Token based authentication systems
TRANSCRIPT
Restful Authentication System with AngularJS & NodeJS
Hüseyin BABAL
Full Stack Developer. PHP, JAVA, NodeJS developer.
Building highly scalable, realtime systems.
Web Development mentor.
Entrepreneur.
NodeJS trainer.
GDG conference speaker
@huseyinbabal
http://huseyinbabal.net
http://app.yoursite.com

POST /signin
username=.....&password=......
HTTP 200
Set-Cookie: session=.......

POST /user/me
Cookie: session=.......
HTTP 200
{name: john, surname: doe, …..}
Boss: I want native mobile and desktop versions of our current web application.
Developer: We need to develop new services for specific clients.
Boss: What about cost? You need to find another, better solution.
Developer: ???
Android, Windows 8, iOS, Desktop App  ->  My App
I need to develop a client independent system...
http://app.yoursite.com  ->  http://api.yoursite.com

POST /signin
username=.....&password=......
HTTP 200
token: JWT (Bearer Token)

POST /user/me
Authorization: Bearer JWT (Bearer Token)
HTTP 200
{name: john, surname: doe, …..}
Wait! What is a Bearer Token?
JWT
A compact token format, carried in HTTP headers, used to secure endpoints.
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOjEyMzQ1Njc4OTAsIm5hbWUiOiJKb2huIERvZSIsImFkbWluIjp0cnVlfQ.eoaDVGTClRdfxUZXiPs3f8FmJDkDE_VCQFXqKxpLsts
JWT = header . payload . signature

header:    b64({ typ: 'JWT', alg: 'HS256' })
payload:   b64({ name: "John", id: "123456", role: "admin" })
signature: HMACSHA256(b64(header) + "." + b64(payload), secret_key)
Libraries

Language   Library URL
PHP        https://github.com/firebase/php-jwt
.NET       https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet
Ruby       https://github.com/progrium/ruby-jwt
NodeJS     https://github.com/auth0/node-jsonwebtoken
Java       https://github.com/auth0/java-jwt
Python     https://github.com/progrium/pyjwt/
Architecture

Time (top to bottom)
http://app.yoursite.com  ->  http://api.yoursite.com  ->  MongoDB

POST /signin
username=.....&password=......
  API: check username and password, create token if valid, add to DB
HTTP 200
token: JWT (Bearer Token)

POST /user/me
Authorization: Bearer JWT (Bearer Token)
  API: check token from DB whenever a request comes
HTTP 200
{name: john, surname: doe, …..}

http://t1.yoursite.com  ……..  http://tn.yoursite.com
(Load balancer)
Advantages
Client independent
CDN
Zero Coupling
No cookie (session), no CSRF
Persistent token store
Available for other languages (JWT token)
Thank you!