Authentication

with JSON Web Tokens

2016. 06. 04 pyconTW

Shuhsi Lin

Data Engineer of Throughtek

JSON Web Tokens

2

JWT

“jot”

3

1. Why we need authorization

2. The idea of Authorization Server

3. How to implement JWT

- PyJWT

- Django & Flask

4

Agenda

About Me

Data Engineer of Throughtek

Currently working with- IoT -PaaS- Streaming processing framework- WebAPI

- Lurking in PyHug, Taipei.py and various Meetups

5

Shuhsi Linsucitw@gmail.com

shuhsi_lin@tutk.com

I A AIdentity “Who are you?”

6

Authentication“OK, how can you prove it?”

Authorization“What can you do?”

Identity and Access Management (IAM)

Copyright © 2016 ThroughTek Co., Ltd. All rights reserved. Confidential. Do not distribute. 7

• Generic applications

• Customization service

• Kalay Kit

• FW integration

micro-service system

Turnkey Solution for Rapid IoT DeploymentKalay Platform

What is Kalay?

9

Copyright © 2016 ThroughTek Co., Ltd. All rights reserved. Confidential. Do not distribute. 10 10

“Handshake” in the language

of the aboriginal Tao people of Taiwan

Connecting All Devices

Copyright © 2016 ThroughTek Co., Ltd. All rights reserved. Confidential. Do not distribute. 11

User Account• Define multiple user types • Manage and control user permission• Monitor login status and activity

UID & Device• Real time log analysis• Track connection status, IP, region• Monitor and backup log data

Why we need Identity Management(Device and User Account)

A server has to know

who is requesting the resource

12

How has authentication been done in web?

13

● Server based● Token based

Server based authentication

14

user id/password

Problems from Server based authentication

● Sessions

● Scalability

● Cross-Origin Resource Sharing (CORS)

● Cross-Site Request Forgery (CSRF)

15

Token based authentication

16

user id/password

Stateless

Token based authentication

● Stateless and scalable servers● Mobile application ready● Pass authentication to other applications● Extra security

17

18

https://jwt.io/

2,506 6,120

https://github.com/search?q=jwthttp://stackoverflow.com/search?q=jwt

● Compact and Self-contained

● Across different programming languages

● Passed around easily

JWT looks like?

19

Three strings separated by “.”

aaaaaaaaa.bbbbbbbbb.cccccccccccheader payload signature

20

https://jwt.io/#debugger-io

don’t put sensitive data here

How usually JSON Web Tokens work ?

21

How usually JSON Web Tokens work ?

22

POST login/user id/password

https://auth0.com/learn/json-web-tokens/

return JWT token

request with HeaderAuthorization: Bearer <json web token>

create JWT

Check JWTsend responses

What do we put in payload

● Reserved : predefined claim● iss (issuer), exp (expiration time), sub (subject), aud (audience) ● and etc.

● Public: ● name, email, email_verified, and etc.● http://www.iana.org/assignments/jwt/jwt.xhtml

● Private : custom claims

23

How to implement it in python ?

24

25

In [1]: import jsonIn [2]: import hmacIn [3]: from hashlib import sha256In [4]: from base64 import urlsafe_b64encode

In [5]: segments =[]In [6]: header_dict = { ...: 'typ': 'JWT', ...: 'alg': 'HS256' ...: }In [7]: json_header = json.dumps(header_dict).encode('utf-8')In [8]: header = urlsafe_b64encode(json_header)In [9]: segments.append(header)In [10]: segmentsOut[10]: [b'eyJ0eXAiOiAiSldUIiwgImFsZyI6ICJIUzI1NiJ9']

26

In [11]: payload_dict = { ....: 'user_id':'pythontw2016' ....: }

In [12]: json_payload =json.dumps(payload_dict).encode('utf-8')

In [13]: payload = urlsafe_b64encode(json_payload)

In [14]: segments.append(payload)

In [15]: segmentsOut[15]:[b'eyJ0eXAiOiAiSldUIiwgImFsZyI6ICJIUzI1NiJ9', b'eyJ1c2VyX2lkIjogInB5dGhvbnR3MjAxNiJ9']

27

In [16]: SECRET = b'secret'In [17]: signing_input = b'.'.join(segments)In [18]: sig = hmac.new (SECRET, signing_input, sha256)In [19]: signature = urlsafe_b64encode(sig.digest())In [20]: segments.append(signature)In [21]: segmentsOut[21]:[b'eyJ0eXAiOiAiSldUIiwgImFsZyI6ICJIUzI1NiJ9', b'eyJ1c2VyX2lkIjogInB5dGhvbnR3MjAxNiJ9', b'qhevGfl16LBHjRG2wb6xDitbGt3lDK-2iUYCsLseCJY=']

In [22]: token = b'.'.join(segments)

In [23]: tokenOut[23]: b'eyJ0eXAiOiAiSldUIiwgImFsZyI6ICJIUzI1NiJ9.eyJ1c2VyX2lkIjogInB5dGhvbnR3MjAxNiJ9.qhevGfl16LBHjRG2wb6xDitbGt3lDK-2iUYCsLseCJY='

Test this token in https://jwt.io/

We don’t need to reinvent the wheel

28

29https://jwt.io/#libraries-io

PyJWT

30

PyJWT

Django DRF JWT Authjson

hmac

base64

hashlibFlask-JWT

PyJWT

>>> import jwt

>>> jwt_token = jwt.encode({ 'payload': ‘pycontw 2106’}, 'secret', algorithm='HS256')'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwYXlsb2FkIjoicHljb250dyAyMDE2In0.TRRENrqd8lc3_AQeo3IRheVkZpMkcqXqYQi891pFL6w’

>>> jwt.decode(jwt_token, 'secret', algorithms=['HS256']){'payload': 'pycontw 2016'}

31

https://github.com/jpadilla/pyjwt

pip install PyJWT

see more in Registered Claim Names

Example Scenarios

32

Copyright © 2016 ThroughTek Co., Ltd. All rights reserved. Confidential. Do not distribute. 33

• Generic applications

• Customization service

• Kalay Kit

• FW integration

micro-service system

Kalay services

34

Users

Kalay AM Kalay DM

JWT

login

Kalay DC

mqtt/https

shared keys shared keys

shared keys

Kalay CloudKalay services

Kalay services

devices

actions (bind/view/control….)

with JWT

Messaging API for Mobile Apps and Websites

● http://api.diuit.com/

Authentication with JWT for security purpose1. User sends login request with credential2. Auth user on your server (account server)3. Request for Nonce on Diuit server4. Obtain nonce from Diuit server5. Use JWT to request session token6. Obtain session token from Diuit server7. Send session token back to messaging client8. Authenticate messaging client on Diuit server using "loginWithAuthToken"

JWT

Your own account server

user login

nonce

=>create JWT

{ "typ": "JWT", "alg": "RS256" "cty": "diuit-eit;v=1" "kid": ${EncryptionKeyId} }

header

{ "iss": ${DIUIT_APP_ID} "sub": ${UNIQUE_USER_ID} "iat": ${CURRENT_TIME_IN_ISO8601_FORMAT} "exp":${SESSION_EXPIRATION_TIME_IN_ISO8601_FORMAT} "nce": ${AUTHENTICATION_NONCE} }

payload

Django REST framework JWTJSON Web Token Authentication support for Django REST Framework

37

Django DRF JWT

38

https://github.com/GetBlimp/django-rest-framework-jwt

Steps:

● pip install djangorestframework-jwt

● add JSONWebTokenAuthentication in Django REST framework's

DEFAULT_AUTHENTICATION_CLASSES (settings.py)

● add URL routes (urls.py)

○ provide JWT token (obtain_jwt_token)○ refresh token (refresh_jwt_token)○ verify token (verify_jwt_token)

● additional settings

Requirements● Python (2.7, 3.3, 3.4)● Django (1.8, 1.9)● Django REST Framework (3.0, 3.1, 3.2, 3.3)

settings.py

39

REST_FRAMEWORK = { 'DEFAULT_PERMISSION_CLASSES': ( 'rest_framework.permissions.IsAuthenticated', ), 'DEFAULT_AUTHENTICATION_CLASSES': ( 'rest_framework.authentication.SessionAuthentication', 'rest_framework.authentication.BasicAuthentication', 'rest_framework_jwt.authentication.JSONWebTokenAuthentication', ),}

from rest_framework_jwt.views import obtain_jwt_token#...

urlpatterns = patterns( '', # ...

url(r'^api-token-auth/', obtain_jwt_token), url(r'^api-token-refresh/', refresh_jwt_token), url(r'^api-token-verify/', verify_jwt_token),)

urls.py

http://getblimp.github.io/django-rest-framework-jwt/

Flask-JWTAdd basic JWT features to your Flask application

40

https://pythonhosted.org/Flask-JWT/

Flask-JWT

from flask import Flaskfrom flask_jwt import JWT, jwt_required, current_identityfrom werkzeug.security import safe_str_cmp

41

https://pythonhosted.org/Flask-JWT/

pip install Flask-JWT

class User(object): def __init__(self, id, username, password): self.id = id self.username = username self.password = password

def __str__(self): return "User(id='%s')" % self.id

users = [ User(1, 'user1', 'abcxyz'), User(2, 'user2', 'abcxyz'),]

username_table = {u.username: u for u in users}userid_table = {u.id: u for u in users}

Minimum viable application configuration:

42

app = Flask(__name__)app.debug = Trueapp.config['SECRET_KEY'] = ' super-secret'

jwt = JWT(app, authenticate, identity )

def identity(payload): user_id = payload['identity'] return userid_table.get(user_id, None)

def authenticate(username, password): user = username_table.get(username, None) if user and safe_str_cmp(user.password.encode('utf-8'), password.encode('utf-8')): return user

@app.route('/protected')@jwt_required()def protected(): return '%s' % current_identityif __name__ == '__main__': app.run()

Configuration

JWT_AUTH_URL_RULE:The authentication endpoint URL. Defaults to /auth

https://pythonhosted.org/Flask-JWT/

jwt working

Recap● JWT (‘jot’) : header, payload, signature

● Stateless token-based authentication

● Use libraries

● PyJWT, Django DRF JWT , Flask-JWT

● Provide, refresh, verify JWT

43

About JWTRef:

● JWT ● https://jwt.io/ ● https://auth0.com/learn/json-web-tokens/ ● https://self-issued.info/docs/draft-ietf-oauth-json-web-token.html

● PyJWT (https://pyjwt.readthedocs.org/)● django-rest-framework-jwt (http://getblimp.github.io/django-rest-framework-jwt/)● Flask-JWT (https://pythonhosted.org/Flask-JWT/)● DjangoCon US 2014 talk on JWT https://speakerdeck.com/jpadilla/djangocon-json-web-tokens

● JWT in Auth0 https://auth0.com/blog/2014/12/02/using-json-web-tokens-as-api-keys/

About Authentication● https://www.owasp.org/index.php/Authentication_Cheat_Sheet

and others:● Kalay platform (http://www.throughtek.com.tw/kalay_overview.html)● diuit messaging api (http://api.diuit.com/ , https://github.com/diuitAPI)● icons: (https://thenounproject.com/)

44

Thank you!

Questions?

45