Upgrade to Pro — share decks privately, control downloads, hide ads and more …

JWTs for CSRF & Microservices

Micah Silverman
September 30, 2017
Programming
0
380

JWTs for CSRF & Microservices

In this talk, I show how to use JWTs in two code examples. The first replaces the standard Spring Security CSRF (cross site request forgery) token mitigation with a JWT version. The second is a basic microservices example that demonstrates how to establish trust between two microservices using JWTs.

References for the source-code, this desk, and other resources can be found at: https://github.com/dogeared/JavaRoadStorm_CactusCon_2017

Micah Silverman

September 30, 2017
Tweet

More Decks by Micah Silverman

See All by Micah Silverman
Beautiful Java SDKs for APIs
dogeared
0
110
Okta + Kong API Gateway with OIDC
dogeared
0
1.2k

Other Decks in Programming

See All in Programming
はてなにおける CSS Modules、及び CSS Modules に足りないもの / CSS Modules in Hatena, and CSS Modules missing parts
mizdra
7
930
ADRを一年運用してみた/adr_after_a_year
hanhan1978
7
2.4k
二郎系ラーメンのコールで学ぶ AST 解析
memory1994
PRO
7
1.7k
CA.swift19 恋するAIアプリ開発の裏側
oskmr
0
360
Fragment Composition of GraphQL
quramy
7
970
Netty Chicago Java User Group 2024-04-17
sullis
0
170
検証も兼ねて個人開発でHonoとかと向き合った話
hanetsuki
1
910
TYPO3 v13 – The road to LTS: What's new and new APIs
luisasofie_xoxo
0
200
単体テストを書かない技術 #phpcon_odawara
o0h
PRO
27
8.3k
GitHub Copilotのススメ
marcy731
1
200
VS Code をプロダクトにどう取り込むか
onomax
1
360
Ruby Pattern Matching
bkuhlmann
0
930

Featured

See All Featured
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
9
8.3k
How to Ace a Technical Interview
jacobian
272
22k
The Cost Of JavaScript in 2023
addyosmani
16
3.9k
Building Effective Engineering Teams - LeadDev
addyosmani
28
1.8k
The Language of Interfaces
destraynor
151
23k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
659
120k
Imperfection Machines: The Place of Print at Facebook
scottboms
260
12k
Why You Should Never Use an ORM
jnunemaker
PRO
51
8.6k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
6
1.5k
Visualization
eitanlees
136
14k
Building Your Own Lightsaber
phodgson
99
5.7k
Scaling GitHub
holman
457
140k

Transcript

  1. None
  2. None

  3. Welcome! • Agenda • JWT with CSRF & Microservices (40

    mins) • Okta 101 (5 mins) • Q&A (5 mins)
  4. None

  5. encodeSecret = "4pE8z3PBoHjnV1AhvGk+e8h2p+ShZpOnpr8cwHmMh1w=" computeHMACSHA256( header + "." + payload, base64DecodeToByteArray(encodedSecret)

    ) Signature Computation Pseudo-code
  6. None

  7. .signWith( SignatureAlgorithm.HS256, "secret".getBytes("UTF-8") ) Short but not Sweet

  8. String b64EncodedSecret = "Yn2kjibddFAWtnPJ2AFlL8WXmohJMCvigQggaEypa5E="; .signWith( SignatureAlgorithm.HS256, b64EncodedSecret.getBytes("UTF-8") ) You’re Doing

    it Wrong

  9. String b64EncodedSecret = "Yn2kjibddFAWtnPJ2AFlL8WXmohJMCvigQggaEypa5E="; .signWith( SignatureAlgorithm.HS512, TextCodec.BASE64.decode(b64EncodedSecret) ) Supersize that

    Secret!

  10. "Microservices are awesome, but they're not free." - Les Hazlewood

  11. Monolithic SOA AuthenticationService AuthorizationService ApplicationService OrganizationService DirectoryService AccountService GroupService Database

    Infrastructure

  12. Microservices Database Infrastructure GroupService AccountService AuthenticationService AuthorizationService ApplicationService OrganizationService DirectoryService

  13. Okta Enables Companies to Do Both IT & API Identity

    & Mobility Service: Identity Management Mobility Management Strong Authentication developer.okta.com Identity API Products: Identity API for Any App Developer Tools and Community Employees, Contractors Partners, Customers

  14. Resources • Repos used in today’s preso: ◦ github.com/jwtk/jjwt ◦

    github.com/dogeared/JavaRoadStorm2016 • https://afitnerd.com/JavaRoadStorm2016/ • JJWT Guest Post on Baeldung - bit.ly/29ZPZAd • OIDC Playground - https://okta-oidc-fun.herokuapp.com • Stormpath Microservices Screencast - bit.ly/29Wi6iw • JWT Inspector - jwtinspector.io • HTTPie - github.com/jkbrzt/httpie • What are Microservices? ◦ martinfowler.com/articles/microservices.html • @afitnerd @OktaDev
  15. None