Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Death To Cookies: Long Live JSON Web Tokens

Martin Gontovnikas
November 13, 2014
Technology
0
960

Death To Cookies: Long Live JSON Web Tokens

Cookies have been around for decades and have served us well. Nobody questions their usefulness. However, modern apps demand a better approach. This session is all about the natural successor to cookies: using a token-based design. Tokens help build apps that are assembled on multiple stacks, that use your own and 3rd party APIs, that run on-premises and the cloud. They help easily “flow” user identity across all layers and security contexts, regardless of how they authenticated. And they help you deal with CORS and XSRF. Join a code session in which we’ll implement a token-based app using AngularJs and an API.

Martin Gontovnikas

November 13, 2014
Tweet

More Decks by Martin Gontovnikas

See All by Martin Gontovnikas
Make your SPA a maximum security prison - ConFoo Version
mgonto
2
350
Intro to JWT
mgonto
1
1.3k
Make your SPA a maximum security prison
mgonto
2
3.2k
Models and Rest APIs on AngularJS with Restangular
mgonto
5
6.3k
Reactive Angular
mgonto
11
2.4k

Other Decks in Technology

See All in Technology
データ活用促進のためのデータ分析基盤の進化
takumakouno
2
870
いざ、BSC討伐の旅
nikinusu
2
750
Amplify Gen2 Deep Dive / バックエンドの型をいかにしてフロントエンドへ伝えるか #TSKaigi #TSKaigiKansai #AWSAmplifyJP
tacck
PRO
0
320
マルチモーダル / AI Agent / LLMOps 3つの技術トレンドで理解するLLMの今後の展望
hirosatogamo
31
8.9k
私はこうやってマインドマップでテストすることを出す!
mineo_matsuya
0
340
Terraform未経験の御様に対してどの ように導⼊を進めていったか
tkikuchi
2
390
Can We Measure Developer Productivity?
ewolff
1
120
[CV勉強会@関東 ECCV2024 読み会] オンラインマッピング x トラッキング MapTracker: Tracking with Strided Memory Fusion for Consistent Vector HD Mapping (Chen+, ECCV24)
abemii
0
190
Terraform CI/CD パイプラインにおける AWS CodeCommit の代替手段
hiyanger
1
200
ハイパーパラメータチューニングって何をしているの
toridori_dev
0
110
フルカイテン株式会社 採用資料
fullkaiten
0
40k
BLADE: An Attempt to Automate Penetration Testing Using Autonomous AI Agents
bbrbbq
0
210

Featured

See All Featured
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
27
4.2k
4 Signs Your Business is Dying
shpigford
180
21k
A designer walks into a library…
pauljervisheath
202
24k
The World Runs on Bad Software
bkeepers
PRO
65
11k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
How to Ace a Technical Interview
jacobian
276
23k
Fireside Chat
paigeccino
33
3k
Navigating Team Friction
lara
183
14k
How GitHub (no longer) Works
holman
310
140k
The Cost Of JavaScript in 2023
addyosmani
45
6.7k
GitHub's CSS Performance
jonrohan
1030
460k
It's Worth the Effort
3n
183
27k

Transcript

  1. Death to Cookies Long Live JSON Web Tokens

  2. CTO & Founder Auth0 @woloski @mgonto Dev Advocate Auth0

  3. Identity made simple for developers

  4. The Following SESSION is Rated R for Live Coding on

    Stage it has been approved for ALL Developers

  5. Authentication for Modern Applications using Tokens angular-­‐storage
 angular-­‐jwt   jwt-­‐decode

  6. Browser Web Server auth C C Most of the web

  7. Browser Web Server (PHP) Realtime (Node) C M modern apps

  8. Browser Web Server (PHP) Realtime (Node) C M Cookies are

    coupled to the web framework modern apps

  9. Browser Web Server (PHP) Realtime (Node) C M API (Node)

    A Phones Tablets A modern apps

  10. Browser Web Server (PHP) Realtime (Node) C M API (Node)

    A APIs don’t use Cookies Phones Tablets A modern apps

  11. Browser Web Server (PHP) Realtime (Node) C M API (Ruby)

    API (Node) A A Phones Tablets A modern apps

  12. Browser Web Server (PHP) Realtime (Node) C M API (Ruby)

    API (Node) A A AWS S3 S Phones Tablets A modern apps

  13. Browser Web Server (Python) Realtime (Node) C M API (Ruby)

    API (Node) A A Cookies don’t “flow” AWS S3 S Phones Tablets A modern apps

  14. A better approach Token-based Authentication JSON Web Tokens https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-30

  15. auth0/angularjs-jwt-authentication-tutorial Demo time! auth0/spa-jwt-authentication-tutorial

  16. TouchID Ask User to Login with TouchID Is Private Key

    on KeyChain? Generate Key Pair and store in KeyChain Store Public Key on Server Generate JWT & Sign with Private Key Validate JWT with Public Key on Server Yes No

  17. auth0/TouchIDAuth pod “TouchIDAuth”

  18. Browser modern apps Web Server (Python) Realtime (Node) API (Ruby)

    API (Node) AWS S3 Phones Tablets

  19. Win a Drone with JWTs! auze.ro/win-drone

  20. T-shirts Bitcoins Stickers Drones Thanks!

  21. Appendix

  22. None
  23. None

  24. Token expires, deal with refresh

  25. Confidential info, encrypt it

  26. Social auth

  27. Tokens can get big Don’t over engineer Don’t do fine

    grained permissions Define scopes

  28. How to deal with protected images? https://github.com/hueniverse/hawk#single-uri-authorization Create signed requests

    (single URI authorization)