Death to Cookies, Long Live JSON Web Tokens

Transcript

1. Death to Cookies Long Live JSON Web Tokens

2. @woloski CTO & Founder Auth0

3. Identity made simple for developers

4. Authentication for Modern Applications using Tokens

5. Browser Web Server auth C C Most of the web

6. Browser Web Server (PHP) Realtime (Node) C M modern apps

7. Browser Web Server (PHP) Realtime (Node) C M Cookies are

   coupled to the web framework modern apps

8. Browser Web Server (PHP) Realtime (Node) C M API (Node)

   A Phones Tablets A modern apps

9. Browser Web Server (PHP) Realtime (Node) C M API (Node)

   A APIs don’t use Cookies Phones Tablets A modern apps

10. Browser Web Server (PHP) Realtime (Node) C M API (Ruby)

    API (Node) A A Phones Tablets A modern apps

11. Browser Web Server (PHP) Realtime (Node) C M API (Ruby)

    API (Node) A A AWS S3 S Phones Tablets A modern apps

12. Browser Web Server (Python) Realtime (Node) C M API (Ruby)

    API (Node) A A Cookies don’t “flow” AWS S3 S Phones Tablets A modern apps

13. A better approach Token-based Authentication JSON Web Tokens https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-30

14. auth0/deathcookies-talk Demo time!

15. TouchID Ask User to Login with TouchID Is Private Key

    on KeyChain? Generate Key Pair Store Public Key on Server Generate JWT & Sign with Private Key Validate JWT with Public Key on Server Yes No

16. Browser modern apps Web Server (Python) Realtime (Node) API (Ruby)

    API (Node) AWS S3 Phones Tablets

17. Thanks! @woloski @auth0 auth0.com/jobs

18. Appendix

19. None
20. None

21. Token expires, deal with refresh

22. Confidential info, encrypt it

23. Social auth

24. Tokens can get big Don’t over engineer Don’t do fine

    grained permissions Define scopes

25. How to deal with protected images? https://github.com/hueniverse/hawk#single-uri-authorization Create signed requests

    (single URI authorization)