token vs cookies (devoxxma 2015)
TRANSCRIPT
#DevoxxMA #JWT @madmas
Token vs. Cookies: JWT, the silver bullet for authentication in modern application stacks?
Markus Schlichting
About
Markus Schlichting, Senior Software Engineer, Basel, Switzerland; Hackergarten Basel
@madmas
Cookies & Sessions
[Diagram: the browser at https://app.yoursite.ma sends its credentials; the server validates them, creates a session in the Session Store and stores the session ID in a session cookie; the browser sends the session information with every request; the server checks the session and grants access]
Cookies & Sessions
• load balancing requires a shared session pool
• separate services need to sync via the session pool
• cross-origin resource sharing (CORS)
• CSRF vulnerabilities
• other clients than browsers?
JSON Web Token
JSON Web Tokens are an open, industry-standard (RFC 7519) method for representing claims securely between two parties.
• relies on other JSON-based standards:
  • JWS (JSON Web Signature)
  • JWE (JSON Web Encryption)
• libraries widely available
JWT – How?
[Diagram: the browser at https://www.yoursite.ma sends its credentials; the server validates them and creates a token; the client stores the token and sends it with every request to https://api.yoursite.ma, which validates the token and grants access]
JWT – What’s inside?
jwt.io
JWT in action
Demo time!
JWT security aspects
• use on encrypted connections only (HTTPS!)
• avoid tokens in URLs, e.g. https://yoursite.ma/service/action?token=jwt.goes.here
• a lot of effort has gone into securing session cookies (HttpOnly, etc.)
• be aware of the implications that come with tokens instead
JWT summary
• embraces JSON, heavily adopted across many stacks
• simple to use, simple to implement
• more libraries, fewer interoperability issues
• supports both symmetric and asymmetric crypto
• the majority of use cases are solved
• reduces the dependency between services to a minimum
  • shared secret, or public/private keys
• helps achieve one basic principle of REST-based architecture: state transfer (the server keeps no session state)
Conclusion
• cookies are not completely obsolete, but JWTs provide a lot of benefits
• JWT for scalability and flexibility
• very useful for providing a cross-platform API
• Service Workers can ease token handling within the browser
Thank you!
Markus Schlichting, Senior Software Engineer, Basel, Switzerland; Hackergarten Basel
@madmas
Resources
• RFC 7519 - JSON Web Token (JWT)
• Dwyl/learn-json-web-tokens
• Auth0: 10 Things You Should Know about Tokens
• Does JWT put your webapp at risk?
• Make your REST services attack proof – Alex Soto Bueno