token vs cookies (devoxxma 2015)

#DevoxxMA #JWT @madmas Token vs. Cookies JWT – the silver bullet for authen4ca4on in modern applica4on stacks? Markus Schlich4ng

Upload: markus-schlichting

Post on 15-Jan-2017

601 views

Category:

Technology

3 download

Report

Download

Embed Size (px):

TRANSCRIPT

Page 1: Token vs Cookies (DevoxxMA 2015)

#DevoxxMA #JWT @madmas

Token vs. Cookies JWT – the silver bullet for authen4ca4on

in modern applica4on stacks?

Markus Schlich4ng

Page 2: Token vs Cookies (DevoxxMA 2015)

#DevoxxMA #JWT @madmas

About

 Markus Schlichting   Senior So>ware Engineer   Basel, Switzerland   Hackergarten Basel

 [email protected]

  @madmas

Page 3: Token vs Cookies (DevoxxMA 2015)

Creden4als

#DevoxxMA #JWT @madmas

Cookies & Sessions

Valida4on, Create Session

Store in Session Cookie

Session informa4on

Check session, grant access

Send session inf. with every request

Session Store

hKps://app.yoursite.ma hKps://app.yoursite.ma

Page 4: Token vs Cookies (DevoxxMA 2015)

#DevoxxMA #JWT @madmas

Cookies & Sessions

• load balancing requires shared session pool

• separate services need to sync via session pool

• cross origin resource sharing (CORS )

• CSRF vulnerabili4es

• other clients than browsers?

Page 5: Token vs Cookies (DevoxxMA 2015)

#DevoxxMA #JWT @madmas

JSON Web Token

JSON Web Tokens are an open, industry standard (RFC 7519) method for represenCng claims securely between

two parCes. • relies on other JSON-‐based standards: • JWS (JSON Web Signature) • JWE (JSON Web Encryp4on)

• Libraries widely available ��

Page 6: Token vs Cookies (DevoxxMA 2015)

Creden4als

#DevoxxMA #JWT @madmas

JWT – How?

Valida4on, Create Token

Store Token

Token

Validate token, grant access

Send token with every request

hKps://www.yoursite.ma hKps://api.yoursite.ma

Page 7: Token vs Cookies (DevoxxMA 2015)

#DevoxxMA #JWT @madmas

JWT – What’s inside?

jwt.io

Page 8: Token vs Cookies (DevoxxMA 2015)

#DevoxxMA #JWT @madmas

JWT in ac@on

Demo 4me!

Page 9: Token vs Cookies (DevoxxMA 2015)

#DevoxxMA #JWT @madmas

JWT security aspects

• use on encrypted connec4on only (HTTPS!)

•  avoid URL tokens hKps://yoursite.ma/service/ac4on?token=jwt.goes.here

•  in securing Session Cookies a lot of effort has been made

•  HKpOnly, etc •  be aware of the implica4ons coming with tokens

Page 10: Token vs Cookies (DevoxxMA 2015)

#DevoxxMA #JWT @madmas

JWT summary

• embraces JSON, heavily adopted across many stacks • simple to use, simple to implement • more libs, fewer interoperability issues

• supports both symmetric and asymmetric crypto • majority of use cases solved

•  reduce the dependency between services to a minimum •  shared secret, public/private keys

• help to achieve one basic principle in REST based architecture: State transfer

Page 11: Token vs Cookies (DevoxxMA 2015)

#DevoxxMA #JWT @madmas

Conclusion

• Cookies are not completely overdue, but JWT provide a lot of benefits! • JWT for scalability and flexibility

• Very useful to provide a cross plaDorm API

• ServiceWorkers to ease up handling within the browser

Page 12: Token vs Cookies (DevoxxMA 2015)

#DevoxxMA #JWT @madmas

Thank you!

 Markus Schlichting   Senior So>ware Engineer   Basel, Switzerland   Hackergarten Basel

 [email protected]

  @madmas

Page 13: Token vs Cookies (DevoxxMA 2015)

#DevoxxMA #JWT @madmas

Resources

• RFC 7519 -‐ JSON Web Token (JWT) • Dwyl/learn-‐json-‐web-‐tokens • Auth0: 10 Things You Should Know about Tokens • Does JWT put you webapp at risk? • Make your REST services aKack proof – Alex Soto Bueno

Pete Freitag, Foundeo Inc. foundeo€¦ · Remember Me Cookies • Not recommended for high security apps • Don't base the token on the password • Charles Miller Approach •

ESMART Token metal eng electr - ISBC Token... · ESMART Token - hardware means for authentication, electronic signatures and data protection. ESMART Token is a trusted key carrier,

Cornmeal Cookies, Cranberry Cornmeal Cookies, Feast Day Cookies, Amish Cookies, Cape Cod

LAN ETHERNET(TRADITIONAL, FAST, GIGABIT, TOKEN BUS, TOKEN RING)

Building JavaScript and mobile/native Clients for Token ... · •Cookies are the typical approach for server-side applications –But not appropriate for modern JavaScript apps •Modern

DreamTeam Token Sale Token Sale Agreement · 2020-05-06 · DreamTeam Token Sale Token Sale Agreement Last Updated: April 12, 2018 This Token Sale Agreement of DreamTeam Token Sale

OIO OIDC profiles 0 · Server and a Refresh Token also used with the Token Server. • The App can subsequently exchange the Access Token for a Service Token with the Token Server–

Chocolate Chip Cookies. Do you know chocolate chip cookies?

Token User Guide - Questsupport-public.cfm.quest.com/43573_OneIdentity... · Renaming a token 10 Deleting a token 10 Viewing token details 11 Uninstalling Soft Token for Android 11

Token statt Cookies dank JWT - #ETKA16

PENGGUNAAN TOKEN REINFORCEMENT SYSTEM … · sistem token efektif dalam pengendalian perilaku. Meskipun terdapat token reinforcement system. token reinforcement system. adaptif anak

Cookies and Cups Whoopie Pie Cake - Cookies and Cups

@let@token Français 415 - @let@token 24 janvier 2020

Test Token

GitHub Pages · 2020. 7. 23. · +"3 %token LPAREN RPAREN SEMISEMI %token PLUS MULT LT %token IF THEN ELSE TRUE FALSE %token INTV %token ID %start toplevel

Token and Taboo_ Behavior Modification Token Economies and The

Visa Token Service - Cloud Token Framework Fact Sheet

Tokenization - MeaWallet · support card tokenization. Token 1 Token 2 Token 3 Token Token Introduction A significant benefit of tokenization is the fact that a token is only valid

Day Healthy by MWH: Oatmeal Cookies, BuckWheat Cookies, Brown Rice Cookies

· cookies 5 6 8 9 10 12 13 14 15 16 18 19 20 21 Brownie Roll-out Cookies Chocolate Chip Cheesecake Cookies Soft Chocolate Cookies Classic Sugar Cookies

Chocolate Chip Cookies. Chocolate chip cookies They are yummy!

Confronting IPv4 Address Exhaustion - What Content ... · ・ Cookies, including cross-domain cookies and third-party cookies

Cookies and Bars - preterhuman.netcdn.preterhuman.net/texts/recipes/Cookies And Bars.pdf · 2012. 10. 1. · Cookies and Bars Index Aggression Cookies Amandelkrullen Andy's Mom's

Sweeper Whitepaper V.1 · 2020. 11. 27. · SWEET Token SWEET Token Information Token Name SWEET Token Token Symbol SWT Token Symbol Mark Standard ERC-20 (PoS) Total Supply 1,000,000,000

Facts From FirstDec 17, 2015 · Cookies cookies cookies We need cookies for our Carols & Cocoa event on the greenway December 22. Could you bring 2 doz-en cookies? Sign up in the

Blockstack Token Sale Mechanics - CoinList Token Sale Mechanics By Blockstack Token LLC [email protected] DISCLAIMER: The following summary of terms and description of the sale

1 Cookies. 2 Contents Content ----------------------------------------------------2 Cookies ----------------------------------------------------3 Cookies

BGG WhitepaperBGG Whitepaper Official Site: bgogo.com v1.0 Contents Introduction of Bgogo Exchange BGG Token Plan What is BGG BGG Token Distribution Token Distribution Breakdown Token

Devops Recto-Verso @ DevoxxMA

Product catalogue - Hansepet · Cookies snack poultry 11-12 Other innovative products 13 Cookies seaside bone 14 Cookies nature dog chews 15 Cookies Dental-Bones 16 Cookies chewing

· 2018. 7. 8. · Fruit Bars (3) Chess Squares (3) Coffee Cake Chocolate Chip Cookies (3) Plain Sugar Cookies (3) Peanut Butter Cookies (3) Oatmeal Cookies (3) Molasses Cookies

Microservices enough with theory - let's code some! #DevoxxMA

Authentication Devices - hidglobal.com · ActivID OTP Token ActivID USB Token Pocket Token Desktop Token BlueTrust Token ActivKey SIM Product Description Small, durable token with

@let@token @let@token Mestrado em Segurança da …rcorreia/seginforg/11-processos_comunicacao.pdf@let@token @let@token Mestrado em Segurança da Informação e Direito no Ciberespaço