Upgrade to Pro — share decks privately, control downloads, hide ads and more …

JWTs for CSRF and Microservices

Stormpath
August 26, 2016
Programming
0
140

JWTs for CSRF and Microservices

Stormpath Java Developer Evangelist, Micah Silverman, takes a deep dive into using JWTs to protect microservices from CSRF and more. Micah will explain how JWTs can be used to secure web applications built with Java, OAuth2 and JWTs, and 'unsafe' clients, while supporting security best practices and even improving application performance and scale.

Sign up for Stormpath: https://api.stormpath.com/register
More from Stormpath: https://stormpath.com/blog

Stormpath

August 26, 2016
Tweet

More Decks by Stormpath

See All by Stormpath
RESTful API Development for ASP.NET Core
stormpath
0
220
Build a REST API for your Mobile Apps in Node
stormpath
0
56
Secure Your REST API
stormpath
0
190
How to Use Stormpath in Angular.js
stormpath
0
150
Beautiful REST+JSON APIs with Ion
stormpath
0
160
Storing User Files with Express, Stormpath, and Amazon S3
stormpath
0
31
Instant Security & Scalable User Management with Spring Boot
stormpath
0
190
Custom Data Search with Stormpath
stormpath
0
41
Browser Security 101
stormpath
0
47

Other Decks in Programming

See All in Programming
A Journey of Contribution and Collaboration in Open Source
ivargrimstad
0
930
C++でシェーダを書く
fadis
6
4.1k
2024/11/8 関西Kaggler会 2024 #3 / Kaggle Kernel で Gemma 2 × vLLM を動かす。
kohecchi
5
920
Laravel や Symfony で手っ取り早く
OpenAPI のドキュメントを作成する
azuki
2
120
AI時代におけるSRE、
あるいはエンジニアの生存戦略
pyama86
6
1.1k
CSC509 Lecture 12
javiergs
PRO
0
160
카카오페이는 어떻게 수천만 결제를 처리할까? 우아한 결제 분산락 노하우
kakao
PRO
0
110
Jakarta EE meets AI
ivargrimstad
0
560
Figma Dev Modeで変わる!Flutterの開発体験
watanave
0
110
Streams APIとTCPフロー制御 / Web Streams API and TCP flow control
tasshi
2
350
Less waste, more joy, and a lot more green: How Quarkus makes Java better
hollycummins
0
100
LLM生成文章の精度評価自動化とプロンプトチューニングの効率化について
layerx
PRO
2
190

Featured

See All Featured
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5k
The Web Performance Landscape in 2024 [PerfNow 2024]
tammyeverts
0
93
Building a Scalable Design System with Sketch
lauravandoore
459
33k
Large-scale JavaScript Application Architecture
addyosmani
510
110k
A better future with KSS
kneath
238
17k
Art, The Web, and Tiny UX
lynnandtonic
297
20k
How to Think Like a Performance Engineer
csswizardry
20
1.1k
Faster Mobile Websites
deanohume
305
30k
Producing Creativity
orderedlist
PRO
341
39k
Git: the NoSQL Database
bkeepers
PRO
427
64k
Reflections from 52 weeks, 52 projects
jeffersonlam
346
20k
Building an army of robots
kneath
302
43k

Transcript

  1. JWTs for CSRF and Microservices

  2. Welcome! • Agenda • Stormpath 101 (5 mins) • JWT

    with CSRF & Microservices (40 mins) • Q&A (15 mins) • Claire Hunsaker VP of Marketing • Micah Silverman Java Developer Evangelist

  3. Speed to Market & Cost Reduction • Complete Identity solution

    out-of-the-box • Security best practices and updates by default • Clean & elegant API/SDKs • Little to code, no maintenance

  4. Stormpath User Management User Data User Workflows Google ID Your

    Applications Application SDK Application SDK Application SDK ID Integrations Facebook Active Directory SAML

  5. Let’s talk about CSRF!

  6. encodeSecret = "4pE8z3PBoHjnV1AhvGk+e8h2p+ShZpOnpr8cwHmMh1w=" computeHMACSHA256( header + "." + payload, base64DecodeToByteArray(encodedSecret)

    ) Signature Computation Pseudo-code

  7. JWT Secret Anti-Patterns

  8. .signWith( SignatureAlgorithm.HS256, "secret".getBytes("UTF-8") ) Short but not Sweet

  9. String b64EncodedSecret = "Yn2kjibddFAWtnPJ2AFlL8WXmohJMCvigQggaEypa5E="; .signWith( SignatureAlgorithm.HS256, b64EncodedSecret.getBytes("UTF-8") ) You’re Doing

    it Wrong

  10. String b64EncodedSecret = "Yn2kjibddFAWtnPJ2AFlL8WXmohJMCvigQggaEypa5E="; .signWith( SignatureAlgorithm.HS512, TextCodec.BASE64.decode(b64EncodedSecret) ) Supersize that

    Secret!

  11. "Microservices are awesome, but they're not free." - Les Hazlewood,

    Stormpath CTO

  12. Monolithic SOA AuthenticationService AuthorizationService ApplicationService OrganizationService DirectoryService AccountService GroupService Database

    Infrastructure

  13. Microservices Database Infrastructure GroupService AccountService AuthenticationService AuthorizationService ApplicationService OrganizationService DirectoryService

  14. Resources • Repos used in today’s preso: ◦ github.com/jwtk/jjwt ◦

    github.com/stormpath/roadstorm-jwt-csrf-tutorial ◦ github.com/stormpath/roadstorm-jwt-microservices-tutorial • JJWT Guest Post on Baeldung - bit.ly/29ZPZAd • Stormpath Microservices Screencast - bit.ly/29Wi6iw • JWT Inspector - jwtinspector.io • HTTPie - github.com/jkbrzt/httpie • What are Microservices? ◦ martinfowler.com/articles/microservices.html • @afitnerd @goStormpath [email protected]