Micro Webservice Framework
Slim Framework and JSON Web Token (JWT)

Slim Framework

Welcome
Slim is a PHP micro framework that helps you quickly write simple yet powerful web applications and APIs.
At its core, Slim is a dispatcher that receives an HTTP request, invokes an appropriate callback routine, and returns an HTTP response. That's it.
Why use Slim?
● RESTful framework
● Good documentation
● Provides what a micro framework should have, and nothing more
● Very large following
● Easy to learn
PSR-7 and value objects
The PSR-7 interfaces provide methods to transform Request and Response objects; because PSR-7 messages are immutable value objects, each transformation returns a new object rather than modifying the original.
Dependency Container
Slim uses a dependency container to prepare, manage, and inject application dependencies.
Middleware
You can run code before and after your Slim application to
manipulate the Request and Response objects as you see fit.
This is called middleware.
Request and Response
When you build a Slim app, you are often working directly with Request and Response objects. These objects represent the actual HTTP request received by the web server and the eventual HTTP response returned to the client.
Why would you want to do this?
● Protect your app (XSS)
● Authenticate
● API logging
Request
● Methods: GET, POST, PUT, DELETE, HEAD,
PATCH, OPTIONS
● URI: Host, Port, Path...
● Header: Accept...
● Body content
● Character set, content length
Response
● Status: 200, 204, 422, 404, 500…
● Header: append, set, detect...
● Body: size, content

JSON Web Token

What is a JSON Web Token?
● JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.
● This information can be verified and trusted because it is digitally signed.
When should you use JSON Web Tokens?
● Authentication: once the user is logged in, each subsequent request will include the JWT
● Information exchange: JWTs are a good way of securely transmitting information between parties
What is the JSON Web Token structure?
● Header: typically consists of two parts:
  ○ The type of the token (JWT)
  ○ The signing algorithm (HMAC SHA256, RSA…)
● Payload: contains three types of claims
  ○ Reserved: iss (issuer), exp (expiration), sub (subject)...
  ○ Public: can be defined at will by those using JWTs
  ○ Private: information shared between the parties
● Signature: created from
  ○ The encoded header
  ○ The encoded payload
  ○ A secret
  ○ The algorithm named in the header, which signs the three parts above
Putting it all together
● The output is three Base64 strings separated by dots
● The claims body is the best part! It can tell:
How do JSON Web Tokens work?
● In authentication, when the user successfully logs in with their credentials, a JWT is returned and must be saved locally (typically in local storage, but cookies can also be used)
● In authorization, whenever the user wants to access a protected route or resource, the client sends the JWT, typically in the Authorization header
● This is a stateless authentication mechanism, as the user state is never saved in server memory
● As JWTs are self-contained, all the necessary information is in the token (reducing the need to go back to the database)
Why should we use JWT?
What are we most concerned about?
● Sessions: every time a user is authenticated, the server needs to create a record somewhere on the server
● Stateless: NOT storing any information about the user on the server
● Scalability: since sessions are stored in memory, replicating servers becomes a problem
● CORS (Cross-Origin Resource Sharing): AJAX calls from another domain (mobile devices)... problems with forbidden requests
● CSRF (Cross-Site Request Forgery): executing unwanted actions
● Compatibility: mobile, and easy to use for a public API
● Transmission: size, local storage, when…?
Cookies
● Typically very small (4k hard limit)
● Sent with every request to the domain
● Cookie-specific storage
● Very difficult across domains
● Subject to CSRF attacks
● Less support for mobile; can't be used for external API requests
● Contains a session id
● Requires a database lookup on every request
● Server-side sessions (requests must hit the same server)
● Scaling is difficult
JWT
● Can get larger depending on the info stored (8k soft limit)
● Only sent when necessary
● LocalStorage or SessionStorage
● Works from any domain
● Not subject to CSRF
● Standard for mobile auth; easy to use for a public API
● Contains verified user information
● No DB lookups required
● State is stored on the client
● Scales easily
JWT: Things to Remember
● Base64 is NOT secure: it is encoding, not encryption
● Encrypt sensitive info
● Use the best claims body (iss, exp, sub, jti, iat…)
● Keep your secret key SECRET
Ho Chi Minh City
vdt.hutech@gmail
tuyenvuong.info
facebook.com/tuyendinhvuong
twitter.com/tuyendinhvuong
Micro Webservice Framework
(F1) Micro Webservice Framework

Contenu connexe

Tendances

Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsrobertjd
 
Modern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensModern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensJonathan LeBlanc
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication Micron Technology
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSHüseyin BABAL
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101 Stormpath
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and PracticesPrabath Siriwardena
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2Rodrigo Cândido da Silva
 
Rest Security with JAX-RS
Rest Security with JAX-RSRest Security with JAX-RS
Rest Security with JAX-RSFrank Kim
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST securityIgor Bossenko
 
Building an API Security Ecosystem
Building an API Security EcosystemBuilding an API Security Ecosystem
Building an API Security EcosystemPrabath Siriwardena
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsJon Todd
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2Rodrigo Cândido da Silva
 
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Hermann Burgmeier
 
Introduction to JWT and How to integrate with Spring Security
Introduction to JWT and How to integrate with Spring SecurityIntroduction to JWT and How to integrate with Spring Security
Introduction to JWT and How to integrate with Spring SecurityBruno Henrique Rother
 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache ShiroMarakana Inc.
 
Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Vladimir Dzhuvinov
 
An Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldVMware Tanzu
 
Build A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON APIBuild A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON APIStormpath
 

Tendances (20)

Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTs
 
Modern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensModern API Security with JSON Web Tokens
Modern API Security with JSON Web Tokens
 
2016 pycontw web api authentication
2016 pycontw web api authentication 2016 pycontw web api authentication
2016 pycontw web api authentication
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJS
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101
 
JSON Web Tokens
JSON Web TokensJSON Web Tokens
JSON Web Tokens
 
API Security : Patterns and Practices
API Security : Patterns and PracticesAPI Security : Patterns and Practices
API Security : Patterns and Practices
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2JavaOne 2014 - Securing RESTful Resources with OAuth2
JavaOne 2014 - Securing RESTful Resources with OAuth2
 
Rest Security with JAX-RS
Rest Security with JAX-RSRest Security with JAX-RS
Rest Security with JAX-RS
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
 
Building an API Security Ecosystem
Building an API Security EcosystemBuilding an API Security Ecosystem
Building an API Security Ecosystem
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2
 
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
Mixing OAuth 2.0, Jersey and Guice to Build an Ecosystem of Apps - JavaOne...
 
Json web token
Json web tokenJson web token
Json web token
 
Introduction to JWT and How to integrate with Spring Security
Introduction to JWT and How to integrate with Spring SecurityIntroduction to JWT and How to integrate with Spring Security
Introduction to JWT and How to integrate with Spring Security
 
Super simple application security with Apache Shiro
Super simple application security with Apache ShiroSuper simple application security with Apache Shiro
Super simple application security with Apache Shiro
 
Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0
 
An Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices World
 
Build A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON APIBuild A Killer Client For Your REST+JSON API
Build A Killer Client For Your REST+JSON API
 

En vedette

Web 2.0 - From a Social to a Service Web
Web 2.0 - From a Social to a Service WebWeb 2.0 - From a Social to a Service Web
Web 2.0 - From a Social to a Service WebJury Konga
 
Creating REST Applications with the Slim Micro-Framework by Vikram Vaswani
Creating REST Applications with the Slim Micro-Framework by Vikram VaswaniCreating REST Applications with the Slim Micro-Framework by Vikram Vaswani
Creating REST Applications with the Slim Micro-Framework by Vikram Vaswanivvaswani
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationStormpath
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTGaurav Roy
 
Rest api design by george reese
Rest api design by george reeseRest api design by george reese
Rest api design by george reesebuildacloud
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Alvaro Sanchez-Mariscal
 
Jak dojść do właściwego modelu zarabiania?
Jak dojść do właściwego modelu zarabiania?Jak dojść do właściwego modelu zarabiania?
Jak dojść do właściwego modelu zarabiania?Asen Gyczew
 

En vedette (9)

Web 2.0 - From a Social to a Service Web
Web 2.0 - From a Social to a Service WebWeb 2.0 - From a Social to a Service Web
Web 2.0 - From a Social to a Service Web
 
Creating REST Applications with the Slim Micro-Framework by Vikram Vaswani
Creating REST Applications with the Slim Micro-Framework by Vikram VaswaniCreating REST Applications with the Slim Micro-Framework by Vikram Vaswani
Creating REST Applications with the Slim Micro-Framework by Vikram Vaswani
 
Securing Web Applications with Token Authentication
Securing Web Applications with Token AuthenticationSecuring Web Applications with Token Authentication
Securing Web Applications with Token Authentication
 
Boas práticas de API Design
Boas práticas de API DesignBoas práticas de API Design
Boas práticas de API Design
 
Git and git flow
Git and git flowGit and git flow
Git and git flow
 
Stateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWTStateless Auth using OAuth2 & JWT
Stateless Auth using OAuth2 & JWT
 
Rest api design by george reese
Rest api design by george reeseRest api design by george reese
Rest api design by george reese
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015Stateless authentication with OAuth 2 and JWT - JavaZone 2015
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
 
Jak dojść do właściwego modelu zarabiania?
Jak dojść do właściwego modelu zarabiania?Jak dojść do właściwego modelu zarabiania?
Jak dojść do właściwego modelu zarabiania?
 

Similaire à Micro Web Service - Slim and JWT

REST-Api Design & Develop
REST-Api Design & DevelopREST-Api Design & Develop
REST-Api Design & DevelopSabbir Rupom
 
World wide web architecture presentation
World wide web architecture presentationWorld wide web architecture presentation
World wide web architecture presentationImMe Khan
 
Introductiontowebarchitecture 090922221506-phpapp01
Introductiontowebarchitecture 090922221506-phpapp01Introductiontowebarchitecture 090922221506-phpapp01
Introductiontowebarchitecture 090922221506-phpapp01Maisha Price
 
Angular - Chapter 9 - Authentication and Authorization
Angular - Chapter 9 - Authentication and AuthorizationAngular - Chapter 9 - Authentication and Authorization
Angular - Chapter 9 - Authentication and AuthorizationWebStackAcademy
 
Сергей Радзыняк ".NET Microservices in Real Life"
Сергей Радзыняк ".NET Microservices in Real Life"Сергей Радзыняк ".NET Microservices in Real Life"
Сергей Радзыняк ".NET Microservices in Real Life"Fwdays
 
Construyendo un nuevo ecosistema para comunicaciones interoperables
Construyendo un nuevo ecosistema para comunicaciones interoperablesConstruyendo un nuevo ecosistema para comunicaciones interoperables
Construyendo un nuevo ecosistema para comunicaciones interoperablesOpenDireito
 
Building a new ecosystem for interoperable communications
Building a new ecosystem for interoperable communicationsBuilding a new ecosystem for interoperable communications
Building a new ecosystem for interoperable communicationsPaloSanto Solutions
 
Microservices Security: dos and don'ts
Microservices Security: dos and don'tsMicroservices Security: dos and don'ts
Microservices Security: dos and don'tsMinded Security
 
Game On! Exploring Microservices with a Text-Based Adventure Game
Game On! Exploring Microservices with a Text-Based Adventure GameGame On! Exploring Microservices with a Text-Based Adventure Game
Game On! Exploring Microservices with a Text-Based Adventure GameErin Schnabel
 
Sitecore User Group: Session State and Sitecore xDB
Sitecore User Group: Session State and Sitecore xDB Sitecore User Group: Session State and Sitecore xDB
Sitecore User Group: Session State and Sitecore xDB nonlinear creations
 
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays
 
AMF Flash and .NET
AMF Flash and .NETAMF Flash and .NET
AMF Flash and .NETYaniv Uriel
 
Back-End application for Distributed systems
Back-End application for Distributed systemsBack-End application for Distributed systems
Back-End application for Distributed systemsAtif Imam
 
Behind the scenes of Real-Time Notifications
Behind the scenes of Real-Time NotificationsBehind the scenes of Real-Time Notifications
Behind the scenes of Real-Time NotificationsGuillermo Mansilla
 

Similaire à Micro Web Service - Slim and JWT (20)

REST-Api Design & Develop
REST-Api Design & DevelopREST-Api Design & Develop
REST-Api Design & Develop
 
a
aa
a
 
World wide web architecture presentation
World wide web architecture presentationWorld wide web architecture presentation
World wide web architecture presentation
 
Introductiontowebarchitecture 090922221506-phpapp01
Introductiontowebarchitecture 090922221506-phpapp01Introductiontowebarchitecture 090922221506-phpapp01
Introductiontowebarchitecture 090922221506-phpapp01
 
Angular - Chapter 9 - Authentication and Authorization
Angular - Chapter 9 - Authentication and AuthorizationAngular - Chapter 9 - Authentication and Authorization
Angular - Chapter 9 - Authentication and Authorization
 
Windows 8 Metro apps and the outside world
Windows 8 Metro apps and the outside worldWindows 8 Metro apps and the outside world
Windows 8 Metro apps and the outside world
 
Сергей Радзыняк ".NET Microservices in Real Life"
Сергей Радзыняк ".NET Microservices in Real Life"Сергей Радзыняк ".NET Microservices in Real Life"
Сергей Радзыняк ".NET Microservices in Real Life"
 
Construyendo un nuevo ecosistema para comunicaciones interoperables
Construyendo un nuevo ecosistema para comunicaciones interoperablesConstruyendo un nuevo ecosistema para comunicaciones interoperables
Construyendo un nuevo ecosistema para comunicaciones interoperables
 
API
APIAPI
API
 
Building a new ecosystem for interoperable communications
Building a new ecosystem for interoperable communicationsBuilding a new ecosystem for interoperable communications
Building a new ecosystem for interoperable communications
 
Microservices Security: dos and don'ts
Microservices Security: dos and don'tsMicroservices Security: dos and don'ts
Microservices Security: dos and don'ts
 
Switch to Backend 2023
Switch to Backend 2023Switch to Backend 2023
Switch to Backend 2023
 
Game On! Exploring Microservices with a Text-Based Adventure Game
Game On! Exploring Microservices with a Text-Based Adventure GameGame On! Exploring Microservices with a Text-Based Adventure Game
Game On! Exploring Microservices with a Text-Based Adventure Game
 
Sitecore User Group: Session State and Sitecore xDB
Sitecore User Group: Session State and Sitecore xDB Sitecore User Group: Session State and Sitecore xDB
Sitecore User Group: Session State and Sitecore xDB
 
Session State and Sitecore xDB
Session State and Sitecore xDBSession State and Sitecore xDB
Session State and Sitecore xDB
 
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
apidays LIVE Australia 2021 - Levelling up database security by thinking in A...
 
AMF Flash and .NET
AMF Flash and .NETAMF Flash and .NET
AMF Flash and .NET
 
Back-End application for Distributed systems
Back-End application for Distributed systemsBack-End application for Distributed systems
Back-End application for Distributed systems
 
Windows 8 Apps and the Outside World
Windows 8 Apps and the Outside WorldWindows 8 Apps and the Outside World
Windows 8 Apps and the Outside World
 
Behind the scenes of Real-Time Notifications
Behind the scenes of Real-Time NotificationsBehind the scenes of Real-Time Notifications
Behind the scenes of Real-Time Notifications
 

Dernier

SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 

Dernier (20)

SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions

Micro Web Service - Slim and JWT

6. Json Web Token (Micro Service Framework)

What is JSON Web Token?
● JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, self-contained way of transmitting information between parties as a JSON object.
● The information can be verified and trusted because it is digitally signed. Signed is not the same as hidden: the payload is only Base64url-encoded and anyone who holds the token can read it.

When should you use JSON Web Token?
● Authentication: once the user has logged in, each subsequent request includes the JWT.
● Information exchange: a JWT is a good way of passing information between parties when the receiver needs to check who issued it and that it was not altered in transit.
7. What is the JSON Web Token structure?
● Header: typically two fields
  ○ The type of the token ("typ": "JWT")
  ○ The signing algorithm ("alg"), e.g. HS256 (HMAC with SHA-256) or RS256 (RSA with SHA-256)
● Payload: a set of claims, of three kinds
  ○ Registered (RFC 7519 calls them registered, not reserved): iss (issuer), exp (expiration time), sub (subject), iat, jti...
  ○ Public: names anyone using JWTs may define, ideally registered to avoid collisions
  ○ Private: claims agreed between the two parties
● Signature, computed over the first two parts:
  ○ The Base64url-encoded header
  ○ The Base64url-encoded payload
  ○ A secret (HMAC) or a private key (RSA)
  ○ For HS256: signature = HMAC-SHA256(encodedHeader + "." + encodedPayload, secret)
8. Putting it all together
● The output is three Base64url-encoded strings separated by dots: header.payload.signature
● The claims body is the best part! It can tell:
9. How do JSON Web Tokens work?
● Authentication: when the user logs in successfully with their credentials, a JWT is returned and must be kept on the client. The deck suggests local storage, with cookies as an alternative; note that local storage is readable by any script running on the page, so an XSS bug leaks the token, whereas an HttpOnly cookie is not script-readable but must then be protected against CSRF like any other cookie.
● Authorization: whenever the user wants to access a protected route or resource, the client sends the JWT, typically in the Authorization header (Authorization: Bearer <token>).
● This is a stateless authentication mechanism: user state is never kept in server memory. The flip side is that a token cannot be revoked before its exp unless you add server-side state (for example a denylist of jti values), so keep lifetimes short.
● Because a JWT is self-contained, all the necessary information is inside it, reducing the need to go back to the database on every request.
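The flow of slides 7 to 9 in working code, as an added example that is not part of the original deck and not a Slim/PHP listing: mint_jwt builds the three-part header.payload.signature token with HS256, peek shows that the payload is readable without any key, and authenticate performs the check a protected route does on the Authorization header (pinned algorithm, constant-time signature comparison, exp/nbf/iss claims). The secret, issuer, subject, timestamps and the function names are all constructed for this example.

```python
"""Mint and verify an HS256 JSON Web Token with only the Python standard library.

Added example for this deck; the secret, issuer, claim values and a fixed
clock below are constructed so the run is reproducible offline.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(raw: bytes) -> str:
    """Base64url without '=' padding, the encoding JWS uses for each part."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the decoder needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, secret: bytes) -> str:
    """Slide 7: signature = HMAC-SHA256(encodedHeader + '.' + encodedPayload, secret)."""
    header = {"alg": "HS256", "typ": "JWT"}
    head = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"


def peek(token: str) -> dict:
    """Decode the payload with NO key: Base64url is encoding, not encryption."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, secret: bytes, issuer: str, now: Optional[float] = None) -> dict:
    """Return the claims if the token is authentic and current, else raise ValueError.

    Order matters: pin the algorithm (never trust 'alg' from the token itself),
    compare the signature in constant time, and only then trust the claims.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    header = json.loads(b64url_decode(head))
    if header.get("alg") != "HS256":  # rejects 'none' and algorithm-swap tokens
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    if now < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    return claims


def authenticate(headers: dict, secret: bytes, issuer: str, now: Optional[float] = None) -> dict:
    """Slide 9: the protected route reads 'Authorization: Bearer <jwt>'."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token.strip():
        raise ValueError("missing bearer token")
    return verify_jwt(token.strip(), secret, issuer, now)


def demo() -> dict:
    """Constructed scenario: login mints a token, later requests present it."""
    secret = b"demo-secret-change-me"  # constructed; the real one stays SECRET
    issued = 1_700_000_000             # fixed clock instead of time.time()
    claims = {"iss": "auth.example", "sub": "user-42", "iat": issued, "exp": issued + 900}
    token = mint_jwt(claims, secret)
    ok = authenticate({"Authorization": f"Bearer {token}"}, secret, "auth.example", now=issued + 10)
    results = {"parts": len(token.split(".")), "sub": ok["sub"], "peek_sub": peek(token)["sub"]}
    # Failure modes: edited payload, stale token, wrong key, and an 'alg: none' header.
    head, body, sig = token.split(".")
    forged = b64url_encode(json.dumps({**claims, "sub": "admin"}, separators=(",", ":")).encode())
    for name, tok, at in [
        ("tampered", f"{head}.{forged}.{sig}", issued + 10),
        ("expired", token, issued + 901),
        ("wrong_secret", mint_jwt(claims, b"other-secret"), issued + 10),
        ("alg_none", b64url_encode(b'{"alg":"none","typ":"JWT"}') + f".{body}.", issued + 10),
    ]:
        try:
            verify_jwt(tok, secret, "auth.example", now=at)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The verifier does not read the algorithm from the token to decide how to verify; it requires HS256 and nothing else, which is what closes the 'alg: none' and key-confusion cases. peek is deliberately key-free to make the slide-13 point concrete: whatever you put in the payload is public to the token holder.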
10. Why should we use JWT?
11. What are we most concerned about?
● Sessions: every time a user is authenticated, the server has to create a record for that session somewhere on the server.
● Stateless: not storing any information about the user on the server.
● Scalability: because sessions live in server memory, replicating servers becomes a problem (requests must reach the server that holds the session, or sessions must be shared).
● CORS (Cross-Origin Resource Sharing): AJAX calls from another domain (for example from mobile apps) run into forbidden-request problems.
● CSRF (Cross-Site Request Forgery): a third-party site makes the browser execute unwanted actions with the user's credentials.
● Compatibility: mobile clients, and ease of use for a public API.
● Transmission: token size, where it is stored on the client, and when it is sent.
12. Cookies vs JWT (the two columns of the slide, in the same order)

Cookies
● Typically very small (about 4 KB hard limit per cookie)
● Sent by the browser with every request to the domain
● Cookie-specific storage
● Very difficult to use across domains
● Subject to CSRF attacks
● Less support for mobile; cannot be used for external API requests
● Contain a session id
● Require a database or session-store lookup on every request
● Server-side sessions (requests need to hit the same server)
● Scaling is difficult

JWT
● Can get larger depending on the information stored (request header limits, typically around 8 KB, are the practical ceiling)
● Only sent when necessary
● LocalStorage or SessionStorage
● Works from any domain
● Not subject to CSRF when sent by script in an Authorization header (a JWT stored in a cookie is sent automatically and needs CSRF protection like any cookie)
● Standard for mobile auth; easy to use for a public API
● Contains verified user information
● No database lookup required
● State is stored on the client
● Scales easily
13. JWT: things to remember
● Base64 is NOT secure: it is encoding, not encryption, so anyone holding the token can read the header and payload.
● Encrypt sensitive information, or better, keep it out of the token altogether.
● Use the registered claims in the body (iss, exp, sub, jti, iat...) and check them on every request: a token with no exp never expires.
● Keep your secret key SECRET; with HMAC, whoever knows it can mint valid tokens.
● When verifying, fix the algorithm you accept on the server side rather than reading it from the token's own header.
14. References
● http://jwt.io/introduction/
● https://scotch.io/tutorials/the-ins-and-outs-of-token-based-authentication
● http://www.slideshare.net/derekperkins/authentication-cookies-vs-jwts-and-why-youre-doing-it-wrong
● https://stormpath.com/blog/jwt-the-right-way/
● http://www.slideshare.net/stormpath/securing-web-applications-with-token-authentication
● http://www.slimframework.com/docs/
15. Micro Webservice Framework (F1)
Ho Chi Minh City
vdt.hutech@gmail
tuyenvuong.info
facebook.com/tuyendinhvuong
twitter.com/tuyendinhvuong