf1t9823tz3); no expiration mechanism; the token carries no usable information (it is an opaque value that has to be looked up)
  • 23. Ideal solution: stateless; handles expiration; self-contained and secured
  • 24. Part 2
  • 26. An industry standard defined by an RFC (7519); a basis for a reliable authentication mechanism; relies on a token that carries the data itself; the token is protected either by a signature, JWS (RFC 7515), or by encryption, JWE (RFC 7516); provides an expiration mechanism
  • 31. Registered claim names (RFC 7519): sub (Subject), exp (Expiration Time), nbf (Not Before), aud (Audience), iss (Issuer), iat (Issued At), jti (JWT ID)
  • 33. JOSE: JavaScript Object Signing and Encryption. Signature algorithms: HMAC + SHA, RSA + SHA, ECDSA + SHA. The verifier decides which algorithm and key it accepts; it must not let the token's own alg header choose them.
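An added example, not code from the slides, of what slides 26 to 33 describe: a minimal JWS issuer and verifier written with PHP built-ins only (PHP 7.1+). The key, the claim values and the issuer/audience strings are constructed for the demo. It shows the three base64url segments, the registered claims of RFC 7519 and an HMAC-SHA256 (HS256) signature from the JOSE list, together with the checks a verifier has to make: a pinned algorithm, a constant-time MAC comparison, and exp/nbf/iss/aud validation.

```php
<?php
// Added example (not from the slides): minimal JWS (HS256) issuer/verifier.
// Key, claims, issuer and audience below are constructed demo values.

function base64url_encode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode(string $data): string
{
    $remainder = strlen($data) % 4;
    if ($remainder !== 0) {
        $data .= str_repeat('=', 4 - $remainder);
    }
    $decoded = base64_decode(strtr($data, '-_', '+/'), true); // strict: reject junk
    if ($decoded === false) {
        throw new UnexpectedValueException('Invalid base64url segment');
    }
    return $decoded;
}

// header.payload.signature, where signature = HMAC-SHA256("header.payload", key).
function jwt_encode(array $claims, string $key): string
{
    $header  = base64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
    $payload = base64url_encode(json_encode($claims));
    $mac     = hash_hmac('sha256', "$header.$payload", $key, true);
    return "$header.$payload." . base64url_encode($mac);
}

// Returns the claims or throws. The algorithm is pinned to HS256 and the key is the
// caller's: the token's alg header is checked, never used to pick the method, which
// is what makes an "alg": "none" token or a key-confusion token fail here.
function jwt_verify(string $jwt, string $key, string $issuer, string $audience, ?int $now = null): array
{
    $now = $now ?? time();
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new UnexpectedValueException('Malformed token');
    }
    list($h, $p, $s) = $parts;

    $header = json_decode(base64url_decode($h), true);
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        throw new UnexpectedValueException('Unsupported or missing alg');
    }

    // hash_equals() compares in constant time, so the MAC check leaks no timing.
    $expected = hash_hmac('sha256', "$h.$p", $key, true);
    if (!hash_equals($expected, base64url_decode($s))) {
        throw new UnexpectedValueException('Bad signature');
    }

    $claims = json_decode(base64url_decode($p), true);
    if (!is_array($claims)) {
        throw new UnexpectedValueException('Malformed payload');
    }
    // Registered claims: exp is mandatory here, nbf optional, iss and aud must match.
    $leeway = 30; // seconds of clock skew tolerated between issuer and verifier
    if (!isset($claims['exp']) || $now > $claims['exp'] + $leeway) {
        throw new UnexpectedValueException('Token expired or without exp');
    }
    if (isset($claims['nbf']) && $now + $leeway < $claims['nbf']) {
        throw new UnexpectedValueException('Token not yet valid');
    }
    if (($claims['iss'] ?? null) !== $issuer) {
        throw new UnexpectedValueException('Unexpected issuer');
    }
    if (!in_array($audience, (array) ($claims['aud'] ?? []), true)) {
        throw new UnexpectedValueException('Token not meant for this audience');
    }
    return $claims;
}

// Demo with constructed values.
$key = 'constructed-demo-key-replace-with-32-random-bytes';
$now = time();
$token = jwt_encode([
    'iss' => 'https://auth.example.com',
    'aud' => 'api.example.com',
    'sub' => 'andre',
    'iat' => $now,
    'nbf' => $now,
    'exp' => $now + 900,            // 15 min, inside the 5 min to 1 h range of slide 41
    'jti' => bin2hex(random_bytes(8)),
], $key);

$claims = jwt_verify($token, $key, 'https://auth.example.com', 'api.example.com');
echo "accepted token for {$claims['sub']}\n";

// A forged token that keeps the payload but declares alg "none" and drops the MAC.
list(, $p) = explode('.', $token);
$forged = base64url_encode(json_encode(['alg' => 'none', 'typ' => 'JWT'])) . ".$p.";
try {
    jwt_verify($forged, $key, 'https://auth.example.com', 'api.example.com');
} catch (UnexpectedValueException $e) {
    echo "rejected forged token: {$e->getMessage()}\n";
}
```

Run it with `php jwt_demo.php`. In a real project the library of slide 35 replaces these functions, but the same four decisions stay with the caller: which algorithm and key are accepted, whether exp is mandatory, how much clock skew is tolerated, and which issuer and audience the API expects.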
  • 35. Implementations are available for the vast majority of programming languages
  • 38. Step 1:
    - the user authenticates against the API
    - on successful authentication, the server generates a JWT and returns it to the application
  • 39. Steps 2 to N: the application sends the JWT in a request header on every subsequent transaction
  • 41. Which lifetime to choose?
    - there is no standard duration
    - on average: between 5 minutes and 1 hour
    - once the token has expired:
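The flow of slides 26 to 41 in working form, as an added Python example that is not part of the deck: it mints a JWS whose payload carries the sub/iat/exp claims (step 1), validates a presented token with the algorithm pinned server-side and the exp/nbf claims checked (steps 2 to N), and extracts the token from the Authorization header the way getCredentials() does. It uses HS256 with a constructed secret instead of the deck's RS256 key pair so that it runs with the standard library alone; the secret and the sample timestamps are assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret (assumption): the deck signs with an RSA key (RS256);
# this example uses the HMAC + SHA family (HS256) so it needs only the stdlib.
SECRET = b"demo-secret-not-for-production"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(sub, ttl, now=None):
    """Step 1: after a successful login, mint a JWS carrying sub/iat/exp."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "iat": now, "exp": now + ttl}
    signing_input = b64url(json.dumps(header, separators=(",", ":")).encode()) + "." + b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_token(token, now=None):
    """Steps 2..N: validate a presented token; return its payload or raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    # Pin the algorithm on the server instead of trusting the header, as the deck's
    # isValid($publicKey, 'RS256') does: this rejects alg=none and key-type confusion.
    if json.loads(b64url_decode(h64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, (h64 + "." + p64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p64))
    if "exp" not in payload or now >= payload["exp"]:
        raise ValueError("token expired")
    if now < payload.get("nbf", now):
        raise ValueError("token not yet valid")
    return payload

def credentials_from_header(auth_header):
    """Like getCredentials(): pull the JWT out of 'Authorization: Bearer <jwt>'."""
    if not auth_header:
        return None
    scheme, _, token = auth_header.partition(" ")
    return token if scheme == "Bearer" and token else None
```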
  • 45. 3
  • 47.
    namespace Symfony\Component\Security\Guard;

    abstract class AbstractGuardAuthenticator
    {
        public function createAuthenticatedToken(UserInterface $user, $providerKey) { /* ... */ }
    }
  • 48.
    namespace Symfony\Component\Security\Guard;

    abstract class AbstractGuardAuthenticator implements GuardAuthenticatorInterface
    {
        public function createAuthenticatedToken(UserInterface $user, $providerKey) { /* ... */ }
    }
  • 49.
    namespace Symfony\Component\Security\Guard;

    interface GuardAuthenticatorInterface
    {
        public function getCredentials(Request $request);
        public function getUser($credentials, UserProviderInterface $userProvider);
        public function checkCredentials($credentials, UserInterface $user);
        public function createAuthenticatedToken(UserInterface $user, $providerKey);
        public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey);
        public function onAuthenticationFailure(Request $request, AuthenticationException $exception);
        public function supportsRememberMe();
    }
  • 50.
    namespace Symfony\Component\Security\Guard;

    interface GuardAuthenticatorInterface extends AuthenticationEntryPointInterface
    {
        public function getCredentials(Request $request);
        public function getUser($credentials, UserProviderInterface $userProvider);
        public function checkCredentials($credentials, UserInterface $user);
        public function createAuthenticatedToken(UserInterface $user, $providerKey);
        public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey);
        public function onAuthenticationFailure(Request $request, AuthenticationException $exception);
        public function supportsRememberMe();
    }
  • 51.
    namespace Symfony\Component\Security\Http\EntryPoint;

    interface AuthenticationEntryPointInterface
    {
        public function start(Request $request, AuthenticationException $authException = null);
    }
  • 54.
    # app/config/security.yml
    security:
        firewalls:
            login:
                pattern: ^/api/login
                stateless: true
                anonymous: true
                provider: in_memory
                form_login:
                    check_path: /api/login_check
                    success_handler: webnet_authentication.handler.authentication_success
                    failure_handler: webnet_authentication.handler.authentication_failure
                    require_previous_session: false
                    use_referer: true
        access_control:
            - { path: ^/api/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
  • 55.
    # app/config/service.yml
    services:
        webnet_authentication.handler.authentication_success:
            class: AppBundle\Security\AuthenticationSuccessHandler
            arguments: []
        webnet_authentication.handler.authentication_failure:
            class: AppBundle\Security\AuthenticationFailureHandler
            arguments: []
  • 57.
    namespace AppBundle\Security;

    use Symfony\Component\HttpFoundation\JsonResponse;
    use Symfony\Component\HttpFoundation\Request;
    use Symfony\Component\HttpFoundation\Response;
    use Symfony\Component\Security\Core\Exception\AuthenticationException;
    use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;

    /**
     * Class AuthenticationFailureHandler
     *
     * @package AppBundle\Security
     */
    class AuthenticationFailureHandler implements AuthenticationFailureHandlerInterface
    {
        /**
         * {@inheritdoc}
         */
        public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
        {
            // return the translated failure message as JSON instead of redirecting to a login form
            $data = array(
                'message' => strtr($exception->getMessageKey(), $exception->getMessageData())
            );

            return new JsonResponse($data, Response::HTTP_FORBIDDEN);
        }
    }
  • 59.
    /**
     * Class AuthenticationSuccessHandler
     *
     * @package AppBundle\Security
     */
    class AuthenticationSuccessHandler implements AuthenticationSuccessHandlerInterface
    {
        /**
         * @inheritdoc
         */
        public function onAuthenticationSuccess(Request $request, TokenInterface $token)
        {
            return $this->handleAuthenticationSuccess($token->getUser());
        }
    }
  • 62.
    namespace AppBundle\Security;

    use Namshi\JOSE\SimpleJWS;
    use Symfony\Component\HttpFoundation\JsonResponse;
    use Symfony\Component\HttpFoundation\Request;
    use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
    use Symfony\Component\Security\Core\User\UserInterface;
    use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;

    /**
     * Class AuthenticationSuccessHandler
     * @package AppBundle\Security
     */
    class AuthenticationSuccessHandler implements AuthenticationSuccessHandlerInterface
    {
        // passphrase protecting the RSA private key (hard-coded here for the demo)
        const SSL_KEY_PASSPHRASE = 'tests';

        public function onAuthenticationSuccess(Request $request, TokenInterface $token)
        {
            return $this->handleAuthenticationSuccess($token->getUser());
        }

        public function handleAuthenticationSuccess(UserInterface $user)
        {
            // JWS header: sign with RSA + SHA-256
            $jws = new SimpleJWS(array('alg' => 'RS256'));
            // payload: the subject and a one-hour expiration
            $jws->setPayload(array('sub' => $user->getUsername(), 'exp' => time() + 3600));
            $privateKey = openssl_pkey_get_private("file://path_to_private.key", self::SSL_KEY_PASSPHRASE);
            $jws->sign($privateKey);

            return new JsonResponse(array('token' => $jws->getTokenString()));
        }
    }
  • 66.
    /**
     * Class WebnetAuthenticator
     *
     * @package AppBundle\Security
     */
    class WebnetAuthenticator extends AbstractGuardAuthenticator
    {
    }
  • 67.
    namespace AppBundle\Security;

    use Namshi\JOSE\SimpleJWS;
    use Symfony\Component\HttpFoundation\Request;
    use Symfony\Component\Security\Guard\AbstractGuardAuthenticator;

    /**
     * Class WebnetAuthenticator
     *
     * @package AppBundle\Security
     */
    class WebnetAuthenticator extends AbstractGuardAuthenticator
    {
        /**
         * @inheritdoc
         */
        public function getCredentials(Request $request)
        {
            if (!$tokenValue = $request->headers->get('Authorization')) {
                // no token? Return null and no other methods will be called
                return;
            }

            // expected form: "Authorization: Bearer <jwt>"; anything else is treated as no credentials
            $token = explode(' ', $tokenValue, 2);
            if (count($token) !== 2 || $token[0] !== 'Bearer') {
                return;
            }

            try {
                return ['token' => SimpleJWS::load($token[1])];
            } catch (\Exception $e) {
                // malformed token: treat it as absent
                return;
            }
        }
    }
  • 68.
    /**
     * Class WebnetAuthenticator
     *
     * @package AppBundle\Security
     */
    class WebnetAuthenticator extends AbstractGuardAuthenticator
    {
        /**
         * @inheritdoc
         */
        public function start(Request $request, AuthenticationException $authException = null)
        {
            $data = array('message' => 'Authentication Required');

            return new JsonResponse($data, Response::HTTP_UNAUTHORIZED);
        }
    }
  • 70.
    /**
     * Class WebnetAuthenticator
     *
     * @package AppBundle\Security
     */
    class WebnetAuthenticator extends AbstractGuardAuthenticator
    {
        /**
         * @inheritdoc
         */
        public function getUser($credentials, UserProviderInterface $userProvider)
        {
            $payload = $credentials['token']->getPayload();
            if (!isset($payload['sub']) || !$payload['sub']) {
                return;
            }

            return $userProvider->loadUserByUsername($payload['sub']);
        }
    }
  • 71.
    /**
     * Class WebnetAuthenticator
     *
     * @package AppBundle\Security
     */
    class WebnetAuthenticator extends AbstractGuardAuthenticator
    {
        /**
         * @inheritdoc
         */
        public function checkCredentials($credentials, UserInterface $user)
        {
            $publicKey = openssl_pkey_get_public("file://path_to_public.key");

            // verify the signature and the expiration (exp); the algorithm is pinned to RS256
            // here rather than read from the token header
            return $credentials['token']->isValid($publicKey, 'RS256');
        }
    }
  • 72.
    /**
     * Class WebnetAuthenticator
     *
     * @package AppBundle\Security
     */
    class WebnetAuthenticator extends AbstractGuardAuthenticator
    {
        /**
         * @inheritdoc
         */
        public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
        {
            // on success, let the request continue
            return null;
        }

        /**
         * @inheritdoc
         */
        public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
        {
            $data = array(
                'message' => strtr($exception->getMessageKey(), $exception->getMessageData())
            );

            return new JsonResponse($data, Response::HTTP_FORBIDDEN);
        }
    }
  • 73.
    /**
     * Class WebnetAuthenticator
     *
     * @package AppBundle\Security
     */
    class WebnetAuthenticator extends AbstractGuardAuthenticator
    {
        public function supportsRememberMe()
        {
            return false;
        }
    }
  • 75. "There's a bundle for that!"
    - lexik/LexikJWTAuthenticationBundle
    - gesdinet/JWTRefreshTokenBundle (refresh tokens)