Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Death to Cookies, Long Live JSON Web Tokens
Search
Matias Woloski
March 19, 2015
Technology
2
270
Death to Cookies, Long Live JSON Web Tokens
Matias Woloski
March 19, 2015
Tweet
Share
More Decks by Matias Woloski
See All by Matias Woloski
Death to Cookies Long Live Tokens - Gluecon 2014
woloski
0
170
jsconf.uy - Death to Cookies Long Live Tokens
woloski
0
41
Death to Cookies, Long Live Tokens
woloski
5
680
Other Decks in Technology
See All in Technology
Amazon Bedrock AgentCore でプロモーション用動画生成エージェントを開発する
nasuvitz
6
370
生成AIによるデータサイエンスの変革
taka_aki
0
3.1k
20250818_KGX・One Hokkaidoコラボイベント
tohgeyukihiro
0
130
OpenAPIから画面生成に挑戦した話
koinunopochi
0
130
ECS モニタリング手法大整理
yendoooo
1
110
信頼できる開発プラットフォームをどう作るか?-Governance as Codeと継続的監視/フィードバックが導くPlatform Engineeringの進め方
yuriemori
1
390
自治体職員がガバクラの AWS 閉域ネットワークを理解するのにやって良かった個人検証環境
takeda_h
2
370
はじめての転職講座/The Guide of First Career Change
kwappa
5
4.5k
プロジェクトマネジメントは不確実性との対話だ
hisashiwatanabe
0
190
2025新卒研修・Webアプリケーションセキュリティ #弁護士ドットコム
bengo4com
3
10k
Infrastructure as Prompt実装記 〜Bedrock AgentCoreで作る自然言語インフラエージェント〜
yusukeshimizu
2
180
Engineering Failure-Resilient Systems
infraplumber0
0
130
Featured
See All Featured
Being A Developer After 40
akosma
90
590k
Java REST API Framework Comparison - PWX 2021
mraible
33
8.8k
Fashionably flexible responsive web design (full day workshop)
malarkey
407
66k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
GitHub's CSS Performance
jonrohan
1031
460k
Navigating Team Friction
lara
188
15k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
29
1.8k
Build your cross-platform service in a week with App Engine
jlugia
231
18k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
234
17k
Why Our Code Smells
bkeepers
PRO
338
57k
Facilitating Awesome Meetings
lara
55
6.5k
Music & Morning Musume
bryan
46
6.7k
Transcript
Death to Cookies Long Live JSON Web Tokens
@woloski CTO & Founder Auth0
Identity made simple for developers
Authentication for Modern Applications using Tokens
Browser Web Server auth C C Most of the web
Browser Web Server (PHP) Realtime (Node) C M modern apps
Browser Web Server (PHP) Realtime (Node) C M Cookies are
coupled to the web framework modern apps
Browser Web Server (PHP) Realtime (Node) C M API (Node)
A Phones Tablets A modern apps
Browser Web Server (PHP) Realtime (Node) C M API (Node)
A APIs don’t use Cookies Phones Tablets A modern apps
Browser Web Server (PHP) Realtime (Node) C M API (Ruby)
API (Node) A A Phones Tablets A modern apps
Browser Web Server (PHP) Realtime (Node) C M API (Ruby)
API (Node) A A AWS S3 S Phones Tablets A modern apps
Browser Web Server (Python) Realtime (Node) C M API (Ruby)
API (Node) A A Cookies don’t “flow” AWS S3 S Phones Tablets A modern apps
A better approach Token-based Authentication JSON Web Tokens https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-30
auth0/deathcookies-talk Demo time!
TouchID Ask User to Login with TouchID Is Private Key
on KeyChain? Generate Key Pair Store Public Key on Server Generate JWT & Sign with Private Key Validate JWT with Public Key on Server Yes No
Browser modern apps Web Server (Python) Realtime (Node) API (Ruby)
API (Node) AWS S3 Phones Tablets
Thanks! @woloski @auth0 auth0.com/jobs
Appendix
None
None
Token expires, deal with refresh
Confidential info, encrypt it
Social auth
Tokens can get big Don’t over engineer Don’t do fine
grained permissions Define scopes
How to deal with protected images? https://github.com/hueniverse/hawk#single-uri-authorization Create signed requests
(single URI authorization)