JWTs for CSRF and Microservices

Post on 13-Jan-2017


Welcome!

Agenda
• Stormpath 101 (5 mins)
• JWT with CSRF & Microservices (40 mins)
• Q&A (15 mins)

Speakers
• Claire Hunsaker, VP of Marketing
• Micah Silverman, Java Developer Evangelist

Speed to Market & Cost Reduction
• Complete Identity solution out-of-the-box
• Security best practices and updates by default
• Clean & elegant API/SDKs
• Little to code, no maintenance

Stormpath User Management (architecture diagram): User Data and User Workflows live in Stormpath; Your Applications connect through the Application SDK; ID Integrations cover Google ID, Facebook, Active Directory and SAML.

Let’s talk about CSRF!

Signature Computation Pseudo-code

    encodedSecret = "4pE8z3PBoHjnV1AhvGk+e8h2p+ShZpOnpr8cwHmMh1w="

    // header and payload are the base64url-encoded JSON parts of the token;
    // the shared secret is stored base64-encoded and must be decoded back to
    // raw bytes before it is used as the HMAC key
    signature = computeHMACSHA256(
        header + "." + payload,
        base64DecodeToByteArray(encodedSecret)
    )

JWT Secret Anti-Patterns

Short but not Sweet

    // "secret" is 6 bytes; RFC 7518 requires an HS256 key of at least
    // 256 bits (32 bytes), and a key this short is trivially brute-forced
    .signWith( SignatureAlgorithm.HS256, "secret".getBytes("UTF-8") )

You're Doing it Wrong

    String b64EncodedSecret = "Yn2kjibddFAWtnPJ2AFlL8WXmohJMCvigQggaEypa5E=";

    // the key used here is the UTF-8 bytes of the base64 text (44 bytes of the
    // base64 alphabet), not the 32 bytes it encodes; any service that decodes
    // the shared secret correctly will fail to verify these tokens
    .signWith(
        SignatureAlgorithm.HS256,
        b64EncodedSecret.getBytes("UTF-8")
    )

Supersize that Secret!

    String b64EncodedSecret = "Yn2kjibddFAWtnPJ2AFlL8WXmohJMCvigQggaEypa5E=";

    // decode to the raw key bytes first; note that this secret decodes to
    // 32 bytes, while RFC 7518 calls for at least 64 bytes with HS512
    // (JJWT 0.10 and later reject such a key with a WeakKeyException)
    .signWith(
        SignatureAlgorithm.HS512,
        TextCodec.BASE64.decode(b64EncodedSecret)
    )
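As an added example (not code from the deck, the linked tutorials, or JJWT), the following Python implements the signature pseudo-code above and then exercises the three secret-handling cases from the anti-pattern slides. The base64 secret is the one printed on the slides; the sample claims, the function names and the key-length policy table are assumptions of this example.

```python
"""Added example, not code from the Stormpath deck or from JJWT: an HMAC JWS
signer/verifier that follows the slide's pseudo-code, plus the key checks the
anti-pattern slides motivate. The claims are constructed sample input."""
import base64
import binascii
import hashlib
import hmac
import json

# RFC 7518 section 3.2: the HMAC key MUST be at least as long as the hash output.
HASH_FOR_ALG = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}
MIN_KEY_BYTES = {"HS256": 32, "HS384": 48, "HS512": 64}

# The base64-encoded secret from the slides and its correctly decoded form.
B64_SECRET = "Yn2kjibddFAWtnPJ2AFlL8WXmohJMCvigQggaEypa5E="
DECODED_SECRET = base64.b64decode(B64_SECRET)      # 32 raw key bytes
CLAIMS = {"sub": "jdoe", "iss": "example.test"}     # constructed sample claims


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def key_ok(alg: str, key: bytes) -> bool:
    """False for an unknown alg or a key below the RFC 7518 floor: "secret" with
    HS256, or the slides' 32-byte secret paired with HS512."""
    return alg in MIN_KEY_BYTES and len(key) >= MIN_KEY_BYTES[alg]


def sign(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """computeHMAC(header + "." + payload, key): both parts are base64url-encoded
    JSON and the MAC runs over the literal ASCII of that dotted string."""
    if not key_ok(alg, key):
        raise ValueError(f"{alg} needs >= {MIN_KEY_BYTES.get(alg, '?')} key bytes, got {len(key)}")
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    mac = hmac.new(key, signing_input, HASH_FOR_ALG[alg]).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"


def verify(token: str, key: bytes, expected_alg: str = "HS256"):
    """Return the claims, or None. The verifier fixes the algorithm itself and only
    checks that the token's header agrees, so alg=none or a swapped alg is refused
    rather than obeyed; the MAC comparison is constant-time."""
    try:
        header, payload, sig = token.split(".")
        hdr = json.loads(b64url_decode(header))
        expected = hmac.new(key, f"{header}.{payload}".encode("ascii"),
                            HASH_FOR_ALG[expected_alg]).digest()
        if hdr.get("alg") != expected_alg or not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        return json.loads(b64url_decode(payload))
    except (ValueError, binascii.Error, KeyError, AttributeError, UnicodeDecodeError):
        return None


def base64_text_as_key_breaks_interop() -> bool:
    """The "You're Doing it Wrong" slide: signing with the UTF-8 bytes of the base64
    text. That key is 44 bytes, so a length check never complains, yet a peer that
    decodes the shared secret properly cannot verify the token."""
    token = sign(CLAIMS, B64_SECRET.encode("utf-8"))
    return (verify(token, DECODED_SECRET) is None
            and verify(token, B64_SECRET.encode("utf-8")) == CLAIMS)


if __name__ == "__main__":
    print("HS256 with 'secret' allowed:", key_ok("HS256", b"secret"))
    print("HS512 with the decoded 32-byte secret allowed:", key_ok("HS512", DECODED_SECRET))
    print("base64 text used as key breaks interop:", base64_text_as_key_breaks_interop())
    print(sign(CLAIMS, DECODED_SECRET))
```

The point worth taking from `base64_text_as_key_breaks_interop` is that the decode mistake is invisible to a key-length check and to the service that made it: its own tokens round-trip fine, and the failure only shows up when a second service in the microservice mesh decodes the shared secret the way the pseudo-code above says to.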

"Microservices are awesome, but they're not free."

- Les Hazlewood, Stormpath CTO

Monolithic SOA (diagram): AuthenticationService, AuthorizationService, ApplicationService, OrganizationService, DirectoryService, AccountService and GroupService deployed together as one application over the Database Infrastructure.

Microservices (diagram): the same seven services (GroupService, AccountService, AuthenticationService, AuthorizationService, ApplicationService, OrganizationService, DirectoryService) split out as separately deployed services over the Database Infrastructure.

Resources

• Repos used in today's preso:
  ○ github.com/jwtk/jjwt
  ○ github.com/stormpath/roadstorm-jwt-csrf-tutorial
  ○ github.com/stormpath/roadstorm-jwt-microservices-tutorial
• JJWT Guest Post on Baeldung - bit.ly/29ZPZAd
• Stormpath Microservices Screencast - bit.ly/29Wi6iw
• JWT Inspector - jwtinspector.io
• HTTPie - github.com/jkbrzt/httpie
• What are Microservices?
  ○ martinfowler.com/articles/microservices.html
• @afitnerd @goStormpath
• support@stormpath.com