Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Painless authentication with access tokens

Painless authentication with access tokens

Via some simple but real scenarios, we will discover the power of the new AccessToken Authenticator shipped in Symfony 6.2. For example, we are developing a SaaS product, which exposes a private API. Our users can register many applications into their accounts, for each one we will generate an API Token that users must inject in their requests. Now, with a pinch of YAML and a dash of PHP, we will be able to authenticate users from their API Token. In this talk, I will show you how it also works with JWT and some other exotic tokens!

Mathieu Santostefano

November 28, 2022
Tweet

More Decks by Mathieu Santostefano

Other Decks in Technology

Transcript

  1. Painless Authentication with Access Tokens Mathieu Santostefano 🧑‍💻 Web developer

    at Symfony Core Team Member Twitter @welcomattic GitHub @welcomattic Photo by Kelly Sikkema on Unsplash
  2. 🍽 On the menu 1. Access token, what is it?

    3 Photo by Nathan Dumlao on Unsplash
  3. 🍽 On the menu 1. Access token, what is it?

    2. Implementation with Symfony 6.1 3 Photo by Nathan Dumlao on Unsplash
  4. 🍽 On the menu 1. Access token, what is it?

    2. Implementation with Symfony 6.1 3. Time travel 3 Photo by Nathan Dumlao on Unsplash
  5. 🍽 On the menu 1. Access token, what is it?

    2. Implementation with Symfony 6.1 3. Time travel 4. Implementation with Symfony 6.2 3 Photo by Nathan Dumlao on Unsplash
  6. 🍽 On the menu 1. Access token, what is it?

    2. Implementation with Symfony 6.1 3. Time travel 4. Implementation with Symfony 6.2 5. Code examples 3 Photo by Nathan Dumlao on Unsplash
  7. 🍽 On the menu 1. Access token, what is it?

    2. Implementation with Symfony 6.1 3. Time travel 4. Implementation with Symfony 6.2 5. Code examples 6. In the future? 3 Photo by Nathan Dumlao on Unsplash
  8. ✨ The New Security System Removed everything but Guards Moved

    to an event-based system Authenticator based: instantiate a Passport with Badges Your job is to use Authenticator or implement your own 6
  9. ✨ The New Security System Event-based system You can interact

    on different levels CheckPassportEvent AuthenticationTokenCreatedEvent AuthenticationSuccessEvent LoginSuccessEvent LoginFailureEvent LogoutEvent TokenDeauthenticatedEvent SwitchUserEvent 7
  10. ✨ The New Security System As before, you can still

    handle what happens in case of authentication success or failure 🤩 Like many things since the last years in Symfony, it improves the DX 8
  11. 🪙 What is an Access Token? i-am-an-4cc3ss-t0k3n could be an

    Access Token mF_9.B5f-4.1JqM could be an Access Token 9
  12. 🪙 What is an Access Token? i-am-an-4cc3ss-t0k3n could be an

    Access Token mF_9.B5f-4.1JqM could be an Access Token eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4... could be an Access Token 9
  13. 🪙 What is an Access Token? i-am-an-4cc3ss-t0k3n could be an

    Access Token mF_9.B5f-4.1JqM could be an Access Token eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4... could be an Access Token 🌮 could be an Access Token 9
  14. 🪙 What is an Access Token? i-am-an-4cc3ss-t0k3n could be an

    Access Token mF_9.B5f-4.1JqM could be an Access Token eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4... could be an Access Token 🌮 could be an Access Token 🔡 An Access Token is represented by a string. 9
  15. 📑 Use cases Authentication with Access Token is useful in

    some contexts, like Stateless user login API Gateway in front of private APIs Application that access to personal data provided by a third party Micro-services between them Client applications of a SaaS API … 10
  16. 🤨 Ok, so? Must be sent in a HTTP request

    to fetch a protected resource The application expects to find a token, 👉 validate 👈 it and decide to allow access or not 11
  17. 🤨 Ok, so? Must be sent in a HTTP request

    to fetch a protected resource The application expects to find a token, 👉 validate 👈 it and decide to allow access or not 11
  18. 🛂 Token issuer Let’s assume our tokens come from an

    external authentication server, the user identity has been verified by this server 12
  19. ✅ Validate the token? The validation process is up to

    you Check if the string is present in a database Compute a hash and compare it to the expected one Decode the token (base64, …) and make assertions on decoded values Ensure the expiration date is not passed if needed Check if the token has been revoked or not Call an OpenID Connect server to validate the token … 13
  20. 🎬 Marvel Scenarios Manager, a web app for writers and

    reviewers Each user (Writers and Reviewers) has an API key Admin for Writers Form login authentication Writers can create Scenarios Web app for Reviewers Call the private API using API Key obtained after Reviewer login Admins can revoke API key at any time 15
  21. 16

  22. 17

  23. 👉 With Symfony <= 6.1 Create a custom Authenticator 1.

    Extract token 2. Decode token if needed (JWT, SAML, …) 3. Check token validity 4. Retrieve user identifier from the token 5. Then load User object 6. Handle authentication failure cases 18
  24. 👂 Have you heard about RFC 6750? Token transportation In

    request header? ➡ Authorization header In query string? ➡ parameter access_token In request body? ➡ parameter access_token 19
  25. 👂 Have you heard about RFC 6750? Token transportation In

    request header? ➡ Authorization header In query string? ➡ parameter access_token In request body? ➡ parameter access_token WWW-Authenticate response header in case of failure 19
  26. 👂 Have you heard about RFC 6750? Token transportation In

    request header? ➡ Authorization header In query string? ➡ parameter access_token In request body? ➡ parameter access_token WWW-Authenticate response header in case of failure HTTPS protocol mandatory 19
  27. 20

  28. 🧑‍💻 Some code 21 1 /** Simplified version */ 2

    private function extractToken(Request $req): ?string 3 { 4 return match (true) { 5 // Header 6 $req->headers->has('Authorization') => str_replace('Bearer ', '', $req->headers->get('Authorization')), 7 8 // Query string 9 $req->query->has('access_token') => $req->query->get('access_token'), 10 11 // Request body 12 $req->request->has('access_token') => $req->request->get('access_token'), 13 14 default => null, 15 }; 16 }
  29. 🧑‍💻 Some code 22 1 public function authenticate(Request $req): Passport

    2 { 3 if (null === $apiKey = $this->extractToken($req)) { 4 throw new AuthenticationException('No API Key provided'); 5 } 6 7 // Here, it could be some logic to validate the token 8 9 return new SelfValidatingPassport( 10 new UserBadge($apiKey, 11 function (string $apiKey) { 12 return $this->userRepository->findOneByApiKey($apiKey); 13 } 14 ) 15 ); 16 }
  30. 🥱 Boring code We have to repeat this code in

    all our applications, boring Our responsibility to respect RFC6750, boring No body likes boring code Boring code is code we rewrite in all projects, no business value Poor Developer eXperience, Symfony tends to improve DX This is definitely improvable 23
  31. 24

  32. ⌚ Discussions started long time ago June 2019, first PR

    about OAuth2 Component. ❌ Aborted 26
  33. ⌚ Discussions started long time ago April 2020, continuation of

    Wouter’s work on new Security system 28
  34. ⌚ Discussions started long time ago March 2022, Vincent Chalamon

    opens an issue about "Bearer Authenticator" 29
  35. ⌚ Discussions started long time ago Finally, on May 21st,

    2022, Vincent Chalamon & Florent Morselli each open a pull request to implement the Authenticator 30
  36. AccessTokenAuthenticator Takes care of token extraction Header Query string Request

    body And/or your Custom extractors Calls your Token Handler to check the token (revocation, expiration, signature, …) Custom success / failure handlers if needed ✨ All this via configuration! 34
  37. What kind of tokens could be used? JWT SAML2 Biscuit

    Macaroons Homemade tokens (with chocolate chips and nuts 😋 ) … Any kind of token, as it’s up to you to handle them 35
  38. ⚙ Internally, in Symfony Extraction with ChainTokenExtractor (configurable order) Default

    and custom extractors can be used at the same time Handle the token with your TokenHandlerInterface implementation AccessTokenAuthenticator will create a PostAuthenticationToken object set WWW-Authenticate Response header content in case of failure use the configured User Provider in security.yaml 36
  39. 6.1 security.yaml 38 1 security: 2 providers: 3 user_provider: 4

    entity: 5 class: App\Entity\User 6 property: apiKey 7 firewalls: 8 api: 9 pattern: ^/api 10 lazy: true 11 provider: user_provider 12 custom_authenticator: App\Security\ApiKeyAuthenticator
  40. 39 1 class ApiKeyAuthenticator extends AbstractAuthenticator 8 public function supports(Request

    $req): ?bool 9 { 10 return $req->headers->has('Authorization') || $req->query->has('access_token') || $req->request->has('access_token'); 11 } 2 { 3 public function __construct( 4 private readonly UserRepository $userRepository, 5 private readonly string $env, 6 ) {} 7 12 13 public function authenticate(Request $req): Passport 14 { 15 if (null === $apiKey = $this->extractToken($req)) { 16 throw new AuthenticationException('No API Key provided'); 17 } 18 19 // Here, it could be some logic to validate the token 20 21 return new SelfValidatingPassport( 22 new UserBadge($apiKey, 23 function (string $apiKey) { 24 return $this->userRepository->findOneByApiKey($apiKey); 25 } 26 ) 27 ); 28 } 29 } 6.1 ApiKeyAuthenticator
  41. 39 13 public function authenticate(Request $req): Passport 14 { 15

    if (null === $apiKey = $this->extractToken($req)) { 16 throw new AuthenticationException('No API Key provided'); 17 } 18 19 // Here, it could be some logic to validate the token 20 21 return new SelfValidatingPassport( 22 new UserBadge($apiKey, 23 function (string $apiKey) { 24 return $this->userRepository->findOneByApiKey($apiKey); 25 } 26 ) 27 ); 28 } 29 } 1 class ApiKeyAuthenticator extends AbstractAuthenticator 2 { 3 public function __construct( 4 private readonly UserRepository $userRepository, 5 private readonly string $env, 6 ) {} 7 8 public function supports(Request $req): ?bool 9 { 10 return $req->headers->has('Authorization') || $req->query->has('access_token') || $req->request->has('access_token'); 11 } 12 6.1 ApiKeyAuthenticator
  42. 39 15 if (null === $apiKey = $this->extractToken($req)) { 1

    class ApiKeyAuthenticator extends AbstractAuthenticator 2 { 3 public function __construct( 4 private readonly UserRepository $userRepository, 5 private readonly string $env, 6 ) {} 7 8 public function supports(Request $req): ?bool 9 { 10 return $req->headers->has('Authorization') || $req->query->has('access_token') || $req->request->has('access_token'); 11 } 12 13 public function authenticate(Request $req): Passport 14 { 16 throw new AuthenticationException('No API Key provided'); 17 } 18 19 // Here, it could be some logic to validate the token 20 21 return new SelfValidatingPassport( 22 new UserBadge($apiKey, 23 function (string $apiKey) { 24 return $this->userRepository->findOneByApiKey($apiKey); 25 } 26 ) 27 ); 28 } 29 } 6.1 ApiKeyAuthenticator
  43. 6.1 ApiKeyAuthenticator 40 1 /** Simplified version */ 2 private

    function extractToken(Request $req): ?string 3 { 4 return match (true) { 5 // Header 6 $req->headers->has('Authorization') => str_replace('Bearer ', '', $req->headers->get('Authorization')), 7 8 // Query string 9 $req->query->has('access_token') => $req->query->get('access_token'), 10 11 // Request body 12 $req->request->has('access_token') => $req->request->get('access_token'), 13 14 default => null, 15 }; 16 }
  44. 6.2 security.yaml 41 1 security: 2 providers: 3 user_provider: 4

    entity: 5 class: App\Entity\User 6 property: apiKey 7 firewalls: 8 api: 9 pattern: ^/api 10 lazy: true 11 provider: user_provider 12 access_token: 13 token_extractors: 14 - header 15 - query_string 16 - request_body 17 token_handler: App\Security\AccessTokenHandler
  45. 6.2 AccessTokenHandler 42 1 class AccessTokenHandler implements AccessTokenHandlerInterface 2 {

    3 public function __construct( 4 private readonly UserRepository $userRepository, 5 private readonly string $env, 6 ) {} 7 8 public function getUserIdentifierFrom(string $token): string 9 { 10 $user = $this->userRepository->findOneByApiKey($token); 11 12 if ($user === null) { 13 throw new BadCredentialsException('Invalid credentials.'); 14 } 15 16 return $user->getUserIdentifier(); 17 } 18 }
  46. 44

  47. 6.2 With a JWT issued by an OIDC server 45

    1 class JwtHandler implements AccessTokenHandlerInterface 2 { 3 public function __construct( 4 private readonly HttpClientInterface $oidcHttpClient, 5 ) {} 6 7 public function getUserIdentifierFrom(string $accessToken): string 8 { 9 try { 10 $userInfo = $this->oidcHttpClient->request('GET', 'protocol/openid-connect/userinfo', [ 11 'auth_bearer' => $accessToken, 12 ])->toArray(); 13 } catch (HttpExceptionInterface $e) { 14 throw new BadCredentialsException($e->getMessage()); 15 } 16 17 return $userInfo['email']; 18 } 19 }
  48. 6.2 With a JWT issued by your Symfony app with

    lcobucci/jwt (or web-token/jwt-checker) 46
  49. 🔐 6.2 security.yaml 47 1 security: 2 providers: 3 user_provider:

    4 entity: 5 class: App\Entity\User 6 property: email 7 firewalls: 8 api: 9 pattern: ^/api 10 lazy: true 11 provider: user_provider 12 access_token: 13 token_extractors: header 14 token_handler: App\Security\JwtHandler
  50. 48 1 class JwtHandler implements AccessTokenHandlerInterface 2 { 3 public

    function __construct( 4 private readonly Parser $jwtParser = new Parser(new JoseEncoder()), 5 private readonly Validator $jwtValidator = new Validator(), 6 ) {} 7 8 public function getUserIdentifierFrom(string $accessToken): string 9 { 10 $jwt = $this->jwtParser->parse($accessToken); 11 $timezone = new \DateTimeZone('Europe/Paris'); 12 13 try { 14 $this->jwtValidator->assert($jwt, new ValidAt(new SystemClock($timezone))); 15 $this->jwtValidator->assert($jwt, new SignedWith( 16 new Sha256(), 17 InMemory::plainText('PRIVATE-KEY') 18 )); 19 } catch (RequiredConstraintsViolated $e) { 20 throw new BadCredentialsException($e->getMessage()); 21 } 22 23 return $jwt->claims()->get(RegisteredClaims::SUBJECT); 24 } 25 } 6.2 JwtHandler
  51. 💫 In the future? Add a native JwtHandler to Symfony?

    Add a native SamlHandler to Symfony? Add a native BiscuitHandler to Symfony? 👉 It’s up to the community! 50
  52. 51

  53. 52

  54. Less responsibility, less code Configure the way the extraction should

    be done Focus on the token processing Decoding Checking signature, expiration, revocation Retrieve user identifier 🦸 Leverage all Symfony power to fine tune configuration to your needs 53
  55. Thank you ☕ 🍰 Any questions? Slides and demo apps

    👉 welcomattic.github.io/painless-authentication-with-access-token Sources JWT RFC Bearer Token Usage RFC In-depth article about token authentication 55