Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Tackling Authentication with Phoenix

João Moura
March 03, 2017
Programming
2
460

Tackling Authentication with Phoenix

Authentication is a core feature in modern apps. It’s evolving across the years, playing a huge rule on a product success. In this talk we are gonna check how to tackle this challenge with elixir, going over it’s libraries checking how to take advantage of it’s features on the best way as possible

João Moura

March 03, 2017
Tweet

More Decks by João Moura

See All by João Moura
State Machines in Elixir
joaomdmoura
0
290
Spreading my love for Elixir and State Machines
joaomdmoura
0
51
Unboxing Data Science (Short Verison)
joaomdmoura
0
78
Elixir a Language for the Future
joaomdmoura
0
100
Desenvolvendo Produtos além das Metodologias Ágeis
joaomdmoura
1
54
Graph Theory Behind Immutable JS
joaomdmoura
0
450
E agora mobile?
joaomdmoura
0
60
(short version) Elixir By A Rubyist
joaomdmoura
0
190
Elixir by a Rubyist
joaomdmoura
5
380

Other Decks in Programming

See All in Programming
Identifying User Idenity
moro
6
7.9k
PagerDuty を軸にした On-Call 構築と運用課題の解決 / PagerDuty Japan Community Meetup 4
horimislime
1
110
飲食業界向けマルチプロダクトを実現させる開発体制とリアルな現状
hiroya0601
1
400
Importmapを使ったJavaScriptの 読み込みとブラウザアドオンの影響
swamp09
4
1.3k
Snowflake x dbtで作るセキュアでアジャイルなデータ基盤
tsoshiro
2
430
詳細解説! ArrayListの仕組みと実装
yujisoftware
0
480
macOS でできる リアルタイム動画像処理
biacco42
7
2k
Jakarta Concurrencyによる並行処理プログラミングの始め方 (JJUG CCC 2024 Fall)
tnagao7
1
230
Googleのテストサイズを活用したテスト環境の構築
toms74209200
0
270
Universal Linksの実装方法と陥りがちな罠
kaitokudou
1
220
CPython 인터프리터 구조 파헤치기 - PyCon Korea 24
kennethanceyer
0
250
From Subtype Polymorphism To Typeclass-based Ad hoc Polymorphism - An Example
philipschwarz
PRO
0
170

Featured

See All Featured
The Pragmatic Product Professional
lauravandoore
31
6.3k
Learning to Love Humans: Emotional Interface Design
aarron
272
40k
Visualization
eitanlees
144
15k
BBQ
matthewcrist
85
9.3k
A designer walks into a library…
pauljervisheath
202
24k
StorybookのUI Testing Handbookを読んだ
zakiyama
26
5.2k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.2k
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
3
370
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
92
16k
We Have a Design System, Now What?
morganepeng
50
7.2k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
9
680
Practical Orchestrator
shlominoach
186
10k

Transcript

  1. TACKLING AUTHENTICATION TACKLING AUTHENTICATION TACKLING AUTHENTICATION with Phoenix

  2. https://www.entrepreneur.com/article/242208

  3. 90% of passwords are CRACKABLE within 6 hours 90% 90%

    https://www.entrepreneur.com/article/242208

  4. 90% FREAKING

  5. 65% of people use the SAME PASS everywhere 65% 65%

    https://www.entrepreneur.com/article/242208
  6. None

  7. 初⼼心

  8. BEGGINERS mind

  9. None
  10. None

  11. BEGGINERS mind

  12. None
  13. None
  14. None
  15. None
  16. None
  17. None
  18. None
  19. None

  20. https://www.entrepreneur.com/article/242208

  21. 200.000,00 for a small business to fix issues post-breach 200.000,00

    200.000,00 https://www.entrepreneur.com/article/242208

  22. João M. D. Moura Senior Engineer at Packlane @joaomdmoura

  23. TACKLING AUTHENTICATION TACKLING AUTHENTICATION TACKLING AUTHENTICATION with Phoenix

  24. TACKLING AUTHENTICATION TACKLING AUTHENTICATION TACKLING AUTHENTICATION with Phoenix USABILITY

  25. TACKLING AUTHENTICATION TACKLING AUTHENTICATION TACKLING AUTHENTICATION with Phoenix USABILITY DELEGATE

  26. TACKLING AUTHENTICATION TACKLING AUTHENTICATION TACKLING AUTHENTICATION with Phoenix USABILITY DELEGATE

    SSO

  27. TACKLING AUTHENTICATION TACKLING AUTHENTICATION TACKLING AUTHENTICATION with Phoenix USABILITY DELEGATE

    SSO MICRO SERVICE

  28. AUTHENTICATION AUTHORIZATION X

  29. AUTHENTICATION

  30. SOMETHING YOU KNOW

  31. SOMETHING YOU KNOW

  32. COHERENCE COHERENCE COHERENCE

  33. mix coherence.install --full

  34. ÜBERAUTH ÜBERAUTH ÜBERAUTH

  35. REQUEST

  36. CALLBACK

  37. CALLBACK STRATEGIES }

  38. }

  39. }

  40. a.k.a. magic login links SOMETHING YOU HAVE

  41. a.k.a. magic login links SOMETHING YOU HAVE

  42. POT POT POT

  43. Secret + Time = 123456

  44. secret = "S3CR3T" token = :pot.totp(secret)

  45. secret = "S3CR3T" token = "123456" is_valid = :pot.valid_totp(token, secret)

  46. MULTI-FACTOR authentication

  47. MULTI-FACTOR authentication …or getting away with a shitty password

  48. MULTI-FACTOR authentication …or getting away with a shitty password

  49. AUTHORIZATION

  50. None
  51. None
  52. None

  53. knock knock client server

  54. None

  55. who's there? client server

  56. None

  57. Me. client server

  58. None

  59. ktkx. client server

  60. SESSION COOKIES +

  61. HTTP STATELESS

  62. None

  63. client

  64. client server

  65. client server knock knock. BTW it’s me. ktkx.

  66. JSON Web Tokens JWT

  67. HEADER.PAYLOAD.SIGNATURE

  68. HEADER PAYLOAD SIGNATURE } } }

  69. HEADER PAYLOAD SIGNATURE } } }

  70. HEADER PAYLOAD SIGNATURE } } } {"alg": "HS256", "typ": "JWT"}

  71. HEADER PAYLOAD SIGNATURE } } } {"alg": "HS256", "typ": "JWT"}

    {"sub": "1234567890", "name": "John Doe", "admin": true}

  72. HEADER PAYLOAD SIGNATURE } } } {"alg": "HS256", "typ": "JWT"}

    {"sub": "1234567890", "name": "John Doe", "admin": true} HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

  73. eyJhbGciOiJIUzI1NiIsInR5cCI6 IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwi bmFtZSI6IkpvaG4gRG9lIiwiYWRt aW4iOnRydWV9. TJVA95OrM7E2cBab30RMHrHDcEfx joYZgeFONFh7HgQ

  74. eyJhbGciOiJIUzI1NiIsInR5cCI6 IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwi bmFtZSI6IkpvaG4gRG9lIiwiYWRt aW4iOnRydWV9. TJVA95OrM7E2cBab30RMHrHDcEfx joYZgeFONFh7HgQ

  75. HTTP HEADERS

  76. Authorization: Bearer <token>

  77. client server

  78. POST user/login client server

  79. POST user/login creates JWT Token client server

  80. HEADER PAYLOAD SIGNATURE } } }

  81. HEADER PAYLOAD SIGNATURE } } } {"alg": "HS256", "typ": "JWT"}

  82. HEADER PAYLOAD SIGNATURE } } } {"alg": "HS256", "typ": "JWT"}

    {"sub": "1", "name": “João Moura", "admin": true}

  83. HEADER PAYLOAD SIGNATURE } } } {"alg": "HS256", "typ": "JWT"}

    {"sub": "1", "name": “João Moura", "admin": true} HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), “Th3B1gg3stS3cr3tEv3r”)

  84. HEADER PAYLOAD SIGNATURE } } } {"alg": "HS256", "typ": "JWT"}

    {"sub": "1", "name": “João Moura", "admin": true} HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), “Th3B1gg3stS3cr3tEv3r”)

  85. eyJhbGciOiJIUzI1NiIsInR5cCI6 IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwi bmFtZSI6IkpvaG4gRG9lIiwiYWRt aW4iOnRydWV9. TJVA95OrM7E2cBab30RMHrHDcEfx joYZgeFONFh7HgQ

  86. POST user/login creates JWT Token client server

  87. POST user/login creates JWT Token return JWT to browser client

    server

  88. POST user/login creates JWT Token return JWT to browser send

    JWT as Header client server

  89. POST user/login creates JWT Token return JWT to browser send

    JWT as Header check JWT signature client server

  90. eyJhbGciOiJIUzI1NiIsInR5cCI6 IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwi bmFtZSI6IkpvaG4gRG9lIiwiYWRt aW4iOnRydWV9. TJVA95OrM7E2cBab30RMHrHDcEfx joYZgeFONFh7HgQ

  91. eyJhbGciOiJIUzI1NiIsInR5cCI6 IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwi bmFtZSI6IkpvaG4gRG9lIiwiYWRt aW4iOnRydWV9

  92. eyJhbGciOiJIUzI1NiIsInR5cCI6 IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwi bmFtZSI6IkpvaG4gRG9lIiwiYWRt aW4iOnRydWV9

  93. eyJhbGciOiJIUzI1NiIsInR5cCI6 IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwi bmFtZSI6IkpvaG4gRG9lIiwiYWRt aW4iOnRydWV9 +SECRET

  94. eyJhbGciOiJIUzI1NiIsInR5cCI6 IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwi bmFtZSI6IkpvaG4gRG9lIiwiYWRt aW4iOnRydWV9 +SECRET TJVA95OrM7E2cBab30RMHrHDcEfx joYZgeFONFh7HgQ

  95. eyJhbGciOiJIUzI1NiIsInR5cCI6 IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwi bmFtZSI6IkpvaG4gRG9lIiwiYWRt aW4iOnRydWV9 +SECRET TJVA95OrM7E2cBab30RMHrHDcEfx joYZgeFONFh7HgQ

  96. client server POST user/login creates JWT Token return JWT to

    browser send JWT as Header check JWT signature

  97. client server POST user/login creates JWT Token return JWT to

    browser send JWT as Header check JWT signature send response to client

  98. GUARD GUARD GUARD

  99. Guardian.Plug.sign_in(conn, user)

  100. def login(conn, params) do case User.confirm_password(params) do {:ok, user} ->

    conn |> Guardian.Plug.sign_in(user) |> redirect(to: "/") … end end

  101. pipeline :browser_auth do plug Guardian.Plug.VerifySession plug Guardian.Plug.LoadResource end

  102. scope "/", MyApp do pipe_through [:browser, :browser_auth] get ”/home”, HomeController,

    :homepage end

  103. WRAP UP

  104. 1.We have a password problem

  105. 2.We should start embracing multi-factor authentication

  106. 3.Stateless auth is a thing. JWT is worth checking.

  107. 4. There are great auth libs around elixir!

  108. None
  109. None

  110. https://github.com/joaomdmoura/keeper

  111. None
  112. None
  113. None
  114. None

  115. joaomdmoura.com Learn Elixir with a Rubyist

  116. João M. D. Moura Senior Engineer at Packlane joaomdmoura.com