Tackling Authentication with Phoenix

Authentication is a core feature of modern apps. It has evolved over the years and plays a huge role in a product's success. This talk looks at how to tackle the challenge with Elixir, going over its libraries and showing how to take best advantage of their features.

João Moura

March 03, 2017

Transcript

  1. 90% of passwords are crackable within 6 hours
     https://www.entrepreneur.com/article/242208
  2. 65% of people use the same password everywhere
     https://www.entrepreneur.com/article/242208
  3. 200.000,00 for a small business to fix issues post-breach
     https://www.entrepreneur.com/article/242208

  6-10. Anatomy of a JWT: HEADER . PAYLOAD . SIGNATURE

     Header:    {"alg": "HS256", "typ": "JWT"}
     Payload:   {"sub": "1234567890", "name": "John Doe", "admin": true}
     Signature: HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

     The same structure with the talk's own claims and secret:

     Header:    {"alg": "HS256", "typ": "JWT"}
     Payload:   {"sub": "1", "name": "João Moura", "admin": true}
     Signature: HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), "Th3B1gg3stS3cr3tEv3r")

     Note that header and payload are only base64url-encoded, not encrypted: anyone holding the token can read "admin": true. The signature only stops the claims from being changed without the secret.
  11-13. Login flow between client and server:

     client: POST user/login
     server: creates JWT token
     server: returns JWT to browser
     client: sends JWT as header on later requests
     server: checks JWT signature
     server: sends response to client
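The two halves of that flow, building the token from the slides' header/payload/secret and the server-side "check JWT signature" step, as an added example that is not code from the talk or from Guardian. It uses only the Python standard library; the claims and the secret "Th3B1gg3stS3cr3tEv3r" are the ones shown on the slides, the function names are this example's own, and the forged "alg": "none" token is constructed here as attacker input.

```python
"""Added example (not from the talk): build and verify an HS256 JWT by hand.

Follows the HEADER.PAYLOAD.SIGNATURE layout on the slides and the server's
"check JWT signature" step. Claims and secret are taken from the slides;
function names are this example's own.
"""
import base64
import hashlib
import hmac
import json
from typing import Optional

HEADER = {"alg": "HS256", "typ": "JWT"}


def b64url_encode(raw: bytes) -> str:
    """base64url without '=' padding, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding stripped by b64url_encode before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def json_segment(obj: dict) -> str:
    # Compact separators: any whitespace would change the bytes being signed.
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def encode_hs256(payload: dict, secret: str) -> str:
    """HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)"""
    signing_input = f"{json_segment(HEADER)}.{json_segment(payload)}"
    sig = hmac.new(secret.encode("utf-8"), signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: str) -> Optional[dict]:
    """Return the payload if the token is well-formed and correctly signed, else None.

    Beyond recomputing the HMAC, two checks matter: the header's alg must be
    the one the server expects (a token claiming "none" or another algorithm
    is rejected rather than trusted), and the comparison is constant-time so
    the signature cannot be guessed one byte at a time.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
        presented = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret.encode("utf-8"), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return None
    return payload


def forge_none_alg(payload: dict) -> str:
    """Constructed attacker input: an unsigned token whose header claims alg "none"."""
    return f"{json_segment({'alg': 'none', 'typ': 'JWT'})}.{json_segment(payload)}."


if __name__ == "__main__":
    claims = {"sub": "1", "name": "João Moura", "admin": True}
    token = encode_hs256(claims, "Th3B1gg3stS3cr3tEv3r")
    print(token)
    print(verify_hs256(token, "Th3B1gg3stS3cr3tEv3r"))
    print(verify_hs256(forge_none_alg(claims), "Th3B1gg3stS3cr3tEv3r"))
```

In a real Phoenix app Guardian does this work, but the same three checks (exact algorithm match, HMAC over the untouched base64url segments, constant-time comparison) are what its verification must perform; a library that lets the token pick the algorithm, or that compares signatures with `==`, undoes the protection the signature is meant to give.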
  14. Signing a user in with Guardian once the password check succeeds:

        # Phoenix controller action: verify the credentials, then let
        # Guardian issue the token and store it on the conn/session.
        def login(conn, params) do
          case User.confirm_password(params) do
            {:ok, user} ->
              conn
              |> Guardian.Plug.sign_in(user)
              |> redirect(to: "/")
            # … (the remaining clauses, e.g. the failed-login branch, are elided on the slide)
          end
        end