Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Tackling Authentication with Phoenix

João Moura
March 03, 2017
Programming
2
460

Tackling Authentication with Phoenix

Authentication is a core feature in modern apps. It’s evolving across the years, playing a huge rule on a product success. In this talk we are gonna check how to tackle this challenge with elixir, going over it’s libraries checking how to take advantage of it’s features on the best way as possible

João Moura

March 03, 2017
Tweet

More Decks by João Moura

See All by João Moura
State Machines in Elixir
joaomdmoura
0
290
Spreading my love for Elixir and State Machines
joaomdmoura
0
51
Unboxing Data Science (Short Verison)
joaomdmoura
0
78
Elixir a Language for the Future
joaomdmoura
0
100
Desenvolvendo Produtos além das Metodologias Ágeis
joaomdmoura
1
54
Graph Theory Behind Immutable JS
joaomdmoura
0
450
E agora mobile?
joaomdmoura
0
60
(short version) Elixir By A Rubyist
joaomdmoura
0
190
Elixir by a Rubyist
joaomdmoura
5
380

Other Decks in Programming

See All in Programming
Contemporary Test Cases
maaretp
0
140
Figma Dev Modeで変わる!Flutterの開発体験
watanave
0
150
NSOutlineView何もわからん:( 前編 / I Don't Understand About NSOutlineView :( Pt. 1
usagimaru
0
340
CSC509 Lecture 12
javiergs
PRO
0
160
Jakarta EE meets AI
ivargrimstad
0
690
Hotwire or React? ~アフタートーク・本編に含めなかった話~ / Hotwire or React? after talk
harunatsujita
1
120
カンファレンスの「アレ」Webでなんとかしませんか? / Conference “thing” Why don't you do something about it on the Web?
dero1to
1
110
Amazon Qを使ってIaCを触ろう!
maruto
0
420
Tauriでネイティブアプリを作りたい
tsucchinoko
0
370
みんなでプロポーザルを書いてみた
yuriko1211
0
280
ローコードSaaSのUXを向上させるためのTypeScript
taro28
1
630
광고 소재 심사 과정에 AI를 도입하여 광고 서비스 생산성 향상시키기
kakao
PRO
0
170

Featured

See All Featured
The Language of Interfaces
destraynor
154
24k
Ruby is Unlike a Banana
tanoku
97
11k
Why You Should Never Use an ORM
jnunemaker
PRO
54
9.1k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
27
840
A designer walks into a library…
pauljervisheath
204
24k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.3k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Testing 201, or: Great Expectations
jmmastey
38
7.1k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
191
16k
How To Stay Up To Date on Web Technology
chriscoyier
788
250k
GitHub's CSS Performance
jonrohan
1030
460k

Transcript

  1. TACKLING AUTHENTICATION TACKLING AUTHENTICATION TACKLING AUTHENTICATION with Phoenix

  2. https://www.entrepreneur.com/article/242208

  3. 90% of passwords are CRACKABLE within 6 hours 90% 90%

    https://www.entrepreneur.com/article/242208

  4. 90% FREAKING

  5. 65% of people use the SAME PASS everywhere 65% 65%

    https://www.entrepreneur.com/article/242208
  6. None

  7. 初⼼心

  8. BEGGINERS mind

  9. None
  10. None

  11. BEGGINERS mind

  12. None
  13. None
  14. None
  15. None
  16. None
  17. None
  18. None
  19. None

  20. https://www.entrepreneur.com/article/242208

  21. 200.000,00 for a small business to fix issues post-breach 200.000,00

    200.000,00 https://www.entrepreneur.com/article/242208

  22. João M. D. Moura Senior Engineer at Packlane @joaomdmoura

  23. TACKLING AUTHENTICATION TACKLING AUTHENTICATION TACKLING AUTHENTICATION with Phoenix

  24. TACKLING AUTHENTICATION TACKLING AUTHENTICATION TACKLING AUTHENTICATION with Phoenix USABILITY

  25. TACKLING AUTHENTICATION TACKLING AUTHENTICATION TACKLING AUTHENTICATION with Phoenix USABILITY DELEGATE

  26. TACKLING AUTHENTICATION TACKLING AUTHENTICATION TACKLING AUTHENTICATION with Phoenix USABILITY DELEGATE

    SSO

  27. TACKLING AUTHENTICATION TACKLING AUTHENTICATION TACKLING AUTHENTICATION with Phoenix USABILITY DELEGATE

    SSO MICRO SERVICE

  28. AUTHENTICATION AUTHORIZATION X

  29. AUTHENTICATION

  30. SOMETHING YOU KNOW

  31. SOMETHING YOU KNOW

  32. COHERENCE COHERENCE COHERENCE

  33. mix coherence.install --full

  34. ÜBERAUTH ÜBERAUTH ÜBERAUTH

  35. REQUEST

  36. CALLBACK

  37. CALLBACK STRATEGIES }

  38. }

  39. }

  40. a.k.a. magic login links SOMETHING YOU HAVE

  41. a.k.a. magic login links SOMETHING YOU HAVE

  42. POT POT POT

  43. Secret + Time = 123456

  44. secret = "S3CR3T" token = :pot.totp(secret)

  45. secret = "S3CR3T" token = "123456" is_valid = :pot.valid_totp(token, secret)

  46. MULTI-FACTOR authentication

  47. MULTI-FACTOR authentication …or getting away with a shitty password

  48. MULTI-FACTOR authentication …or getting away with a shitty password

  49. AUTHORIZATION

  50. None
  51. None
  52. None

  53. knock knock client server

  54. None

  55. who's there? client server

  56. None

  57. Me. client server

  58. None

  59. ktkx. client server

  60. SESSION COOKIES +

  61. HTTP STATELESS

  62. None

  63. client

  64. client server

  65. client server knock knock. BTW it’s me. ktkx.

  66. JSON Web Tokens JWT

  67. HEADER.PAYLOAD.SIGNATURE

  68. HEADER PAYLOAD SIGNATURE } } }

  69. HEADER PAYLOAD SIGNATURE } } }

  70. HEADER PAYLOAD SIGNATURE } } } {"alg": "HS256", "typ": "JWT"}

  71. HEADER PAYLOAD SIGNATURE } } } {"alg": "HS256", "typ": "JWT"}

    {"sub": "1234567890", "name": "John Doe", "admin": true}

  72. HEADER PAYLOAD SIGNATURE } } } {"alg": "HS256", "typ": "JWT"}

    {"sub": "1234567890", "name": "John Doe", "admin": true} HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

  73. eyJhbGciOiJIUzI1NiIsInR5cCI6 IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwi bmFtZSI6IkpvaG4gRG9lIiwiYWRt aW4iOnRydWV9. TJVA95OrM7E2cBab30RMHrHDcEfx joYZgeFONFh7HgQ

  74. eyJhbGciOiJIUzI1NiIsInR5cCI6 IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwi bmFtZSI6IkpvaG4gRG9lIiwiYWRt aW4iOnRydWV9. TJVA95OrM7E2cBab30RMHrHDcEfx joYZgeFONFh7HgQ

  75. HTTP HEADERS

  76. Authorization: Bearer <token>

  77. client server

  78. POST user/login client server

  79. POST user/login creates JWT Token client server

  80. HEADER PAYLOAD SIGNATURE } } }

  81. HEADER PAYLOAD SIGNATURE } } } {"alg": "HS256", "typ": "JWT"}

  82. HEADER PAYLOAD SIGNATURE } } } {"alg": "HS256", "typ": "JWT"}

    {"sub": "1", "name": “João Moura", "admin": true}

  83. HEADER PAYLOAD SIGNATURE } } } {"alg": "HS256", "typ": "JWT"}

    {"sub": "1", "name": “João Moura", "admin": true} HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), “Th3B1gg3stS3cr3tEv3r”)

  84. HEADER PAYLOAD SIGNATURE } } } {"alg": "HS256", "typ": "JWT"}

    {"sub": "1", "name": “João Moura", "admin": true} HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), “Th3B1gg3stS3cr3tEv3r”)

  85. eyJhbGciOiJIUzI1NiIsInR5cCI6 IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwi bmFtZSI6IkpvaG4gRG9lIiwiYWRt aW4iOnRydWV9. TJVA95OrM7E2cBab30RMHrHDcEfx joYZgeFONFh7HgQ

  86. POST user/login creates JWT Token client server

  87. POST user/login creates JWT Token return JWT to browser client

    server

  88. POST user/login creates JWT Token return JWT to browser send

    JWT as Header client server

  89. POST user/login creates JWT Token return JWT to browser send

    JWT as Header check JWT signature client server

  90. eyJhbGciOiJIUzI1NiIsInR5cCI6 IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwi bmFtZSI6IkpvaG4gRG9lIiwiYWRt aW4iOnRydWV9. TJVA95OrM7E2cBab30RMHrHDcEfx joYZgeFONFh7HgQ

  91. eyJhbGciOiJIUzI1NiIsInR5cCI6 IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwi bmFtZSI6IkpvaG4gRG9lIiwiYWRt aW4iOnRydWV9

  92. eyJhbGciOiJIUzI1NiIsInR5cCI6 IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwi bmFtZSI6IkpvaG4gRG9lIiwiYWRt aW4iOnRydWV9

  93. eyJhbGciOiJIUzI1NiIsInR5cCI6 IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwi bmFtZSI6IkpvaG4gRG9lIiwiYWRt aW4iOnRydWV9 +SECRET

  94. eyJhbGciOiJIUzI1NiIsInR5cCI6 IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwi bmFtZSI6IkpvaG4gRG9lIiwiYWRt aW4iOnRydWV9 +SECRET TJVA95OrM7E2cBab30RMHrHDcEfx joYZgeFONFh7HgQ

  95. eyJhbGciOiJIUzI1NiIsInR5cCI6 IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwi bmFtZSI6IkpvaG4gRG9lIiwiYWRt aW4iOnRydWV9 +SECRET TJVA95OrM7E2cBab30RMHrHDcEfx joYZgeFONFh7HgQ

  96. client server POST user/login creates JWT Token return JWT to

    browser send JWT as Header check JWT signature

  97. client server POST user/login creates JWT Token return JWT to

    browser send JWT as Header check JWT signature send response to client

  98. GUARD GUARD GUARD

  99. Guardian.Plug.sign_in(conn, user)

  100. def login(conn, params) do case User.confirm_password(params) do {:ok, user} ->

    conn |> Guardian.Plug.sign_in(user) |> redirect(to: "/") … end end

  101. pipeline :browser_auth do plug Guardian.Plug.VerifySession plug Guardian.Plug.LoadResource end

  102. scope "/", MyApp do pipe_through [:browser, :browser_auth] get ”/home”, HomeController,

    :homepage end

  103. WRAP UP

  104. 1.We have a password problem

  105. 2.We should start embracing multi-factor authentication

  106. 3.Stateless auth is a thing. JWT is worth checking.

  107. 4. There are great auth libs around elixir!

  108. None
  109. None

  110. https://github.com/joaomdmoura/keeper

  111. None
  112. None
  113. None
  114. None

  115. joaomdmoura.com Learn Elixir with a Rubyist

  116. João M. D. Moura Senior Engineer at Packlane joaomdmoura.com