Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Death To Cookies: Long Live JSON Web Tokens

Martin Gontovnikas
November 13, 2014
Technology
0
910

Death To Cookies: Long Live JSON Web Tokens

Cookies have been around for decades and have served us well. Nobody questions their usefulness. However, modern apps demand a better approach. This session is all about the natural successor to cookies: using a token-based design. Tokens help build apps that are assembled on multiple stacks, that use your own and 3rd party APIs, that run on-premises and the cloud. They help easily “flow” user identity across all layers and security contexts, regardless of how they authenticated. And they help you deal with CORS and XSRF. Join a code session in which we’ll implement a token-based app using AngularJs and an API.

Martin Gontovnikas

November 13, 2014
Tweet

More Decks by Martin Gontovnikas

See All by Martin Gontovnikas
Make your SPA a maximum security prison - ConFoo Version
mgonto
2
350
Intro to JWT
mgonto
1
1.3k
Make your SPA a maximum security prison
mgonto
2
3.2k
Models and Rest APIs on AngularJS with Restangular
mgonto
5
6.3k
Reactive Angular
mgonto
11
2.3k

Other Decks in Technology

See All in Technology
シン・Kafka / shin-kafka
oracle4engineer
PRO
6
2.7k
Next'24 事例セッションの紹介とクラウド資格を活用したキャリア形成について語りMuscle
yasumuusan
0
270
0→1開発における技術選定において一番大切なこと
bicstone
1
320
Tebiki株式会社 エンジニア採用資料
tebiki
0
4.1k
PHP"オレ"カンファレンスの告知
ysknsid25
0
320
入社後初めてのタスクでk8sアップグレードした話.pdf
kkato1
0
380
Amplify Gen2を 拡張してみよう JAWS-UG北陸新幹線 ( 福井開催 ) 2024-04-06/Let's extend Amplify Gen2
fossamagna
0
280
A (short) History of AI
harishpillay
0
110
検証を通して見えてきたTiDBの性能特性
lycorptech_jp
PRO
5
2.4k
DevOpsDays History and my DevOps story
kawaguti
PRO
7
1.4k
Databricksを活用してDELISH KITCHENのレシピレコメンドを開発した話
furu8
0
250
WebアプリケーションにおけるPDOの使い方入門 / phpcon odawara 2024
meihei3
2
420

Featured

See All Featured
10 Git Anti Patterns You Should be Aware of
lemiorhan
645
57k
Optimizing for Happiness
mojombo
369
69k
jQuery: Nuts, Bolts and Bling
dougneiner
59
7.1k
Designing on Purpose - Digital PM Summit 2013
jponch
110
6.4k
Unsuck your backbone
ammeep
662
57k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
15
1.4k
KATA
mclloyd
14
12k
StorybookのUI Testing Handbookを読んだ
zakiyama
10
4.6k
Embracing the Ebb and Flow
colly
78
4.1k
Product Roadmaps are Hard
iamctodd
43
9.7k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
18
1.7k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
320
20k

Transcript

  1. Death to Cookies Long Live JSON Web Tokens

  2. CTO & Founder Auth0 @woloski @mgonto Dev Advocate Auth0

  3. Identity made simple for developers

  4. The Following SESSION is Rated R for Live Coding on

    Stage it has been approved for ALL Developers

  5. Authentication for Modern Applications using Tokens angular-­‐storage
 angular-­‐jwt   jwt-­‐decode

  6. Browser Web Server auth C C Most of the web

  7. Browser Web Server (PHP) Realtime (Node) C M modern apps

  8. Browser Web Server (PHP) Realtime (Node) C M Cookies are

    coupled to the web framework modern apps

  9. Browser Web Server (PHP) Realtime (Node) C M API (Node)

    A Phones Tablets A modern apps

  10. Browser Web Server (PHP) Realtime (Node) C M API (Node)

    A APIs don’t use Cookies Phones Tablets A modern apps

  11. Browser Web Server (PHP) Realtime (Node) C M API (Ruby)

    API (Node) A A Phones Tablets A modern apps

  12. Browser Web Server (PHP) Realtime (Node) C M API (Ruby)

    API (Node) A A AWS S3 S Phones Tablets A modern apps

  13. Browser Web Server (Python) Realtime (Node) C M API (Ruby)

    API (Node) A A Cookies don’t “flow” AWS S3 S Phones Tablets A modern apps

  14. A better approach Token-based Authentication JSON Web Tokens https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-30

  15. auth0/angularjs-jwt-authentication-tutorial Demo time! auth0/spa-jwt-authentication-tutorial

  16. TouchID Ask User to Login with TouchID Is Private Key

    on KeyChain? Generate Key Pair and store in KeyChain Store Public Key on Server Generate JWT & Sign with Private Key Validate JWT with Public Key on Server Yes No

  17. auth0/TouchIDAuth pod “TouchIDAuth”

  18. Browser modern apps Web Server (Python) Realtime (Node) API (Ruby)

    API (Node) AWS S3 Phones Tablets

  19. Win a Drone with JWTs! auze.ro/win-drone

  20. T-shirts Bitcoins Stickers Drones Thanks!

  21. Appendix

  22. None
  23. None

  24. Token expires, deal with refresh

  25. Confidential info, encrypt it

  26. Social auth

  27. Tokens can get big Don’t over engineer Don’t do fine

    grained permissions Define scopes

  28. How to deal with protected images? https://github.com/hueniverse/hawk#single-uri-authorization Create signed requests

    (single URI authorization)