Close Encounters of Modern Architecture 1 - CDN and JWT

Page 1

Close Encounters of

Modern Architecture #1

- CDN and JWT -

2016-10-07

eurie Inc. Takahiro Ikeuchi

© 2016 eurie Inc.

Page 2

Agenda

SPA with Amazon CloudFront

REST API with Amazon CloudFront

JWT, Try for more state less

Page 3

Author

Takahiro Ikeuchi @iktakahiro

Company / Community

eurie Inc. Founder & CEO

SQUEEZE Inc. Tech Adviser

PyData.Tokyo Organizer

Specialties (or just a dabbler :-D)

Go lang, Python, React.js, TypeScript

Cloud Infrastructure, UI Design etc...

Page 4

Conclusion

I recommend that you adopt a CDN to deliver your Single Page Application.

Amazon CloudFront + S3 is a good solution.

You may also deploy a CDN in front of your server-side application to improve performance.

JWT is handy and secure, provided the server verifies the signature. I recommend JWT in Local Storage instead of a cookie. Keep the trade-off in mind: Local Storage is readable by any script running on the page, so an XSS bug leaks the token, whereas an HttpOnly cookie is hidden from scripts but is sent automatically and therefore needs CSRF protection.

Page 5

We Love:

RESTful API

Go lang (framework: echo)

Single Page Application

React.js + Typescript

Elasticsearch

AWS Aurora, Lambda, CloudFront, WAF...

Codeship.com

Page 6

SPA with Amazon CloudFront

Page 7

Page 8

Focus: Applications

Page 9

What is Amazon CloudFront

CDN = Content Delivery Network

Competitors: Akamai, Fastly, Google Cloud CDN

Edge locations around the world

Integration with Amazon S3

https://aws.amazon.com/cloudfront/

Page 10

Why Amazon CloudFront?

High Availability

Fast Network

HTTP/2

Free SSL certificate (SNI only)

Cache Control System

Page 11

Fast Network

Amazon CloudFront edge locations are located around the world (US, Europe, Asia, South America).

https://aws.amazon.com/cloudfront/details/

Page 12

HTTP/2

Amazon CloudFront supports HTTP/2.

Page 13

REST API with Amazon CloudFront

Page 14

Page 15

Why deploy a CDN in front of our REST API?

Fast Network

Free SSL certificate (SNI only)

WAF = Web Application Firewall (AWS WAF attaches to a CloudFront distribution)

A REST API also benefits from the technologies of Amazon CloudFront.

Page 16

Really Fast?

See below:

Secured API Acceleration with Engineers from Amazon CloudFront and Slack

"CloudFrontをかますとキャッシュなしのAPIコールでも速くなるようだ" (Putting CloudFront in between seems to make even uncached API calls faster) - sonots:blog (Japanese)

Page 17

http://www.slideshare.net/AmazonWebServices/secured-api-acceleration-with-engineers-from-amazon-cloudfront-and-slack

Page 18

JWT, Try for more state less

Page 19

What is JWT

JSON Web Token

The pronunciation of JWT is the same as "jot". In Japanese, "じょっと".

RFC 7519 - JSON Web Token (JWT)

https://jwt.io/

JWT is a compact token format, used as the token in token-based authentication.

Probably a better approach than a cookie-based session.

Page 20

JWT Structure

Structure

HEADER.CLAIMS.SIGNATURE

e.g.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

Page 21

JWT Header

Encoded Token

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

Decoded Token

{"alg": "HS256", "typ": "JWT"}

JSON -> Base64url encoding (no "=" padding) -> Token

Page 22

JWT Claims (Payload)

Encoded Token

eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9

Decoded Token

{"sub": "1234567890", "name": "John Doe", "admin": true}

Page 23

Signature

The JWT header and payload are just JSON, only base64url-encoded, not encrypted. That is to say, anyone can read them and anyone can build them.

Solution: JWT carries a signature over the header and payload (JWS)

RFC 7515 - JSON Web Signature (JWS)

(Most) JWT libraries can detect token manipulation, as long as the verifier checks the signature with its own expected algorithm and key rather than trusting the "alg" value inside the token.

Page 24

How to use

Set the JWT in the HTTP Authorization header.

Authorization: Bearer {{ JWT }}

RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage
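
The structure, encoding and signature slides (pages 20 to 23) and the Bearer header slide above come together in the following added example. It is written for this page and is not code from the deck or from PyJWT, node-jsonwebtoken or jwt-go; it implements HS256 with the standard library only, pins the algorithm instead of trusting the token's "alg", and shows the three manipulations a verifier must catch (edited claims, alg "none", an expired token). Function names and the demo key are this example's own; the deck's sample token is the jwt.io demo token of that time, and the key "secret" is assumed to be what the demo used.

```python
"""HS256 JWT encode/verify with the standard library, plus RFC 6750 Bearer handling.

Added example for this page; not code from the deck or from PyJWT,
node-jsonwebtoken or jwt-go. Function names and the demo key are this
example's own choices.
"""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    # JWS uses base64url with the "=" padding removed (RFC 7515).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that b64url_encode stripped.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def jwt_encode(claims: dict, key: bytes) -> str:
    """Build HEADER.CLAIMS.SIGNATURE; the signature is HMAC-SHA256 over the first two segments."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(_compact_json(header)) + "." + b64url_encode(_compact_json(claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def jwt_decode_unverified(token: str) -> tuple:
    """Header and claims are encoded, not encrypted: anyone holding the token can read them."""
    h, c, _sig = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(c))


def jwt_verify(token: str, key: bytes, now: float = None) -> dict:
    """Return the claims if the token is authentic and unexpired; raise ValueError otherwise.

    The algorithm is pinned: the header's "alg" must equal HS256 and is never used
    to choose the verification routine, so alg "none" (or any other algorithm)
    is rejected before any signature work.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, c, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (h + "." + c).encode("ascii"), hashlib.sha256).digest()
    # compare_digest keeps the comparison time independent of where the bytes differ.
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c))
    current = time.time() if now is None else now
    if "exp" in claims and current >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def bearer_from_authorization(value: str) -> str:
    """Extract the token from "Authorization: Bearer <token>" (RFC 6750, section 2.1)."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise ValueError("not a Bearer Authorization header")
    return token.strip()


# The sample token from the deck (the jwt.io demo token of that time). The key
# "secret" is assumed here to be the one the demo used.
DECK_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9."
    "TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ"
)


def _rejected(token: str, key: bytes, now: float = None) -> bool:
    try:
        jwt_verify(token, key, now)
        return False
    except ValueError:
        return True


def demo() -> dict:
    """Run the client/server exchange on constructed data and collect the outcomes."""
    key = b"constructed-demo-key"   # constructed for this example
    now = 1_475_798_400             # 2016-10-07 00:00:00 UTC, the deck's date
    token = jwt_encode({"sub": "42", "admin": False, "exp": now + 300}, key)
    request_headers = {"Authorization": "Bearer " + token}   # what the SPA sends

    # Server side: pull the token out of the header and verify it.
    claims = jwt_verify(bearer_from_authorization(request_headers["Authorization"]), key, now)

    # Attacker without the key flips "admin" and reuses the old signature.
    h, c, s = token.split(".")
    forged_claims = json.loads(b64url_decode(c))
    forged_claims["admin"] = True
    forged = ".".join([h, b64url_encode(_compact_json(forged_claims)), s])

    # Attacker sets alg "none" and an empty signature.
    none_header = b64url_encode(_compact_json({"alg": "none", "typ": "JWT"}))
    alg_none = none_header + "." + b64url_encode(_compact_json(forged_claims)) + "."

    header, deck_claims = jwt_decode_unverified(DECK_TOKEN)
    return {
        "header": header,
        "deck_claims": deck_claims,
        "deck_verifies_with_secret": not _rejected(DECK_TOKEN, b"secret"),
        "valid_sub": claims["sub"],
        "forged_rejected": _rejected(forged, key, now),
        "alg_none_rejected": _rejected(alg_none, key, now),
        "expired_rejected": _rejected(token, key, now + 301),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "=", value)
```

Running the file prints the decoded deck header and claims (no key needed, which is the point of page 23), then the verification outcomes: the genuine token passes, and the edited-claims, alg "none" and expired tokens are all refused. A real deployment would swap the shared HMAC key for the RSA or ECDSA keys mentioned on page 27, but the pinned-algorithm check stays the same.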

Page 25

JWT Libraries

Python: jpadilla/pyjwt

Node.js: auth0/node-jsonwebtoken

Go lang: dgrijalva/jwt-go

Page 26

Benefits of JWT and Bearer

Cookie-less

Unlike a cookie, a token kept in Local (Session) Storage is not attached to every HTTP request automatically; the client adds it explicitly, which also means a cross-site request cannot carry it.

State-less

JWT contains all the required information about a user.

A server-side application does not have to manage a session. (But if you have a high-security requirement, such as revoking a token before it expires, consider keeping one.)

Page 27

Secure

Protection against token manipulation (given that the verifier checks the signature).

Signing algorithms: HMAC (HS256 as above), RSA, ECDSA

Many libraries support JWT.

Page 28

Conclusion

I recommend that you adopt a CDN to deliver your Single Page Application.

Amazon CloudFront + S3 is a good solution.

You may also deploy a CDN in front of your server-side application to improve performance.

JWT is handy and secure, provided the server verifies the signature. I recommend JWT in Local Storage instead of a cookie. Keep the trade-off in mind: Local Storage is readable by any script running on the page, so an XSS bug leaks the token, whereas an HttpOnly cookie is hidden from scripts but is sent automatically and therefore needs CSRF protection.