4. Agenda
1. Why we need authorization
2. The idea of Authorization Server
3. How to implement JWT
- PyJWT
- Django & Flask
5. About Me
Shuhsi Lin
Data Engineer at Throughtek
Currently working with
- IoT PaaS
- Streaming processing framework
- WebAPI
- Lurking in PyHug, Taipei.py and various Meetups
sucitw@gmail.com
shuhsi_lin@tutk.com
6. IAA
Identity: “Who are you?”
Authentication: “OK, how can you prove it?”
Authorization: “What can you do?”
Identity and Access Management (IAM)
17. Token-based authentication
● Stateless and scalable servers
● Mobile application ready
● Pass authentication to other applications
● Extra security
22. How do JSON Web Tokens usually work?
(flow diagram, from https://auth0.com/learn/json-web-tokens/)
1. Client: POST login/ with user id/password
2. Server: create JWT, return the JWT token
3. Client: request with header Authorization: Bearer <json web token>
4. Server: check JWT, send responses
23. What do we put in the payload?
● Reserved: predefined claims
● iss (issuer), exp (expiration time), sub (subject), aud (audience), etc.
● Public:
● name, email, email_verified, etc.
● http://www.iana.org/assignments/jwt/jwt.xhtml
● Private: custom claims
25.
In [1]: import json
In [2]: import hmac
In [3]: from hashlib import sha256
In [4]: from base64 import urlsafe_b64encode
In [5]: segments = []
In [6]: header_dict = {
...: 'typ': 'JWT',
...: 'alg': 'HS256'
...: }
In [7]: json_header = json.dumps(header_dict).encode('utf-8')
In [8]: header = urlsafe_b64encode(json_header)
In [9]: segments.append(header)
In [10]: segments
Out[10]: [b'eyJ0eXAiOiAiSldUIiwgImFsZyI6ICJIUzI1NiJ9']
26.
In [11]: payload_dict = {
....: 'user_id':'pythontw2016'
....: }
In [12]: json_payload = json.dumps(payload_dict).encode('utf-8')
In [13]: payload = urlsafe_b64encode(json_payload)
In [14]: segments.append(payload)
In [15]: segments
Out[15]:
[b'eyJ0eXAiOiAiSldUIiwgImFsZyI6ICJIUzI1NiJ9',
b'eyJ1c2VyX2lkIjogInB5dGhvbnR3MjAxNiJ9']
27.
In [16]: SECRET = b'secret'
In [17]: signing_input = b'.'.join(segments)
In [18]: sig = hmac.new(SECRET, signing_input, sha256)
In [19]: signature = urlsafe_b64encode(sig.digest())
In [20]: segments.append(signature)
In [21]: segments
Out[21]:
[b'eyJ0eXAiOiAiSldUIiwgImFsZyI6ICJIUzI1NiJ9',
b'eyJ1c2VyX2lkIjogInB5dGhvbnR3MjAxNiJ9',
b'qhevGfl16LBHjRG2wb6xDitbGt3lDK-2iUYCsLseCJY=']
In [22]: token = b'.'.join(segments)
In [23]: token
Out[23]: b'eyJ0eXAiOiAiSldUIiwgImFsZyI6ICJIUzI1NiJ9.eyJ1c2VyX2lkIjogInB5dGhvbnR3MjAxNiJ9.qhevGfl16LBHjRG2wb6xDitbGt3lDK-2iUYCsLseCJY='
Test this token in https://jwt.io/
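The same HS256 construction written as functions, added here as an example that is not from the slides (the names encode_hs256, verify_hs256 and is_valid are my own). It covers the two things the REPL walkthrough leaves out: the base64url padding is stripped, as RFC 7515 requires, so the token carries no '=', and a verify step that pins the algorithm on the server side, compares the MAC in constant time and checks exp.

```python
import hmac
import json
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode
from hashlib import sha256

def b64url_encode(raw):
    # RFC 7515 base64url: the trailing '=' padding is dropped
    return urlsafe_b64encode(raw).rstrip(b"=")

def b64url_decode(data):
    return urlsafe_b64decode(data + b"=" * (-len(data) % 4))

def encode_hs256(payload, secret):
    header = {"typ": "JWT", "alg": "HS256"}
    # compact separators keep whitespace out of the encoded JSON
    segments = [
        b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8")),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode("utf-8")),
    ]
    signing_input = b".".join(segments)
    segments.append(b64url_encode(hmac.new(secret, signing_input, sha256).digest()))
    return b".".join(segments)

def verify_hs256(token, secret, now=None):
    parts = token.split(b".")
    if len(parts) != 3:
        raise ValueError("a compact JWT has exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # the server pins the algorithm; the token never gets to choose it
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, header_b64 + b"." + payload_b64, sha256).digest()
    # constant-time comparison so timing does not leak how much of the MAC matched
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= int(payload["exp"]):
        raise ValueError("token expired")
    return payload

def is_valid(token, secret, now=None):
    try:
        verify_hs256(token, secret, now)
        return True
    except ValueError:
        return False
```

verify_hs256 returns the payload on success and raises ValueError on any failure; is_valid wraps it for callers that only need accept/reject.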
36. Authentication with JWT for security purposes
1. User sends login request with credentials
2. Authenticate user on your server (account server)
3. Request a nonce from the Diuit server
4. Obtain nonce from Diuit server
5. Use JWT to request session token
6. Obtain session token from Diuit server
7. Send session token back to messaging client
8. Authenticate messaging client on Diuit server using "loginWithAuthToken"
(diagram: your own account server; user login -> nonce -> create JWT)
header
{ "typ": "JWT", "alg": "RS256", "cty": "diuit-eit;v=1",
  "kid": ${EncryptionKeyId} }
payload
{ "iss": ${DIUIT_APP_ID},
  "sub": ${UNIQUE_USER_ID},
  "iat": ${CURRENT_TIME_IN_ISO8601_FORMAT},
  "exp": ${SESSION_EXPIRATION_TIME_IN_ISO8601_FORMAT},
  "nce": ${AUTHENTICATION_NONCE} }
37. Django REST framework JWT
JSON Web Token Authentication support for Django REST Framework