Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Death to Cookies, Long Live JSON Web Tokens

Matias Woloski
March 19, 2015
Technology
2
260

Death to Cookies, Long Live JSON Web Tokens

Matias Woloski

March 19, 2015
Tweet

More Decks by Matias Woloski

See All by Matias Woloski
Death to Cookies Long Live Tokens - Gluecon 2014
woloski
0
160
jsconf.uy - Death to Cookies Long Live Tokens
woloski
0
39
Death to Cookies, Long Live Tokens
woloski
5
670

Other Decks in Technology

See All in Technology
株式会社ログラス − エンジニア向け会社説明資料 / Loglass Comapany Deck for Engineer
loglass2019
3
28k
인디 앱 개발자와 Flutter
tinyjin
0
150
今、始める、第一歩。 / Your first step
yahonda
2
720
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
3.8k
フルカイテン株式会社 採用資料
fullkaiten
0
40k
SREによる隣接領域への越境とその先の信頼性
shonansurvivors
1
440
メールサーバ管理者のみ知る話
hinono
1
110
福岡新卒エンジニアの会
teba_eleven
1
190
TypeScript、上達の瞬間
sadnessojisan
10
2.1k
Engineering at LY Corporation
lycorp_recruit_jp
0
480
Exadata Database Service on Dedicated Infrastructure(ExaDB-D) UI スクリーン・キャプチャ集
oracle4engineer
PRO
2
3.1k
誰も全体を知らない ~ ロールの垣根を超えて引き上げる開発生産性 / Boosting Development Productivity Across Roles
kakehashi
1
120

Featured

See All Featured
Designing the Hi-DPI Web
ddemaree
280
34k
Build The Right Thing And Hit Your Dates
maggiecrowley
33
2.4k
Mobile First: as difficult as doing things right
swwweet
222
8.9k
Statistics for Hackers
jakevdp
796
220k
Git: the NoSQL Database
bkeepers
PRO
427
64k
Become a Pro
speakerdeck
PRO
25
5k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
The Pragmatic Product Professional
lauravandoore
31
6.3k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
131
33k
How STYLIGHT went responsive
nonsquared
95
5.2k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
27
4.2k

Transcript

  1. Death to Cookies Long Live JSON Web Tokens

  2. @woloski CTO & Founder Auth0

  3. Identity made simple for developers

  4. Authentication for Modern Applications using Tokens

  5. Browser Web Server auth C C Most of the web

  6. Browser Web Server (PHP) Realtime (Node) C M modern apps

  7. Browser Web Server (PHP) Realtime (Node) C M Cookies are

    coupled to the web framework modern apps

  8. Browser Web Server (PHP) Realtime (Node) C M API (Node)

    A Phones Tablets A modern apps

  9. Browser Web Server (PHP) Realtime (Node) C M API (Node)

    A APIs don’t use Cookies Phones Tablets A modern apps

  10. Browser Web Server (PHP) Realtime (Node) C M API (Ruby)

    API (Node) A A Phones Tablets A modern apps

  11. Browser Web Server (PHP) Realtime (Node) C M API (Ruby)

    API (Node) A A AWS S3 S Phones Tablets A modern apps

  12. Browser Web Server (Python) Realtime (Node) C M API (Ruby)

    API (Node) A A Cookies don’t “flow” AWS S3 S Phones Tablets A modern apps

  13. A better approach Token-based Authentication JSON Web Tokens https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-30

  14. auth0/deathcookies-talk Demo time!

  15. TouchID Ask User to Login with TouchID Is Private Key

    on KeyChain? Generate Key Pair Store Public Key on Server Generate JWT & Sign with Private Key Validate JWT with Public Key on Server Yes No

  16. Browser modern apps Web Server (Python) Realtime (Node) API (Ruby)

    API (Node) AWS S3 Phones Tablets

  17. Thanks! @woloski @auth0 auth0.com/jobs

  18. Appendix

  19. None
  20. None

  21. Token expires, deal with refresh

  22. Confidential info, encrypt it

  23. Social auth

  24. Tokens can get big Don’t over engineer Don’t do fine

    grained permissions Define scopes

  25. How to deal with protected images? https://github.com/hueniverse/hawk#single-uri-authorization Create signed requests

    (single URI authorization)