PHP Experience 2016 - [Palestra] Json Web Token (JWT)

•

2 likes•2,149 views

Ivan Rosolen, Head de Inovação na Arizona, fez a palestra "Json Web Token (JWT)", no PHP Experience 2016. O iMasters PHP Experience 2016 aconteceu nos dias 21 e 22 de Março de 2015, no Hotel Tivoli em São Paulo-SP http://phpexperience2016.imasters.com.br/

Education

Ivan Rosolen
Graduado em Sistemas de Informação
Pós-graduado em Gerência de Projetos
Desenvolvedor a 15+ anos
Autor de vários PHPT (testes para o PHP)
Entusiasta de novas tecnologias
Head of Innovation @ Arizona
CTO @ Mokation

- Form Request Post/Get
- OAuth
- Key/Hash
- Credenciais em plain text
- Session Cookies

- Data is stored in plain text on the server
- Filesystem read/write requests
- Distributed/clustered applications
- Redis/Sticky sessions

- Stateless authentication (simplifies horizontal scaling)
- Prevent (mitigate) Cross-Site Request Forgery (CSRF)
attacks.
- Security (https)
- Authorization: Bearer

- Authentication vs. Authorization
- 401 unauthorized / 403 forbidden
- JWT != ACL

- JWT
- JWS
- JWA
- JWK
- JWE
JSON Object Signing and Encryption

- JSON Web Tokens work across different programming languages
- JWTs are self-contained
- JWTs can be passed around easily and secure
- Better control like “one time token” to forgot password, confirm
user, request rates, access, etc.
- One token to rule them all (Stateless)

Claims
- iss: The issuer of the token
- sub: The subject of the token
- aud: The audience of the token
- exp: This will probably be the registered claim most often used. This will define the expiration
in NumericDate value. The expiration MUST be after the current date/time.
- nbf: Defines the time before which the JWT MUST NOT be accepted for processing
- iat: The time the JWT was issued. Can be used to determine the age of the JWT
- jti: Unique identifier for the JWT. Can be used to prevent the JWT from being replayed. This is
helpful for a one time use token.
http://www.slideshare.net/lcobucci/jwt-to-authentication-and-beyond

Payload / Claims
{
"iss": "ivanrosolen.com",
"exp": 1300819380,
"name": "Ivan Rosolen",
"admin": true
}

JWT
eyJ0eXAiOiAiSldUIiwiYWxnIjogIkhTMjU2In0=
.
eyJpc3MiOiAiaXZhbnJvc29sZW4uY29tIiwiZXhwIjogMTMwM
DgxOTM4MCwibmFtZSI6ICJJdmFuIFJvc29sZW4iLCJhZG1pbiI
6IHRydWV9
.

JWS
- header
- claims
payload
base64(header) . base64(claims)

JWA
- secret (hmac sha256, rsa256 ....)
- encrypt payload with key ‘Xuplau’

Signature
var encodedString = base64UrlEncode(header) + "."
+ base64UrlEncode(payload);
HMACSHA256(encodedString, 'Xuplau');

Screencast
Utilizando PHP será explicado como gerar de forma manual (sem uso de
qualquer biblioteca) um JSON Web Token, que pode ser utilizado para
compartilhar informações entre aplicações e autorizar o portador do
token a acessar dados protegidos.
https://www.youtube.com/watch?v=k3KfK0ZS_FY

Github
https://github.com/ivanrosolen/crud-demo
JWT
https://github.com/dwyl/learn-json-web-tokens
http://jwt.io
https://developer.atlassian.com/static/connect/docs/latest/concepts/understanding-jwt.html
http://stackoverflow.com/questions/20588467/how-to-do-stateless-session-less-cookie-less-authentication
Talks
http://www.slideshare.net/erickt86/secureapi
http://www.slideshare.net/lcobucci/jwt-to-authentication-and-beyond
Luís Otávio Cobucci Oblonczyk
https://github.com/lcobucci/jwt
https://github.com/Ocramius/PSR7Session

OBRIGADO!
Visite phpsp.org.br
https://joind.in/talk/05eb0

What's hot

Json web token

Mayank Patel

Json web token api authorization

Giulio De Donato

In this talk originally presented at the San Diego Javascript meetup on December 3rd 2014, I explain how JSON Web Tokens can be used as a replacement for session/cookie-based user authentication in modern web applications. Since web applications are increasingly leveraging client-side MVC frameworks such as Ember.JS, Angular and Backbone, traditional authentication schemes that leverage cookies are less desirable. I explain the key challenges with traditional authentication schemes and how JWT can be used as a very clean alternative.

What are JSON Web Tokens and Why Should I Care?

Derek Edwards

iMasters Intercon 2016 - Identity within Microservices

Erick Belluci Tedeschi

Securing Single Page Applications with Token Based Authentication

Stefan Achtsnit

Token Based Authentication Systems

Hüseyin BABAL

High profile security breaches have become embarrassingly common, but ultimately avoidable. Now more than ever, database security is a critical component of any production application. In this talk we'll learn to secure your deployment in accordance with best practices and compliance regulations. We'll explore the MongoDB Enterprise features which ensure HIPAA and PCI compliance, and protect you against attack, data exposure and a damaged reputation.

Architecting Secure and Compliant Applications with MongoDB

MongoDB

Microservices have become the hottest topic in software architecture over the past year, and much can be said about their benefits. But there are many challenges related to their security implementation and security context propagation over their components. This session addresses how to perform authentication and authorization inside a microservices architecture, covering technologies such as OAuth2, OpenID Connect, and JSON Web Token and use of Spring Cloud Security to integrate with a Spring and/or Java EE–based application platform.

Protecting Java Microservices: Best Practices and Strategies

Rodrigo Cândido da Silva

OAuth is a widespread web-based standard. It’s purpose is to provide safe inter-application access to web resources without having to reveal passwords or other sensible credentials across the wire or to third party applications. After lots of tough discussions for two and a half years version 2.0 of this standard has been released – finally. This session gives you an introduction to OAuth 2.0. You will understand its concepts as well as its limitations and pitfalls. You will also learn how it feels to write your own OAuth 2.0 based application based on real-life code examples.

OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen

Codemotion

Javascript Object Signing & Encryption

Aaron Zauner

Applying Security Controls on REST APIs

Erick Belluci Tedeschi

Ignite Talk: I AM a robot, how do I log in?

VMware Tanzu

Top 10 Web Hacks Every year the number and creativity of Web hacks increases, and the damage from these attacks rises exponentially, costing organizations millions every year. Join this webinar to learn about the latest and most insidious Web-based attacks. The much anticipated list, now in its seventh year, represents exhaustive research conducted by a panel of experienced security industry professionals. Learn the latest of the worst in Web hacks, and how to protect your organization.

Top 10 Web Hacks 2012

Matt Johansen

W3 conf hill-html5-security-realities

Brad Hill

Remember that time where setting up a login page was easy? It seems like nowadays, it take many weeks to start a project just to create a signup form, a login form and a forget password screen. And that is if you don’t need 2 factor authentication or passwordless authentication. During this presentation, the attendees will be introduced to OpenID and OAuth. They will also learn how to leverage this to create secure application or, most importantly, how to delegate to a third party so they can focus on their real work.

I Don't Care About Security (And Neither Should You)

Joel Lord

The screencast of this presentation can be found at https://youtu.be/o3uy7dgG_n4 There is an assumption in the industry, amongst companies large and small alike, that if they store sensitive user data (and sometimes do some mild encryption) in their database, it's locked in and secured from potential attacks. People rely too heavily on their false assumptions of security, and it usually ends up costing them extensively when that is proven wrong. In this session, Jonathan will build a foundation for identity and data security that everyone dealing with sensitive data should understand. We'll break down concepts of identity security, common attack vectors and how to protect yourself, and how to harden your web application.

PHP Identity and Data Security

Jonathan LeBlanc

Web enabled systems are now an integral part of everything we interact with, from microelectronics to voice enabled hardware, from text messages and phone calls to email, and really we’re just limited by our imaginations as to what we can connect. As we explore vast new realms of communication over mixed digital media, we have to ask ourselves how we protect our critical data within potential unsecure environments. Going beyond that, how do we protect some of our more critical data, payment information, in this same realm. As we look at a multitude of different environments, we’ll be exploring how to secure user identity and payment information through the communication channels, covering topics like: * Securing identity and payment data through voice commands or text. * Tokenization and encryption security. * Techniques for triggering secure transactions from communications media. At the end of the session, we’ll have a stronger understanding of proper techniques for working with new communication media sources, and see how we can apply fundamental security precepts in potentially insecure environments.

Secure Payments Over Mixed Communication Media

Jonathan LeBlanc

Java Session

AathikaJava

Insecurity-In-Security version.1 (2010)

Abhishek Kumar

What's hot (19)

Json web token

Json web token api authorization

What are JSON Web Tokens and Why Should I Care?

iMasters Intercon 2016 - Identity within Microservices

Securing Single Page Applications with Token Based Authentication

Token Based Authentication Systems

Architecting Secure and Compliant Applications with MongoDB

Protecting Java Microservices: Best Practices and Strategies

OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen

Javascript Object Signing & Encryption

Applying Security Controls on REST APIs

Ignite Talk: I AM a robot, how do I log in?

Top 10 Web Hacks 2012

W3 conf hill-html5-security-realities

I Don't Care About Security (And Neither Should You)

PHP Identity and Data Security

Secure Payments Over Mixed Communication Media

Java Session

Insecurity-In-Security version.1 (2010)

Viewers also liked

Web 2.0 - From a Social to a Service Web

Jury Konga

PHP Experience 2016 - [Palestra] Keynote: PHP-7

iMasters

PHP Experience 2016 - [Workshop] Deploy escalável na Amazon AWS

iMasters

PHP Experience 2016 - [Palestra] Melhorando a comunicação da API através de DSL

iMasters

PHP Experience 2016 - [Palestra] Autenticação em APIs

iMasters

Waw - Gas

impactaeventos

PHP Experience 2016 - [Workshop] APIs bem desenhadas como base para integrações

iMasters

Boas práticas de API Design

Caio Ribeiro Pereira

PHP Experience 2016 - [Workshop] Agile: Test Driven Development

iMasters

PHP Experience 2016 - [Palestra] Rumo à Certificação PHP

iMasters

In this last years a lot of high traffic web sites have been built in PHP. One of the main problem to design a distributed PHP architecture is how to share session data between multiple servers. In this presentation we showed the most used solutions to scale a PHP application along multiple servers. We presented different solutions to share session data using open source solutions (nfs, databases, memcached, redis, etc). Moreover we talk about Zend Server Cluster Manager, an enterprise ready Web Application Server for running and managing an HA Cluster of PHP servers.

How to scale PHP applications

Enrico Zimuel

Creating REST Applications with the Slim Micro-Framework by Vikram Vaswani

vvaswani

PHP Experience 2016 - [Workshop] Elastic Search: Turbinando sua aplicação PHP

iMasters

This talk is about how to secure your frontend applications using a RESTful approach. As opposed to traditional and monolithic server-side applications, when your frontend application is running on a browser and not securely from the server, there are few things you need to consider. We will explore standards like OAuth or JWT to achieve a stateless, token-based authentication using frameworks like Angular JS on the frontend and Spring Security on the backend. Note: images are courtesy of Shutterstock.com

Stateless token-based authentication for pure front-end applications

Alvaro Sanchez-Mariscal

What I learnt: Elastic search & Kibana : introduction, installtion & configur...

Rahul K Chauhan

React.js has taken the web development world by storm, and for good reason: React offers a declarative, component-oriented approach to building highly-scalable web UIs. But how can we take advantage of a JavaScript library like React in our server-side PHP applications. In this talk l cover the different ways React.js can be integrated into an existing PHP web application: from a client-side only approach to multiple techniques that support full server-side rendering with a Node.js server or PHP’s v8js. I also discuss the trade-offs in each of these designs and the challenges involved with adding React to a PHP site. Most importantly, I consider the higher-level issue of how to improve view cohesion across the client-server divide in a PHP application.

Integrating React.js Into a PHP Application

Andrew Rota

Viewers also liked (16)

Web 2.0 - From a Social to a Service Web

PHP Experience 2016 - [Palestra] Keynote: PHP-7

PHP Experience 2016 - [Workshop] Deploy escalável na Amazon AWS

PHP Experience 2016 - [Palestra] Melhorando a comunicação da API através de DSL

PHP Experience 2016 - [Palestra] Autenticação em APIs

Waw - Gas

PHP Experience 2016 - [Workshop] APIs bem desenhadas como base para integrações

Boas práticas de API Design

PHP Experience 2016 - [Workshop] Agile: Test Driven Development

PHP Experience 2016 - [Palestra] Rumo à Certificação PHP

How to scale PHP applications

Creating REST Applications with the Slim Micro-Framework by Vikram Vaswani

PHP Experience 2016 - [Workshop] Elastic Search: Turbinando sua aplicação PHP

Stateless token-based authentication for pure front-end applications

What I learnt: Elastic search & Kibana : introduction, installtion & configur...

Integrating React.js Into a PHP Application

Similar to PHP Experience 2016 - [Palestra] Json Web Token (JWT)

RoadSec 2017 - Trilha AppSec - APIs Authorization

Erick Belluci Tedeschi

The Uniface Lectures are an ongoing series of free monthly technical webinars that cover a wide range of useful topics. In this edition of the Lectures webinar on Application & Infrastructure Security - JSON Web Tokens we cover the following main topics: • The JWT standard • Applying JWT to Uniface • Uniface technology to support JWT • Sample application of JWT • And more… Session video recording is on: youtube.com/unifacesme Webinar video recording archive: go.uniface.com/Lectures-page

Uniface Lectures Webinar - Application & Infrastructure Security - JSON Web T...

Uniface

In this presentation, Java Developer Evangelist Micah Silverman demystifies HTTP Authentication and explains how the Next Big Thing - Token Authentication - can be used to secure web applications on the JVM, REST APIs, and 'unsafe' clients while supporting security best practices and even improving your application's performance and scale. Topics Covered: Security Concerns for Modern Web Apps Cross-Site Scripting Prevention Working with 'Untrusted Clients' Securing API endpoints Cookies Man in the Middle (MitM) Attacks Cross-Site Request Forgery Session ID Problems Token Authentication JWTs Working with the JJWT library End-to-end example with Spring Boot

Securing Web Applications with Token Authentication

Stormpath

Building Secure User Interfaces With JWTs

robertjd

Jwt the complete guide to json web tokens

remayssat

Identity and Access Management - RSA 2017 Security Foundations Seminar

Brian Campbell

Everyone building a web application that supports user login is concerned with security. How do you securely authenticate users and keep their identity secure? With the huge growth in Single Page Applications (SPAs), JavaScript and mobile applications, how do you keep users safe even though these are 'unsafe' client environments? This presentation will demystify HTTP Authentication and explain how the Next Big Thing - Token Authentication - can be used to secure web applications on the JVM, REST APIs, and 'unsafe' clients while supporting security best practices and even improving your application's performance and scale.

Token Authentication for Java Applications

Stormpath

Authorization Using JWTs

ForgeRock Identity Tech Talks

JSON WEB TOKEN

Knoldus Inc.

JWT Authentication with AngularJS

robertjd

Web Attacks - Top threats - 2010

Shreeraj Shah

OWASP Free Training - SF2014 - Keary and Manico

Eoin Keary

Jwt with flask slide deck - alan swenson

Jeffrey Clark

Here you can find the slides that accompany my “SPA Secure Coding Guide”, this presentation go through a set of security best practices specially targeted towards developing Angular applications with ASP.Net Web Api backends. It comes with a WebApi example project available on GitHub that provides several code examples of how to defend yourself. The example app is based on the famous "Tour of Heroes" Angular app used throughout the Angular documentation. It first introduce general threat modelling before explaining the most current type of attacks Asp.Net Web API are vulnerable to . It is designed to serve as a secure coding reference guide, to help development teams quickly understand Asp.Net Core secure coding practices.

Spa Secure Coding Guide

Geoffrey Vandiest

Introduction to JWT and How to integrate with Spring Security

Bruno Henrique Rother

Roberto Bicchierai - Defending web applications from attacks

Pietro Polsinelli

jwt.pdf

kveeru4

Security is hard. Old days are over and it requires way more then providing login form, comparing password hash and maintaining HTTP session. With the raise of mobile and client side apps, (micro) services and APIs it has become a fairly complex topic. At the same time with security breaches hitting the news on the monthly basis it is everyone's concern. Being an area every developer or architect needs to understand very well. Thankfully a number of modern standards and solutions emerged to help with current challenges. During this talk you will learn how to approach typical security needs using modern token based security and standards like OAuth2, OpenID Connect or SAML. We’ll discuss wide variety of security related topics around multi factor authentication or identity federation and brokering . You will also learn how you can leverage modern open source identity and access management solutions in your applications.

[4developers2016] - Security in the era of modern applications and services (...

PROIDEA

Jwt Security

Seid Yassin

Slides from talks at DunDDD and NDCLondon. News stories of security vulnerabilities in mobile apps are becoming more common and their impact risks affecting more and more business and consumers. It doesn't have to be this way. There are solutions to all the common security issues in mobile but sometimes we need to be made aware of what the issues are and how they can be prevented. That's what I'll show in this talk. I'll draw on more than twelve years personal experience building apps for a wide variety of industries and the accumulated knowledge of the OWASP Mobile Security. We'll look at some examples of the common security mistakes apps on iOS, Android and Windows have made and then show practical examples of how to address the issues. You'll leave this session wanting to review the security of your mobile apps but armed with the knowledge to make improvements and fix some security holes.

Is your mobile app as secure as you think?

Matt Lacey

Similar to PHP Experience 2016 - [Palestra] Json Web Token (JWT) (20)

RoadSec 2017 - Trilha AppSec - APIs Authorization

Uniface Lectures Webinar - Application & Infrastructure Security - JSON Web T...

Securing Web Applications with Token Authentication

Building Secure User Interfaces With JWTs

Jwt the complete guide to json web tokens

Identity and Access Management - RSA 2017 Security Foundations Seminar

Token Authentication for Java Applications

Authorization Using JWTs

JSON WEB TOKEN

JWT Authentication with AngularJS

Web Attacks - Top threats - 2010

OWASP Free Training - SF2014 - Keary and Manico

Jwt with flask slide deck - alan swenson

Spa Secure Coding Guide

Introduction to JWT and How to integrate with Spring Security

Roberto Bicchierai - Defending web applications from attacks

jwt.pdf

[4developers2016] - Security in the era of modern applications and services (...

Jwt Security

Is your mobile app as secure as you think?

More from iMasters

O que você precisa saber para modelar bancos de dados NoSQL - Dani Monteiro

iMasters

Postgres: wanted, beloved or dreaded? - Fabio Telles

iMasters

Durante os anos de experiencia percebi que grande parte dos desenvolvedores possuem dificuldade em iniciar o troubleshooting de suas queries, muitas vezes sobrecarregando o DBA em muitos dos casos com queries simples. O intuito desta palestrar é mostrar o "caminho das pedras" para despertar nos desenvolvedores a necessidade de se conhecer o funcionamento da ferramenta utilizada e visando os desenvolvimentos futuros tendo como foco o pensamento em performance do código escrito e dicas de melhores códigos.

Por que minha query esta lenta? - Suellen Moraes

iMasters

"essa sessão iremos abordar os principais problemas arquiteturais, e suas soluções, que encontro nas mais diversas corporações brasileiras. Desde bancos de dados recebendo 100% de querys Adhoc, CPDs inundados, até servidores que foram metralhados e não possuiam backup. Falaremos sobre arquitetura de dados, boas práticas de backup, alta disponibilidade, disaster recovery, performance, boas práticas de configuraçao e etc."

Relato das trincheiras: o dia a dia de uma consultoria de banco de dados - Ig...

iMasters

Com a evolução dos aplicativos nascem novas técnicas, frameworks, linguagens de programação, porém, existe um fato consolidado dentro da arquitetura de software corporativo que é a integração com alguma tecnologia necessária para armazenar as informações inerentes ao sistema. Seja SQL ou NoSQL um ponto importante é que o paradigma das linguagens difere da tecnologia do banco de dados. Com o intuito de facilitar o desenvolvimento surgem as ferramentas que realizam a interpretação entre a camada da aplicação e os bancos. Assim, aparecem grandes desafios: como lidar com essa lacuna multiparadigma? Como favorecer o desenvolvimento sem impactar a performance e a modelagem no banco de dados? O objetivo dessa palestra é falar um pouco desses pontos para que, finalmente, os programadores e os DBAs conseguam viver em paz e harmonia.

ORMs heróis ou vilões dentro da arquitetura de dados? - Otávio gonçalves

iMasters

SQL e NoSQL trabalhando juntos: uma comparação para obter o melhor de ambos -...

iMasters

Diante das novas regulamentações externas (GDPR), e a nova legislação Brasileira sobre Proteção de Dados Pessoais (LGPD), o que fazer para se adequar? Por Onde começar? O que Fazer? E o que não fazer? Para que serve a Governança de Dados e como ela pode ajudar sua empresa no processo de adequação/conformidade a padrões internacionais de Privacidade e Segurança da Informação? Diante de tantos caminhos e desafios, um overview do que se trata, por onde começar o caminho, algumas armadilhas a evitar, e algumas boas práticas para não apenas se proteger, mas evitar futuros problemas.

Arquitetando seus dados na prática para a LGPD - Alessandra Martins

iMasters

Esta palestra vai abordar qual é o papel do DBA no cenário atual onde processos de machine learning estão cada vez mais presentes nas empresas. O conteúdo discutirá tópicos que tocam em temas como o relacionamento entre o DBA e o cientistas de dados, a gestão dos dados, integração de tecnologias, reciclagem de profissionais e outros fatores que devem ser levados em consideração pelo DBA atual, uma vez que as empresas cada vez mais investem em projetos de machine learning.

O papel do DBA no mundo de ciência de dados e machine learning - Mauro Pichil...

iMasters

Juliana Chahoud - Consultora, ThoughtWorks Com tantas empresas adotando a estratégia "Mobile-First" (dispositivos móveis em primeiro), uma das grandes decisões que um time de desenvolvimento precisa tomar é: qual tech stack usar para mobile? Diversas tecnologias e linguagens podem ser adotadas, como Swift, Java, Kotlin, React Native, Flutter, Progressive Web App, criação de sites responsivos, etc... No entanto, com tantas variáveis a serem consideradas, essa decisão passou a ser não trivial e que pode trazer grandes consequências a longo prazo e até mesmo inviabilizar um projeto. Nessa palestra serão discutidos os prós e contras de diversas abordagens, para que você possa ter um guia para tomar decisões mais corretas no uso dessas tecnologias Palestra apresentada no InterCon 2018 - https://eventos.imasters.com.br/intercon

Desenvolvimento Mobile Híbrido, Nativo ou Web: Quando usá-los - Juliana Chahoud

iMasters

Andrêza Leite - Professora - UFRPE Model Driven Development(MDD) está se tornando um tópico quente (novamente!). Mas por que MDD? Quais são as vantagens de MDD, MDE, MDA e outros acrônimos relacionados a model-driven? Nesta palestra tentarei responder essa questão listando algumas vantagens e perigos do desenvolvimento orientado a modelos, alinhados ao uso prático destas técnicas para geração de código e esquemas de bancos de dados. Palestra realizada no InterCon 2018 - https://eventos.imasters.com.br/intercon

Use MDD e faça as máquinas trabalharem para você - Andreza Leite

iMasters

Entendendo os porquês do seu servidor - Talita Bernardes

iMasters

Backend performático além do "coloca mais máquina lá" - Diana Arnos

iMasters

Renato Groffe - Engenheiro de Software, Canal .NET O que posso fazer em termos de bancos de dados para obter APIs que executem seu trabalho de forma otimizada e com maior velocidade? Que soluções para cache podem ser empregadas? E que tal tratar os retornos destas APIs, reduzindo o volume dos dados trafegados? E quanto a problemas de performance, o que utilizar para facilitar a detecção destes tipos de ocorrências? Acompanhe esta apresentação para obter respostas a estas questões durante o desenvolvimento de APIs REST. Palestra realizada no InterCon 2018 - https://eventos.imasters.com.br/intercon

Dicas para uma maior performance em APIs REST - Renato Groffe

iMasters

7 dicas de desempenho que equivalem por 21 - Danielle Monteiro

iMasters

Maurício Maujor - Divulgador dos Padrões Web, Maujor.com A acessibilidade é essencial para desenvolvedores e organizações que desejam criar websites e aplicações web de alta qualidade e não excluir pessoas do uso de seus produtos e serviços. Nesta palestra Maujor aborda alguns conceitos de acessibilidade com o objetivo de motivar e conscientizar para a importância de se projetar web com foco em acessibilidade. Palestra apresentada no InterCon 2018 - https://eventos.imasters.com.br/intercon

Quem se importa com acessibilidade Web? - Mauricio Maujor

iMasters

Wellington Figueira da Silva - Sysadmin de Códigos, Easy Com a popularidade dos contêineres ficou mais fácil criar microserviços e mais ágil construir aplicações distribuídas, porém a gerência desses serviços fica muito mais complicada. Mostraremos a ferramenta chamada Istio que nos ajuda com service discovery, com a distribuição de carga, com as rotas, com a detecção e tratamento de falhas, com controle de acesso entre aplicações dentre muitas outras funcionalidades disponíveis. Apresentado no InterCon 2018 - https://eventos.imasters.com.br/intercon

Service Mesh com Istio e Kubernetes - Wellington Figueira da Silva

iMasters

Erros: Como eles vivem, se alimentam e se reproduzem? - Augusto Pascutti

iMasters

Elasticidade e engenharia de banco de dados para alta performance - Rubens G...

iMasters

Carolina Karklis - Software developer, Magnetis O hype da orientação a objetos passou e com ele precisamos rever algumas práticas. Até mesmo o codebase mais limpo pode ter mensagens de erro precárias, checagens de tipo de dado em excesso, e uso dispensável de variáveis nulas. Nessa talk vou refatorar um sistema frágil e mostrar estratégias dentro do paradigma de orientação a objetos para escrever código de forma mais simples e confiante. No processo, vamos ver padrões de arquitetura de software que podemos usar, como melhorar mensagens para cenários de input inesperado e remover todas as variáveis nulas possíveis do nosso código.

Construindo aplicações mais confiantes - Carolina Karklis

iMasters

Felipe Regalgo - Especialista em Desenvolvimento de Software, Mercado Livre Mostraremos como o Mercado Livre monitora suas aplicações para identificar Bugs, Anomalias e comportamentos fora de padrão esperado. Falaremos sobre sistemas como NewRelic, DataDog, Kibana, OpsGenie e demais ferramentas internas que temos para facilitar e identificar problemas nas centenas de micro-serviços que temos antes mesmo deles chegarem até o usuário final. Apresentado no InterCon 2018 - https://eventos.imasters.com.br/intercon

Monitoramento de Aplicações - Felipe Regalgo

iMasters

More from iMasters (20)

O que você precisa saber para modelar bancos de dados NoSQL - Dani Monteiro

Postgres: wanted, beloved or dreaded? - Fabio Telles

Por que minha query esta lenta? - Suellen Moraes

Relato das trincheiras: o dia a dia de uma consultoria de banco de dados - Ig...

ORMs heróis ou vilões dentro da arquitetura de dados? - Otávio gonçalves

SQL e NoSQL trabalhando juntos: uma comparação para obter o melhor de ambos -...

Arquitetando seus dados na prática para a LGPD - Alessandra Martins

O papel do DBA no mundo de ciência de dados e machine learning - Mauro Pichil...

Desenvolvimento Mobile Híbrido, Nativo ou Web: Quando usá-los - Juliana Chahoud

Use MDD e faça as máquinas trabalharem para você - Andreza Leite

Entendendo os porquês do seu servidor - Talita Bernardes

Backend performático além do "coloca mais máquina lá" - Diana Arnos

Dicas para uma maior performance em APIs REST - Renato Groffe

7 dicas de desempenho que equivalem por 21 - Danielle Monteiro

Quem se importa com acessibilidade Web? - Mauricio Maujor

Service Mesh com Istio e Kubernetes - Wellington Figueira da Silva

Erros: Como eles vivem, se alimentam e se reproduzem? - Augusto Pascutti

Elasticidade e engenharia de banco de dados para alta performance - Rubens G...

Construindo aplicações mais confiantes - Carolina Karklis

Monitoramento de Aplicações - Felipe Regalgo

Recently uploaded

How to Give a Domain for a Field in Odoo 17

Celine George

APM Welcome Tuesday 30 April 2024 APM North West Network Conference, Synergies Across Sectors Presented by: Professor Adam Boddison OBE, Chief Executive Officer, APM Conference overview: https://www.apm.org.uk/community/apm-north-west-branch-conference/ Content description: APM welcome from CEO The main conference objective was to promote the Project Management profession with interaction between project practitioners, APM Corporate members, current project management students, academia and all who have an interest in projects.

APM Welcome, APM North West Network Conference, Synergies Across Sectors

Association for Project Management

1029 - Danh muc Sach Giao Khoa 10 . pdf

QucHHunhnh

Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...

christianmathematics

fourth grading exam for kindergarten in writing

TeacherCyreneCayanan

Nutritional Needs Presentation - HLTH 104

misteraugie

The basics of sentences session 2pptx copy.pptx

heathfieldcps1

The global implications of DORA and NIS 2 Directive are significant, extending beyond the European Union. Amongst others, the webinar covers: • DORA and its Implications • Nis 2 Directive and its Implications • How to leverage directive and regulation as a marketing tool and competitive advantage • How to use new compliance framework to request additional budget Presenters: Christophe Mazzola - Senior Cyber Governance Consultant Armed with endless Excel files, a meme catalog worthy of the best X'os (formerly twittos), and a risk register to make your favorite risk manager jealous, I swapped my computer scientist cape a few years ago for that of a (cyber) threat hunter with the honorary title of CISO. Ah, and I am also a quadruple senior certified ISO27001/2/5, Pas mal non ? C'est francais. Malcolm Xavier Malcolm Xavier has been working in the Digital Industry for over 18 Years now. He has worked with Global Clients in South Africa, United States and United Kingdom. He has achieved Many Professional Certifications Like CISSP, Google Cloud Practitioner, TOGAF, Azure Cloud, ITIL v3 etc. His core competencies include IT strategy, cybersecurity, IT infrastructure management, data center migration and consolidation, data protection and compliance, risk management and governance, and IS program development and management. Date: April 25, 2024 Tags: Information Security, Digital Operational Resilience Act (DORA) ------------------------------------------------------------------------------- Find out more about ISO training and certification services Training: Digital Operational Resilience Act (DORA) - EN | PECB NIS 2 Directive - EN | PECB Webinars: https://pecb.com/webinars Article: https://pecb.com/article Whitepaper: https://pecb.com/whitepaper ------------------------------------------------------------------------------- For more information about PECB: Website: https://pecb.com/ LinkedIn: https://www.linkedin.com/company/pecb/ Facebook: https://www.facebook.com/PECBInternational/ Slideshare: http://www.slideshare.net/PECBCERTIFICATION

Beyond the EU: DORA and NIS 2 Directive's Global Impact

PECB

Unit-IV- Pharma. Marketing Channels.pptx

VishalSingh1417

Introduction to Nonprofit Accounting: The Basics

TechSoup

Mattingly "AI & Prompt Design: The Basics of Prompt Design"

National Information Standards Organization (NISO)

Web & Social Media Analytics Previous Year Question Paper.pdf

Jayanti Pande

Accessible design: Minimum effort, maximum impact

dawncurless

Measures of Dispersion and Variability: Range, QD, AD and SD

Thiyagu K

microwave assisted reaction. General introduction

Maksud Ahmed

Application orientated numerical on hev.ppt

RamjanShidvankar

Basic Civil Engineering notes first year Notes Building notes Selection of site for Building Layout of a Building What is Burjis, Mutam Building Bye laws Basic Concept of sunlight ventilation in building National Building Code of India Set back or building line Types of Buildings Floor Space Index (F.S.I) Institutional Vs Educational Building Components & function Sills, Lintels, Cantilever Doors, Windows and Ventilators Types of Foundation AND THEIR USES Plinth Area Shallow and Deep Foundation Super Built-up & carpet area Floor Area Ratio (F.A.R) RCC Reinforced Cement Concrete RCC VS PCC

Basic Civil Engineering first year Notes- Chapter 4 Building.pptx

Denish Jangid

Z Score,T Score, Percential Rank and Box Plot Graph

Thiyagu K

Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"

National Information Standards Organization (NISO)

Seal of Good Local Governance (SGLG) 2024Final.pptx

negromaestrong

Recently uploaded (20)

How to Give a Domain for a Field in Odoo 17

APM Welcome, APM North West Network Conference, Synergies Across Sectors

1029 - Danh muc Sach Giao Khoa 10 . pdf

Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...

fourth grading exam for kindergarten in writing

Nutritional Needs Presentation - HLTH 104

The basics of sentences session 2pptx copy.pptx

Beyond the EU: DORA and NIS 2 Directive's Global Impact

Unit-IV- Pharma. Marketing Channels.pptx

Introduction to Nonprofit Accounting: The Basics

Mattingly "AI & Prompt Design: The Basics of Prompt Design"

Web & Social Media Analytics Previous Year Question Paper.pdf

Accessible design: Minimum effort, maximum impact

Measures of Dispersion and Variability: Range, QD, AD and SD

microwave assisted reaction. General introduction

Application orientated numerical on hev.ppt

Basic Civil Engineering first year Notes- Chapter 4 Building.pptx

Z Score,T Score, Percential Rank and Box Plot Graph

Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"

Seal of Good Local Governance (SGLG) 2024Final.pptx

PHP Experience 2016 - [Palestra] Json Web Token (JWT)

1. JSON WEB TOKEN

2. Ivan Rosolen Graduado em Sistemas de Informação Pós-graduado em Gerência de Projetos Desenvolvedor a 15+ anos Autor de vários PHPT (testes para o PHP) Entusiasta de novas tecnologias Head of Innovation @ Arizona CTO @ Mokation

3. @ivanrosolen

4. Authentication

5. - Form Request Post/Get - OAuth - Key/Hash - Credenciais em plain text - Session Cookies

6. - Data is stored in plain text on the server - Filesystem read/write requests - Distributed/clustered applications - Redis/Sticky sessions

7. API

8. - Stateless authentication (simplifies horizontal scaling) - Prevent (mitigate) Cross-Site Request Forgery (CSRF) attacks. - Security (https) - Authorization: Bearer

9. - Authentication vs. Authorization - 401 unauthorized / 403 forbidden - JWT != ACL

10. JOSE

11. - JWT - JWS - JWA - JWK - JWE JSON Object Signing and Encryption

12. Advantages

13. - JSON Web Tokens work across different programming languages - JWTs are self-contained - JWTs can be passed around easily and secure - Better control like “one time token” to forgot password, confirm user, request rates, access, etc. - One token to rule them all (Stateless)

14. Anatomy

15. header.claims.signature

16. Header { "typ": "JWT", "alg": "HS256" }

17. Claims - iss: The issuer of the token - sub: The subject of the token - aud: The audience of the token - exp: This will probably be the registered claim most often used. This will define the expiration in NumericDate value. The expiration MUST be after the current date/time. - nbf: Defines the time before which the JWT MUST NOT be accepted for processing - iat: The time the JWT was issued. Can be used to determine the age of the JWT - jti: Unique identifier for the JWT. Can be used to prevent the JWT from being replayed. This is helpful for a one time use token. http://www.slideshare.net/lcobucci/jwt-to-authentication-and-beyond

18. Payload / Claims { "iss": "ivanrosolen.com", "exp": 1300819380, "name": "Ivan Rosolen", "admin": true }

19. JWT eyJ0eXAiOiAiSldUIiwiYWxnIjogIkhTMjU2In0= . eyJpc3MiOiAiaXZhbnJvc29sZW4uY29tIiwiZXhwIjogMTMwM DgxOTM4MCwibmFtZSI6ICJJdmFuIFJvc29sZW4iLCJhZG1pbiI 6IHRydWV9 .

20. JWS - header - claims payload base64(header) . base64(claims)

21. JWA - secret (hmac sha256, rsa256 ....) - encrypt payload with key ‘Xuplau’

22. Signature var encodedString = base64UrlEncode(header) + "." + base64UrlEncode(payload); HMACSHA256(encodedString, 'Xuplau');

23. JWT eyJ0eXAiOiAiSldUIiwiYWxnIjogIkhTMjU2In0= . eyJpc3MiOiAiaXZhbnJvc29sZW4uY29tIiwiZXhwIjogMTMwM DgxOTM4MCwibmFtZSI6ICJJdmFuIFJvc29sZW4iLCJhZG1pbiI 6IHRydWV9 . M2FjZTM0M2ZiNjhhMzBiOWNiYTkxN2U1Zjk4YjUxOWYzMT Y3NGZlMmU4MTIzYjU1NTRkMjNlNjYzOTkyZGU2Nw==

24. Screencast Utilizando PHP será explicado como gerar de forma manual (sem uso de qualquer biblioteca) um JSON Web Token, que pode ser utilizado para compartilhar informações entre aplicações e autorizar o portador do token a acessar dados protegidos. https://www.youtube.com/watch?v=k3KfK0ZS_FY

25. Warning!

26. Code

27.

28.

29. Github - Session - JWT - JOSE

30. Refs

31. Github https://github.com/ivanrosolen/crud-demo JWT https://github.com/dwyl/learn-json-web-tokens http://jwt.io https://developer.atlassian.com/static/connect/docs/latest/concepts/understanding-jwt.html http://stackoverflow.com/questions/20588467/how-to-do-stateless-session-less-cookie-less-authentication Talks http://www.slideshare.net/erickt86/secureapi http://www.slideshare.net/lcobucci/jwt-to-authentication-and-beyond Luís Otávio Cobucci Oblonczyk https://github.com/lcobucci/jwt https://github.com/Ocramius/PSR7Session

32. ????

33. OBRIGADO! Visite phpsp.org.br https://joind.in/talk/05eb0