Token vs Cookies (DevoxxMA 2015)
TRANSCRIPT
Slide 1
#DevoxxMA #JWT @madmas
Token vs. Cookies
JWT – the silver bullet for authentication in modern application stacks?
Markus Schlichting
Slide 2
About
Markus Schlichting, Senior Software Engineer, Basel, Switzerland, Hackergarten Basel
@madmas
Slide 3
Cookies & Sessions
Diagram (browser at https://app.yoursite.ma, server at https://app.yoursite.ma, with a Session Store behind the server):
1. Credentials
2. Validation, create session (kept in the Session Store)
3. Session information
4. Store in session cookie
5. Send session information with every request
6. Check session, grant access
Slide 4
Cookies & Sessions
• load balancing requires a shared session pool
• separate services need to sync via the session pool
• cross-origin resource sharing (CORS)
• CSRF vulnerabilities
• other clients than browsers?
Slide 5
JSON Web Token
JSON Web Tokens are an open, industry standard (RFC 7519) method for representing claims securely between two parties.
• relies on other JSON-based standards:
  • JWS (JSON Web Signature)
  • JWE (JSON Web Encryption)
• Libraries widely available
Slide 6
JWT – How?
Diagram (browser at https://www.yoursite.ma, API at https://api.yoursite.ma, no shared session store):
1. Credentials
2. Validation, create token
3. Token
4. Store token
5. Send token with every request
6. Validate token, grant access
Slide 7
JWT – What’s inside?
jwt.io
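The three dot-separated parts that jwt.io decodes (base64url header, base64url payload, signature over the first two), as an added Go example that is not code from the talk: it mints an HS256 token and verifies it the way the API side should, with the algorithm pinned by the verifier rather than read from the token, a constant-time signature compare, and an exp check before any claim is trusted. The secret, issuer and claim values are constructed for the demo.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// JWS uses base64url without padding for all three parts.
var b64 = base64.RawURLEncoding

// Claims is the subset of RFC 7519 registered claims used here.
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"` // seconds since the Unix epoch
}

// MintHS256 produces header.payload.signature, signed with HMAC-SHA256 over
// the first two parts exactly as they appear in the token.
func MintHS256(secret []byte, c Claims) (string, error) {
	header, err := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	if err != nil {
		return "", err
	}
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// VerifyHS256 is what the API runs on every request: structure, pinned
// algorithm, constant-time signature check, then expiry. Claims are only
// returned once all of that has passed.
func VerifyHS256(secret []byte, token string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("token must have exactly three parts")
	}
	rawHeader, err := b64.DecodeString(parts[0])
	if err != nil {
		return c, fmt.Errorf("header: %w", err)
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	// The verifier decides which algorithm is acceptable; the header merely has to match it.
	if err := json.Unmarshal(rawHeader, &hdr); err != nil || hdr.Alg != "HS256" {
		return c, errors.New("unexpected or missing alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return c, fmt.Errorf("signature: %w", err)
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return c, errors.New("signature does not verify")
	}
	rawPayload, err := b64.DecodeString(parts[1])
	if err != nil {
		return c, fmt.Errorf("payload: %w", err)
	}
	if err := json.Unmarshal(rawPayload, &c); err != nil {
		return Claims{}, fmt.Errorf("claims: %w", err)
	}
	// RFC 7519: the current time must be before exp.
	if !now.Before(time.Unix(c.Exp, 0)) {
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

func main() {
	// Constructed demo secret and claims; a real secret is random and kept out of source.
	secret := []byte("constructed-demo-secret")
	tok, _ := MintHS256(secret, Claims{Iss: "https://www.yoursite.ma", Sub: "alice", Exp: time.Now().Add(time.Hour).Unix()})
	fmt.Println(tok) // paste into jwt.io to see the decoded header and payload
	c, err := VerifyHS256(secret, tok, time.Now())
	fmt.Println(c, err)
}
```

The signature covers the encoded header and payload exactly as transmitted, which is why VerifyHS256 re-hashes `parts[0] + "." + parts[1]` rather than re-serialising the claims: any re-encoding difference would break verification.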
Slide 8
JWT in action
Demo time!
Slide 9
JWT security aspects
• use on encrypted connections only (HTTPS!)
• avoid URL tokens: https://yoursite.ma/service/action?token=jwt.goes.here
• a lot of effort has gone into securing session cookies
  • HttpOnly, etc.
• be aware of the implications coming with tokens
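The two transport points above (no tokens in URLs, and the cookie hardening that sessions already have) as an added Go example built on net/http, not code from the talk: the API reads the token only from the Authorization header and answers 400 to a ?token= query parameter, and a session cookie is issued with HttpOnly, Secure and SameSite set. The api.yoursite.ma host comes from the slides; the verify callback, the handler and the "a.b.c" stand-in token are constructed assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ErrTokenInURL: a token that arrives as a query parameter is refused outright.
// URLs end up in browser history, Referer headers and proxy/server logs, which
// is why the slide says to avoid ?token=... style requests.
var ErrTokenInURL = errors.New("token must be sent in the Authorization header, not in the URL")

// BearerToken reads the token from "Authorization: Bearer <jwt>" and from nowhere else.
func BearerToken(r *http.Request) (string, error) {
	if _, present := r.URL.Query()["token"]; present {
		return "", ErrTokenInURL
	}
	auth := r.Header.Get("Authorization")
	const scheme = "Bearer "
	if len(auth) <= len(scheme) || !strings.EqualFold(auth[:len(scheme)], scheme) {
		return "", errors.New("missing bearer token")
	}
	tok := strings.TrimSpace(auth[len(scheme):])
	if strings.Count(tok, ".") != 2 {
		return "", errors.New("malformed token")
	}
	return tok, nil
}

// Protected wraps an API handler. The supplied verify function does the real
// JWT checks (signature, expiry, issuer); a token in the URL is answered with
// 400 rather than 401 so a misconfigured client is told why instead of retrying.
func Protected(verify func(token string) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok, err := BearerToken(r)
		switch {
		case errors.Is(err, ErrTokenInURL):
			http.Error(w, err.Error(), http.StatusBadRequest)
		case err != nil || !verify(tok):
			w.Header().Set("WWW-Authenticate", `Bearer realm="api"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
		default:
			next.ServeHTTP(w, r)
		}
	})
}

// SessionCookie shows the flags the slide alludes to with "HttpOnly, etc.":
// not readable by script, sent over HTTPS only, not attached to cross-site requests.
func SessionCookie(value string) *http.Cookie {
	return &http.Cookie{
		Name: "session", Value: value, Path: "/",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteStrictMode,
	}
}

// StatusFor runs a handler against a request in memory and reports the status code.
func StatusFor(h http.Handler, r *http.Request) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, r)
	return rec.Code
}

func main() {
	// Constructed stand-in for real JWT verification: only the literal "a.b.c" is accepted.
	verify := func(tok string) bool { return tok == "a.b.c" }
	api := Protected(verify, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("hello")) }))
	ok, _ := http.NewRequest("GET", "https://api.yoursite.ma/service/action", nil)
	ok.Header.Set("Authorization", "Bearer a.b.c")
	fmt.Println(StatusFor(api, ok)) // 200
	inURL, _ := http.NewRequest("GET", "https://api.yoursite.ma/service/action?token=a.b.c", nil)
	fmt.Println(StatusFor(api, inURL)) // 400
	fmt.Println(SessionCookie("constructed-session-id").String())
}
```

Refusing the query-string form (rather than silently ignoring it) also makes such requests visible in the API's 4xx metrics, which is the easiest place to catch a client that has started leaking tokens into URLs.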
Slide 10
JWT summary
• embraces JSON, heavily adopted across many stacks
• simple to use, simple to implement
• more libs, fewer interoperability issues
• supports both symmetric and asymmetric crypto
  • shared secret, public/private keys
• majority of use cases solved
• reduces the dependency between services to a minimum
• helps to achieve one basic principle of REST-based architecture: state transfer
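The symmetric/asymmetric point and the "minimal dependency between services" point together, as an added Go example that is not from the talk: with ES256 (ECDSA over P-256) the issuing service holds the private key and each API service receives only the public key, so verifying services share no secret with each other or with the issuer. Service names, claim values and key generation at startup are constructed assumptions; expiry and issuer checks are left out to keep the focus on key separation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

var b64url = base64.RawURLEncoding

// AuthService owns the private key: it is the only party able to mint tokens.
type AuthService struct{ key *ecdsa.PrivateKey }

// APIService holds just the public key: it can verify but never forge.
type APIService struct{ pub *ecdsa.PublicKey }

func NewAuthService() (*AuthService, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &AuthService{key: k}, nil
}

// PublicKey is the only thing that needs to reach the API services.
func (a *AuthService) PublicKey() *ecdsa.PublicKey { return &a.key.PublicKey }

// Mint produces an ES256 token; the JWS signature is R||S, 32 bytes each (RFC 7518 section 3.4).
func (a *AuthService) Mint(claims map[string]interface{}) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	pl, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64url.EncodeToString(hdr) + "." + b64url.EncodeToString(pl)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, a.key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64url.EncodeToString(sig), nil
}

// Verify pins the algorithm, rebuilds R and S and checks the signature with the public key only.
func (api *APIService) Verify(token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrBytes, err := b64url.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if json.Unmarshal(hdrBytes, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("unexpected alg")
	}
	sig, err := b64url.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, errors.New("bad signature encoding")
	}
	r := new(big.Int).SetBytes(sig[:32])
	s := new(big.Int).SetBytes(sig[32:])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(api.pub, digest[:], r, s) {
		return nil, errors.New("signature does not verify")
	}
	plBytes, err := b64url.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(plBytes, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

func main() {
	auth, err := NewAuthService()
	if err != nil {
		panic(err)
	}
	api := &APIService{pub: auth.PublicKey()} // only the public key crosses the service boundary
	tok, _ := auth.Mint(map[string]interface{}{"iss": "https://www.yoursite.ma", "sub": "alice"})
	claims, err := api.Verify(tok)
	fmt.Println(claims, err)
}
```

With the shared-secret variant every API service that verifies tokens could also mint them, so a compromise of any one of them is a compromise of the issuer; with the key pair the blast radius of a verifying service stays limited to what it serves.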
Slide 11
Conclusion
• Cookies are not completely outdated, but JWTs provide a lot of benefits!
• JWT for scalability and flexibility
• very useful to provide a cross-platform API
• ServiceWorkers to ease up handling within the browser
Slide 12
Thank you!
Markus Schlichting, Senior Software Engineer, Basel, Switzerland, Hackergarten Basel
@madmas
Slide 13
Resources
• RFC 7519 - JSON Web Token (JWT)
• Dwyl/learn-json-web-tokens
• Auth0: 10 Things You Should Know about Tokens
• Does JWT put your webapp at risk?
• Make your REST services attack proof – Alex Soto Bueno