Close Encounters of
Modern Architecture #1
- CDN and JWT -
2016-10-07
eurie Inc. Takahiro Ikeuchi
© 2016 eurie Inc.
Agenda
SPA with Amazon CloudFront
REST API with Amazon CloudFront
JWT, trying to be more stateless
Author
Takahiro Ikeuchi @iktakahiro
Company / Community
eurie Inc. Founder & CEO
SQUEEZE Inc. Tech Adviser
PyData.Tokyo Organizer
Specialties (or just a dabbler :-D)
Go lang, Python, React.js, TypeScript
Cloud Infrastructure, UI Design etc...
Conclusion
I recommend that you adopt a CDN to deliver your Single Page Application.
Amazon CloudFront + S3 is a good solution.
You may deploy a CDN in front of your Server-Side Application to improve performance.
JWT is handy and secure. Use JWT and Local Storage instead of a Cookie (keep in mind that Local Storage is readable by any script running on the page, so XSS protection matters).
We Love:
RESTful API
Go lang (framework: echo)
Single Page Application
React.js + Typescript
Elasticsearch
AWS Aurora, Lambda, CloudFront, WAF...
Codeship.com
SPA with Amazon CloudFront
Focus: Applications
What is Amazon CloudFront
CDN = Content Delivery Network
Competitors: Akamai, Fastly, Google Cloud CDN
Edge locations around the world
Integration with Amazon S3
https://aws.amazon.com/cloudfront/
Why Amazon CloudFront ?
High Availability
Fast Network
HTTP/2
Free SSL certificate (SNI only)
Cache Control System
Fast Network
Amazon CloudFront edge locations are located around the world (US, Europe, Asia, South America).
https://aws.amazon.com/cloudfront/details/
HTTP/2
Amazon CloudFront supports HTTP/2.
REST API with Amazon CloudFront
Why deploy a CDN in front of our REST API?
Fast Network
Free SSL certificate (SNI only)
WAF = Web Application Firewall
A REST API also benefits from the technologies of Amazon CloudFront.
(Check that the CDN forwards the Authorization header to the origin and that per-user API responses are not cached and served to other users.)
Really Fast? See below:
Secured API Acceleration with Engineers from Amazon CloudFront and Slack
Putting CloudFront in front seems to make even uncached API calls faster - sonots:blog (Japanese)
http://www.slideshare.net/AmazonWebServices/secured-api-acceleration-with-engineers-from-amazon-cloudfront-and-slack
JWT, trying to be more stateless
What is JWT
JSON Web Token
The pronunciation of JWT is the same as "jot" (in Japanese, "じょっと").
RFC 7519 - JSON Web Token (JWT)
https://jwt.io/
JWT is a compact token format, commonly used for token-based authentication.
Probably a better approach than a Cookie.
JWT Structure
Structure
HEADER.CLAIMS.SIGNATURE
e.g.
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
JWT Header
Encoded Token
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
Decoded Token
{ "alg": "HS256", "typ": "JWT"}
JSON -> Base64 URL Encoding -> Token
JWT Claims (Payload)
Encoded Token
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9
Decoded Token
{ "sub": "1234567890", "name": "John Doe", "admin": true}
Signature
The JWT header and payload are just JSON, which means anyone can build (or modify) them.
Solution: a JWT carries a signature (JWS) over the header and payload.
RFC 7515 - JSON Web Signature (JWS)
(Most) JWT libraries detect token manipulation when they verify the signature.
How to use
Send the JWT in the HTTP Authorization header.
Authorization: Bearer {{ JWT }}
RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage
JWT Libraries
Python: jpadilla/pyjwt
Node.js: auth0/node-jsonwebtoken
Go lang: dgrijalva/jwt-go
Benefits of JWT and Bearer
Cookie-less
Unlike a Cookie, a value in Local (Session) Storage is not attached automatically to every HTTP request; the application sends it explicitly.
State-less
JWT contains all the required information about a user.
A Server-Side Application does not have to manage a session. (But if you have strict security requirements, such as revoking a token before it expires, you still need some server-side state.)
Secure
Protection against token manipulation: the signature is verified before the claims are trusted.
Signing algorithms: HMAC (HS256), RSA, ECDSA
Many libraries support JWT.
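The JWT mechanics from the slides above (HEADER.CLAIMS.SIGNATURE, the JWS signature check, the Bearer header, and the stateless expiry question), as an added example that is not part of the original deck and not the code of any of the libraries it lists. It uses only the Python standard library; the secret "secret", the example claims (the same ones as on the Claims slide) and the forged inputs are constructed for the demo. The verifier pins the algorithm it expects instead of trusting the "alg" in the token header, which is the check that turns a "most libraries can detect manipulation" into a guarantee.

```python
import base64
import hashlib
import hmac
import json
import time


class InvalidToken(Exception):
    """The token is malformed, tampered with, expired, or uses an unexpected algorithm."""


def b64url_encode(data):
    # Base64 URL-safe encoding with the "=" padding removed, as JWS requires (RFC 7515).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    # Restore the padding that b64url_encode stripped before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(claims, secret):
    """Build HEADER.CLAIMS.SIGNATURE, signing the first two segments with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_hs256(token, secret, now=None):
    """Return the claims only if the signature is valid and the token has not expired.

    The header is attacker-controlled until the signature is checked, so the verifier
    pins the algorithm it expects instead of trusting "alg" from the token: a header
    saying "none" (or anything other than HS256) is rejected before any MAC is computed.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected three dot-separated segments")
    h64, c64, s64 = parts
    try:
        header = json.loads(b64url_decode(h64))
        signature = b64url_decode(s64)
        signing_input = (h64 + "." + c64).encode("ascii")
    except ValueError:
        raise InvalidToken("header or signature is not valid base64url/JSON")
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("signature mismatch")
    try:
        claims = json.loads(b64url_decode(c64))
    except ValueError:
        raise InvalidToken("claims are not valid base64url/JSON")
    if not isinstance(claims, dict):
        raise InvalidToken("claims must be a JSON object")
    exp = claims.get("exp")  # registered claim, seconds since the epoch (RFC 7519, 4.1.4)
    if exp is not None:
        current = int(time.time()) if now is None else now
        if current >= exp:
            raise InvalidToken("token expired")
    return claims


def bearer_token(authorization_header):
    """Extract the credential from 'Authorization: Bearer <token>' (RFC 6750); None if absent."""
    if authorization_header is None:
        return None
    scheme, _, credentials = authorization_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not credentials.strip():
        return None
    return credentials.strip()


def rejection_reason(token, secret, now=None):
    """None if the token verifies, otherwise the reason it was rejected."""
    try:
        verify_hs256(token, secret, now)
    except InvalidToken as err:
        return str(err)
    return None


if __name__ == "__main__":
    secret = b"secret"  # constructed demo key; use a long random key in production
    claims = {"sub": "1234567890", "name": "John Doe", "admin": True}  # claims from the slide
    token = sign_hs256(claims, secret)
    print(token)
    print(verify_hs256(bearer_token("Bearer " + token), secret))
    # Forgery attempt: swap in a claims segment for another subject, keep the old signature.
    h64, c64, s64 = token.split(".")
    forged_c64 = b64url_encode(b'{"sub":"0000000000","name":"John Doe","admin":true}')
    print(rejection_reason(h64 + "." + forged_c64 + "." + s64, secret))
    # Downgrade attempt: header claims alg "none" and the signature segment is empty.
    print(rejection_reason(b64url_encode(b'{"alg":"none"}') + "." + c64 + ".", secret))
```

The two registered-claim helpers a stateless API still needs are visible here: `exp` bounds how long a stolen or stale token is accepted, and the pinned `alg` plus `hmac.compare_digest` are what make "the library detects manipulation" true for this verifier. Anything beyond that (revoking a specific token early) needs the server-side state the previous slide mentions.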
Conclusion
I recommend that you adopt a CDN to deliver your Single Page Application.
Amazon CloudFront + S3 is a good solution.
You may deploy a CDN in front of your Server-Side Application to improve performance.
JWT is handy and secure. Use JWT and Local Storage instead of a Cookie (keep in mind that Local Storage is readable by any script running on the page, so XSS protection matters).