Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Secure and Practical Authentication in API Plat...

Robin Chalas
September 13, 2021

Secure and Practical Authentication in API Platform

The Security part of your API is not something that belongs to API Platform itself. Instead, the framework lets you rely on the Symfony Security integration, including Symfony's built-in authenticators and community bundles that build on top of it.

Stateful VS stateless, Cookies VS Headers, Standard protocols VS home-made authentication flows... There's a lot of alternatives, which can make it very hard to find the right one.

In this talk we will review all these possibilities to see how you should secure your API depending on your application and infrastructure. Last but not least, we will discover a novelty that will help solving this issue.

Robin Chalas

September 13, 2021
Tweet

More Decks by Robin Chalas

Other Decks in Programming

Transcript

  1. Y Software Architect, Developer & Maintainer Symfony Core Team /

    LexikJWTAuthenticationBundle Project Lead / Principal Engineer @Les-Tilleus.coop twitter.com/chalas_r github.com/chalasr Robin Chalas
  2. PHP Sessions Pros • Convenient • Proven (since 20+ years)

    Cons • Scaling is challenging (needs extra storage or sticky sessions) • Not RESTful
  3. PHP Sessions Symfony Docs - Sessions https://symfony.com/doc/current/session.html Symfony 5: The

    Fast Track - Redis Sessions https://symfony.com/doc/current/the-fast-track/en/31-redis.html Read More
  4. JWT Pros • Standard Token format (RFC 7519) • Server

    does not need to keep track of sessions • Can be used in contexts where cookies are disabled • Scales easily (any server possessing the public key can verify tokens) • Fun to use Cons • Complex (key management, refresh tokens...)
  5. JWT: Symmetric or Asymmetric Only use asymmetric signatures (RSA/ECDSA) when

    multiple applications need to verify the tokens. Otherwise, use symmetric signatures (shared secret - HMAC).
  6. JWT SymfonyCasts - Symfony RESTful API - Authentication with JWT

    https://symfonycasts.com/screencast/symfony-rest4/lexikjwt-authentication-bundle LexikJWTAuthenticationBundle documentation https://github.com/lexik/LexikJWTAuthenticationBundle Read More
  7. OAuth2 / OIDC If your API needs to authenticate users

    from third party clients, you need OAuth2.
  8. OAuth2 / OIDC In this case, the libs you are

    looking for are league/oauth2-server and league/oauth2-client.
  9. OAuth2 / OIDC: Symfony Integration For the server part, checkout

    league/oauth2-server-bundle (soon stable).
  10. OAuth2 / OIDC: Symfony Integration For the client part, checkout

    knpuniversity/oauth2-client-bundle until something better comes out 😉
  11. Conclusion Both Sessions and JWTs are valid solutions for API

    authentication. Just use the one that you feel comfortable with. And, as soon as you have third party clients, use OAuth2 with OIDC.