Introducci贸n a OAuth 2.0 y OIDC
驴Qu茅 aprenderas en este curso?
驴Qu茅 es la autenticaci贸n?
驴Qu茅 es la autorizaci贸n?
驴Por qu茅 son importantes OAuth y OIDC?
Preview: protecci贸n de un endpoint
OAuth 2.0 y OIDC en acci贸n
JSON Web Tokens
驴Qu茅 es un JSON Web Token?
Sesiones vs. Tokens
Firmando un JSON Web Token
Verificando un JSON Web Token
Quiz: JSON Web Tokens
Open Authorization 2.0
驴Qu茅 es OAuth 2.0?
Flujos en OAuth 2.0
驴C贸mo elegir el flujo adecuado?
Spotify: Authorization Code Flow
Twitter: Authorization Code Flow with PKCE
Twitch: Implicit Grant Flow
Discord: Client Credentials Grant
Auth0: Resource Owner Password Flow
Quiz: Open Authorization 2.0
Open ID Connect
驴Qu茅 es OpenID Connect?
Auth0: Implicit Flow with Form Post
Curity: Hybrid Flow
Quiz: Open ID Connect
OAuth y OIDC en producci贸n
驴Cu谩ndo no son convenientes los JWT?
驴Qu茅 debo tener en cuenta al usar OAuth 2.0?
Autenticaci贸n en minutos con NextAuth
Toma el Curso Pr谩ctico de Auth0
You don't have access to this class
Keep learning! Join and start boosting your career
Signing a JSON Web Token (JWT) is an essential process to guarantee the authenticity and integrity of data transferred in web applications. Using the jsonwebtoken library, we can implement a signing system in three fundamental steps: define the payload, choose the appropriate algorithm and sign the token with a secret or private key. This implementation is crucial to protect your endpoints and ensure secure data communication.
sub, name and exp. Using the verified user information is vital for its correct creation.Before proceeding to signing, it is vital to structure the payload correctly. Here is an example of how this could be done:
const user = /* We assume the user is previously defined and verified */;const payload = { sub: user.id, // Subject is usually the user ID name: user.full_name, // We use the full name since we don't have a 'name' field exp: Math.floor(Date.now() / 1000) + (60 * 1) // Expiration in 1 minute};To sign the token, we first import the jsonwebtoken library and then use the sign method:
const jwt = require('jsonwebtoken');const secret = process.env.SECRET_KEY; // A good practice is to use environment variables
const token = jwt.sign(payload, secret);secretsecret is a long random string.secret and other sensitive data.secret or private key in the repository.To verify that the server and endpoints are working properly, first verify access to the public endpoint:
public to confirm that the server is running.token to obtain the signed JWT.A great exercise would be to perform this same implementation of signing a JWT in another programming language other than Node.js. This will not only help you broaden your skills, but also help you understand the differences between implementations in different environments.
Go ahead and put your knowledge into practice, explore new languages and keep improving your skills in web application programming and security!
Contributions 4
Questions 2
Adjunto los codigos que uso en python para la creaci贸n de los tokens en FastAPI.
# Esta funci贸n firma los tokens
def signJWT(email: str, perfil: int):
payload = {
"userID": email,
"perfilID": perfil,
"expiry": time.time() + 600
}
token = jwt.encode(payload, JWT_SECRET, algorithm=JWT_ALGORITHM)
return token_response(token)
//Using C# Net7
using Microsoft.IdentityModel.Tokens;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
namespace PlayOauth
{
public class JwtHandler
{
private readonly string secretKey;
public JwtHandler(string secretKey)
{
this.secretKey = secretKey;
}
public string GenerateToken(string username, int expirationMinutes = 60)
{
var key = Encoding.ASCII.GetBytes(secretKey);
var tokenHandler = new JwtSecurityTokenHandler();
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(new[]
{
new Claim(ClaimTypes.Name, username),
}),
Expires = DateTime.UtcNow.AddMinutes(expirationMinutes),
SigningCredentials = new SigningCredentials(new SymmetricSecurityKey(key), SecurityAlgorithms.HmacSha256Signature)
};
var token = tokenHandler.CreateToken(tokenDescriptor);
return tokenHandler.WriteToken(token);
}
}
}
private async Task<Tuple<string, string>> GenerateToken(IdentityUser user)
{
var jwtTokenHandler = new JwtSecurityTokenHandler();
var symmetricSecurityKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(_jwtSettings.Key));
var userClaims = await _userManager.GetClaimsAsync(user);
var roles = await _userManager.GetRolesAsync(user);
var roleClaims = new List<Claim>();
foreach (var item in roles)
{
roleClaims.Add(new Claim(ClaimTypes.Role, item));
}
var tokenDescriptor = new SecurityTokenDescriptor
{
Subject = new ClaimsIdentity(new[]
{
new Claim("Id",user.Id),
new Claim(JwtRegisteredClaimNames.Email,user.Email),
new Claim(JwtRegisteredClaimNames.Sub,user.UserName),
new Claim(JwtRegisteredClaimNames.Jti,Guid.NewGuid().ToString()),
}.Union(userClaims)
.Union(roleClaims)
),
Expires = DateTime.UtcNow.Add(_jwtSettings.ExpireTime),
SigningCredentials = new SigningCredentials(symmetricSecurityKey, SecurityAlgorithms.HmacSha256Signature)
};
var token = jwtTokenHandler.CreateToken(tokenDescriptor);
var jwtToken = jwtTokenHandler.WriteToken(token);
var refreshToken = new RefreshToken
{
JwtId = token.Id,
IsUsed = false,
IsRevoked = false,
UserId = user.Id,
CreatedDate = DateTime.UtcNow,
ExpireDate = DateTime.UtcNow.AddMonths(6),
Token = $"{GenerateRandomTokenCharacters(35)}{Guid.NewGuid()}"
};
await _cleanArchitectureIdentityDbContext.RefreshTokens!.AddAsync(refreshToken);
await _cleanArchitectureIdentityDbContext.SaveChangesAsync();
return new Tuple<string, string>(jwtToken, refreshToken.Token);
}
Want to see more contributions, questions and answers from the community?