Wednesday, June 3, 2015

PHP Authorization with JWT (JSON Web Tokens)

If you like computer security topics, you will know that one of the most discussed and controversial topics is user authentication. Within its context, you will find a broad range of study areas, from new mechanisms to usability. It thus surprises me that JSON Web Tokens are a topic not often talked about, and I think they deserve to be in the spotlight today. We will see how easy it is to integrate them into an API authentication mechanism.


Versus Sessions

There was a time when the only way to authenticate yourself to an application was by giving out credentials. Later came service APIs, and sending out credentials in plain text was unacceptable. The idea of API tokens came up, and nowadays they are common practice.

Some of the disadvantages of giving out credentials to an application and maintaining a user’s state in relation to the application with session cookies are:

  • Data is stored in plain text on the server
    • Even though the data is usually not stored in a public folder, anyone with access can read the contents of the session files.
  • Filesystem read/write requests
    • Every time a session starts or its data is modified, the server needs to update the session file. The same goes for every time the application sends a session cookie. You will end up with a slow server if you have a considerable number of users, unless you use alternative session stores.
  • Distributed/clustered applications
    • Since the session files are stored in the file system by default, it is hard to have a distributed or clustered infrastructure for high-availability applications that require load balancers, clustered servers, etc. Other storage media and special configurations are required.

When dealing with service APIs that have restricted service calls, you will need to add your key to every request made (either in the request header, such as Authorization, or in the URL query string). API keys commonly rely on a centralized mechanism to control them. So if you want to mark an API key as invalid, it has to be revoked on the application side.
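To show the stateless alternative the article is leading up to, here is an added example (my own code, not from the SitePoint article) of issuing and verifying an HS256 JWT in plain PHP (7.1+), with the token carried in the Authorization header as described above. The secret and the claim values are constructed placeholders.

```php
<?php
// Added example, not code from the original article. HS256 JWT issue/verify with no
// session file or per-request key lookup: the signature and "exp" claim are checked locally.

function base64url_encode(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function base64url_decode(string $data): string {
    $padded = $data . str_repeat('=', (4 - strlen($data) % 4) % 4);
    return base64_decode(strtr($padded, '-_', '+/'), true) ?: '';
}

// Issue a token: header.payload.signature, each part base64url, signed with HMAC-SHA256.
function jwt_issue(array $claims, string $secret): string {
    $header  = base64url_encode(json_encode(['typ' => 'JWT', 'alg' => 'HS256']));
    $payload = base64url_encode(json_encode($claims));
    $sig     = base64url_encode(hash_hmac('sha256', "$header.$payload", $secret, true));
    return "$header.$payload.$sig";
}

// Verify a token and return its claims, or null if it must be rejected.
function jwt_verify(string $token, string $secret): ?array {
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$header, $payload, $sig] = $parts;
    // Pin the algorithm server-side; the "alg" value inside the token is untrusted input.
    $hdr = json_decode(base64url_decode($header), true);
    if (!is_array($hdr) || ($hdr['alg'] ?? null) !== 'HS256') {
        return null;
    }
    $expected = hash_hmac('sha256', "$header.$payload", $secret, true);
    // Constant-time comparison so the check does not leak information via timing.
    if (!hash_equals($expected, base64url_decode($sig))) {
        return null;
    }
    $claims = json_decode(base64url_decode($payload), true);
    if (!is_array($claims) || !isset($claims['exp']) || $claims['exp'] < time()) {
        return null; // missing or past expiry
    }
    return $claims;
}

// Constructed usage: the client sends "Authorization: Bearer <token>" on every request.
// Because verification is stateless, revocation before "exp" needs a server-side denylist
// or a short lifetime; keep that in mind when choosing the expiry.
$secret = 'constructed-example-secret-replace-me';
$token  = jwt_issue(['sub' => 42, 'exp' => time() + 3600], $secret);
var_dump(jwt_verify($token, $secret));          // valid: the claims array
var_dump(jwt_verify($token . 'x', $secret));    // tampered signature: rejected
```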

Continue reading: PHP Authorization with JWT (JSON Web Tokens)


by Miguel Ibarra Romero via SitePoint
