JSON Web Token Verification in Ktor using Kotlin and Java-JWT

20 November 2017 Kotlin

Ktor

In my previous article, we looked at how to get an access token and use it to access a protected resource, in Kotlin. Now we’re going to take a look at the other side of the story: how to validate an access token (in this case a structured JWT) before allowing access to the protected resource.

For token verification we’re going to:

  1. Get available public keys from a JWKS endpoint
  2. Parse the public key used to sign the receive JWT
  3. Verify the access token signature, issuer, and audience. This will also verify that the token hasn’t expired (the exp claim), that it was issued in the past (the iat claim), and that the token is allowed to be used (the nbf claim)

We’ll then use this logic to protect an API endpoint running on Ktor.

Read more

Experimenting with Kotlin and OAuth

15 November 2017 Kotlin

Kotlin

I’ve recently been picking up Kotlin and, since I work with authentication and authorization protocols on a daily basis, I used a basic OAuth scenario as my learning activity and thought I'd share my journey.

The scenario was to issue an OAuth request, parse the results, and then access a protected resource using the resulting token. This is not using any of the browser based grant types, instead just back end communication using the token endpoint and the client credentials grant type.

I’m not a Java developer, so this use of Kotlin has also been my first experience with that entire eco system. As a result...

Read more

Silent Refresh - Refreshing Access Tokens when using the Implicit Flow

01 November 2017 OpenID Connect

When using the implicit authentication flow refresh tokens cannot be requested or used, since the client application cannot be explicitly or securely authenticated and therefore cannot be trusted with such a sensitive token. This also applies to any flow on a public client incapable of keeping a secret or making secure back channel requests. If a refresh token intended for a such a client was stolen, the thief could use it to request access tokens for that user, without their knowledge or consent.

When using a client application running in the browser, which the OpenID Connect implicit flow was designed for, we expect the user to be present at the client application. They might be currently in a different tab or even on a different application than the browser, but the session is still active. This means that if their access token expires, they should still be around to authorize another to be issued. We’re not expecting the client application to be performing any sort of background tasks or long-running processing.

But what if, for instance, the user was filling out a form in the application and their access token expired?

Read more

Improving the ASP.NET Core Identity Password Hasher

30 October 2017 ASP.NET Identity

The default password hasher for ASP.NET Core Identity uses PBKDF2 for password hashing. Whilst this is a decent enough implementation, there are certainly more desirable password hashing algorithms out there. So that’s exactly what I’ve addressed, with three new password hasher implementations for ASP.NET Core Identity using bcrypt, scrypt, and Argon2.

Default (PBKDF2) Password Hasher

To be precise, the ASP.NET Core Identity uses PBKDF2 with HMAC-SHA256, a 128-bit salt, a 256-bit subkey, and (by default) 10,000 iterations. Luckily this iteration count is now configurable (unlike ASP.NET Identity 2), and realistically you’ll be looking at adding another zero to that iteration count. 10,000 iterations is so 2012.

PBKDF2 is generally considered “good-enough”, assuming...

Read more

Why the Resource Owner Password Credentials Grant Type is not Authentication nor Suitable for Modern Applications

29 August 2017 OAuth

OAuth 2.0

When you ask a consultant if you should use the Resource Owner Password Credentials (ROPC) grant type, the standard response is: “It depends”. Whilst this is true, I’m going to take a stand and say no. Unfortunately, a lot of people see the username & password fields and say “ah! That’s the one for me!”, and I spend way too much of my time trying to convince them it’s a bad idea after they’ve already spent a lot of time implementing it.

So, let’s take a look at the ROPC grant type, why it’s so tempting, and what we can do to convince other developers and stake holders that it is a bad idea.

Read more