JWTs for CSRF and Microservices
Uploaded by stormpath (Category: Technology)
Transcript of JWTs for CSRF and Microservices
JWTs for CSRF and Microservices

Welcome! Agenda:
• Stormpath 101 (5 mins)
• JWT with CSRF & Microservices (40 mins)
• Q&A (15 mins)

• Claire Hunsaker, VP of Marketing
• Micah Silverman, Java Developer Evangelist
Speed to Market & Cost Reduction
• Complete Identity solution out-of-the-box
• Security best practices and updates by default
• Clean & elegant API/SDKs
• Little to code, no maintenance
Stormpath User Management (architecture diagram): User Data and User Workflows; Your Applications, each with an Application SDK; ID Integrations: Google ID, Active Directory, SAML
Let’s talk about CSRF!
Signature Computation Pseudo-code:
encodedSecret = "4pE8z3PBoHjnV1AhvGk+e8h2p+ShZpOnpr8cwHmMh1w="
computeHMACSHA256(
    header + "." + payload,
    base64DecodeToByteArray(encodedSecret)
)
JWT Secret Anti-Patterns

Short but not Sweet:
.signWith( SignatureAlgorithm.HS256, "secret".getBytes("UTF-8") )

You're Doing it Wrong:
String b64EncodedSecret = "Yn2kjibddFAWtnPJ2AFlL8WXmohJMCvigQggaEypa5E=";
.signWith(
    SignatureAlgorithm.HS256,
    b64EncodedSecret.getBytes("UTF-8")
)

Supersize that Secret!
String b64EncodedSecret = "Yn2kjibddFAWtnPJ2AFlL8WXmohJMCvigQggaEypa5E=";
.signWith(
    SignatureAlgorithm.HS512,
    TextCodec.BASE64.decode(b64EncodedSecret)
)
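As an added example (not from the deck, and not JJWT code), the signature computation pseudo-code carried out in Python, with the two checks the anti-pattern slides are about: the base64 secret must be decoded to raw bytes before use, and the decoded key must be at least as long as the HMAC hash output (32 bytes for HS256, 64 for HS512). The secret string is the one shown on the slides; claim values are constructed.

```python
import base64
import hashlib
import hmac
import json

# Base64-encoded secret as shown on the slides; decoding it yields 32 raw bytes.
B64_SECRET = "Yn2kjibddFAWtnPJ2AFlL8WXmohJMCvigQggaEypa5E="
KEY = base64.b64decode(B64_SECRET)

# RFC 7518 section 3.2: an HMAC key must be at least as long as the hash output.
MIN_KEY_BYTES = {"HS256": 32, "HS384": 48, "HS512": 64}
HASHES = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def key_is_long_enough(key: bytes, alg: str) -> bool:
    """The 'Supersize that Secret' check: 32 bytes is fine for HS256, not for HS512."""
    return len(key) >= MIN_KEY_BYTES[alg]


def sign_jwt(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Return header.payload.signature, computed as in the deck's pseudo-code."""
    if not key_is_long_enough(key, alg):
        raise ValueError(f"{alg} needs >= {MIN_KEY_BYTES[alg]} key bytes, got {len(key)}")
    header = b64url(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), HASHES[alg]).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_jwt(token: str, key: bytes, alg: str) -> bool:
    """Recompute the MAC with the algorithm the server expects, never the header's."""
    header, payload, sig = token.split(".")
    hdr = json.loads(base64.urlsafe_b64decode(header + "=" * (-len(header) % 4)))
    if hdr.get("alg") != alg:  # rejects alg=none and algorithm-downgrade headers
        return False
    expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), HASHES[alg]).digest()
    return hmac.compare_digest(b64url(expected), sig)


if __name__ == "__main__":
    token = sign_jwt({"sub": "alice"}, KEY)
    print(token, verify_jwt(token, KEY, "HS256"))  # True
    # "You're Doing it Wrong": the base64 text used as the key is 44 bytes, not the real secret,
    # so a token minted that way does not verify under the properly decoded key.
    wrong = sign_jwt({"sub": "alice"}, B64_SECRET.encode("utf-8"))
    print(verify_jwt(wrong, KEY, "HS256"))  # False
```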
"Microservices are awesome, but they're not free."
- Les Hazlewood, Stormpath CTO
Monolithic SOA (diagram): AuthenticationService, AuthorizationService, ApplicationService, OrganizationService, DirectoryService, AccountService, GroupService on a shared Database Infrastructure

Microservices (diagram): Database Infrastructure; GroupService, AccountService, AuthenticationService, AuthorizationService, ApplicationService, OrganizationService, DirectoryService
Resources
• Repos used in today's preso:
  ○ github.com/jwtk/jjwt
  ○ github.com/stormpath/roadstorm-jwt-csrf-tutorial
  ○ github.com/stormpath/roadstorm-jwt-microservices-tutorial
• JJWT Guest Post on Baeldung - bit.ly/29ZPZAd
• Stormpath Microservices Screencast - bit.ly/29Wi6iw
• JWT Inspector - jwtinspector.io
• HTTPie - github.com/jkbrzt/httpie
• What are Microservices?
  ○ martinfowler.com/articles/microservices.html
• @afitnerd @goStormpath