Secure and Practical Authentication in API Platform

Transcript

1. Secure and Practical Authentication in API Platform

2. Y Software Architect, Developer & Maintainer Symfony Core Team /

   LexikJWTAuthenticationBundle Project Lead / Principal Engineer @Les-Tilleus.coop twitter.com/chalas_r github.com/chalasr Robin Chalas

3. Your text How does API Platform handle authentication?

4. How API Platform handles authentication? Your text Well, it does

   not.

5. How API Platform handles authentication? Your text It is Symfony

   job.

6. The Options ✔ PHP Sessions ✔ JWT ✔ OAuth2 /

   OIDC

7. PHP Sessions Pros • Convenient • Proven (since 20+ years)

   Cons • Scaling is challenging (needs extra storage or sticky sessions) • Not RESTful

8. PHP Sessions: Native File

9. PHP Sessions: Redis

10. PHP Sessions: Json Login Authenticator

11. PHP Sessions Symfony Docs - Sessions https://symfony.com/doc/current/session.html Symfony 5: The

    Fast Track - Redis Sessions https://symfony.com/doc/current/the-fast-track/en/31-redis.html Read More

12. PHP Sessions REST is not a religion. Using sessions for

    your API is fine.

13. The Options ✔ PHP Sessions ✔ JWT ✔ OAuth2 /

    OIDC

14. JWT Pros • Standard Token format (RFC 7519) • Server

    does not need to keep track of sessions • Can be used in contexts where cookies are disabled • Scales easily (any server possessing the public key can verify tokens) • Fun to use Cons • Complex (key management, refresh tokens...)

15. JWT composer require lexik/jwt-authentication-bundle

16. JWT: Symmetric or Asymmetric Only use asymmetric signatures (RSA/ECDSA) when

    multiple applications need to verify the tokens. Otherwise, use symmetric signatures (shared secret - HMAC).

17. JWT: Symmetric Config

18. JWT: Asymmetric Config

19. JWT: Asymmetric key generation

20. JWT: Firewall Config

21. JWT SymfonyCasts - Symfony RESTful API - Authentication with JWT

    https://symfonycasts.com/screencast/symfony-rest4/lexikjwt-authentication-bundle LexikJWTAuthenticationBundle documentation https://github.com/lexik/LexikJWTAuthenticationBundle Read More

22. The Options ✔ PHP Sessions ✔ JWT ✔ OAuth2 /

    OIDC

23. OAuth2 / OIDC If your API needs to authenticate users

    from third party clients, you need OAuth2.

24. OAuth2 / OIDC In this case, the libs you are

    looking for are league/oauth2-server and league/oauth2-client.

25. OAuth2 / OIDC: Symfony Integration For the server part, checkout

    league/oauth2-server-bundle (soon stable).

26. OAuth2 / OIDC: Symfony Integration For the client part, checkout

    knpuniversity/oauth2-client-bundle until something better comes out 😉

27. The Options ✔ PHP Sessions ✔ JWT ✔ OAuth2 /

    OIDC

28. Conclusion Both Sessions and JWTs are valid solutions for API

    authentication. Just use the one that you feel comfortable with. And, as soon as you have third party clients, use OAuth2 with OIDC.

29. Thank you! Robin Chalas Follow me on Twitter @chalas_r Sponsor

    me on GitHub @chalasr ANY QUESTIONS?