Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

I Don't Care About Security (And Neither Should You)

75 views

Published on

Remember when setting up a login page was easy? It seems like nowadays it can take weeks to start a project--creating a signup form, a login form, a password recovery screen, and all the validation in between. And you haven’t even started on security considerations yet. During this presentation, the attendees will be introduced to OpenID Connect and OAuth. They will also learn how to leverage these technologies to create more secure applications. Most importantly, they will learn how to delegate authorization and authentication so they can focus on their real work and forget about all that security stuff.

Presented at South Florida Code Camp '19

Published in: Internet
  • Be the first to comment

  • Be the first to like this

I Don't Care About Security (And Neither Should You)

  1. 1. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
  2. 2. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) ABOUT ME @joel__lord joellord
  3. 3. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OAUTH FLOWS
  4. 4. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OAUTH FLOWS
  5. 5. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OAUTH FLOWS
  6. 6. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OAUTH FLOWS
  7. 7. INTRODUCING OAUTH!
  8. 8. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OAUTH FLOWS
  9. 9. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OAUTH FLOWS
  10. 10. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OAUTH FLOWS
  11. 11. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OAUTH FLOWS
  12. 12. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OAUTH FLOWS
  13. 13. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OAUTH FLOWS
  14. 14. BUT WHY ?
  15. 15. DELEGATION!
  16. 16. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) TRADITIONAL APPLICATIONS ▸ Browser requests a login page
  17. 17. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) TRADITIONAL APPLICATIONS ▸ Browser requests a login page
  18. 18. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) TRADITIONAL APPLICATIONS ▸ Browser requests a login page
  19. 19. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) TRADITIONAL APPLICATIONS ▸ Browser requests a login page ▸ Server validates on the database
  20. 20. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) TRADITIONAL APPLICATIONS ▸ Browser requests a login page ▸ Server validates on the database 👍
  21. 21. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) TRADITIONAL APPLICATIONS ▸ Browser requests a login page ▸ Server validates on the database ▸ It creates a session and sends back a cookie identifier 👍
  22. 22. "
  23. 23. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) WHAT’S WRONG WITH TRADITIONAL AUTHENTICATION? ▸ Multiple platforms connecting to your application
  24. 24. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) WHAT’S WRONG WITH TRADITIONAL AUTHENTICATION? ▸ Multiple platforms connecting to your application ▸ Tightly coupled
  25. 25. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) WHAT’S WRONG WITH TRADITIONAL AUTHENTICATION? ▸ Multiple platforms connecting to your application ▸ Tightly coupled ▸ Sharing credentials to connect to a third party API
  26. 26. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) WHAT’S WRONG WITH TRADITIONAL AUTHENTICATION? ▸ Multiple platforms connecting to your application ▸ Tightly coupled ▸ Sharing credentials to connect to a third party API ▸ Users have a gazillions accounts already, which leads to password reuse and lower conversion rates
  27. 27. OAUTH GRANTS I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
  28. 28. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE
  29. 29. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE
  30. 30. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE
  31. 31. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE 👍
  32. 32. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE 👍
  33. 33. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE
  34. 34. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE
  35. 35. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE
  36. 36. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE
  37. 37. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE
  38. 38. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE ⛔
  39. 39. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE
  40. 40. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) AUTHORIZATION CODE
  41. 41. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) IMPLICIT GRANT
  42. 42. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) IMPLICIT GRANT
  43. 43. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) IMPLICIT GRANT
  44. 44. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) IMPLICIT GRANT
  45. 45. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) IMPLICIT GRANT 👍
  46. 46. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) IMPLICIT GRANT
  47. 47. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) IMPLICIT GRANT
  48. 48. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) IMPLICIT GRANT
  49. 49. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) IMPLICIT GRANT 👍
  50. 50. TOKENS 101 I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU)
  51. 51. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) TOKENS ▸ Access Tokens ▸ Gives you access to a resource ▸ Controls access to your API ▸ Short Lived ▸ Refresh Tokens ▸ Enable you to get a new access token ▸ Longed lived ▸ Can be revoked
  52. 52. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) TOKENS ▸ Refresh Tokens ▸ Enable you to get a new access token ▸ Longed lived ▸ Can be revoked
  53. 53. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) TOKENS ▸ Refresh Tokens ▸ Enable you to get a new access token ▸ Longed lived ▸ Can be revoked
  54. 54. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) TOKENS ▸ WS Federated ▸ SAML ▸ Custom stuff ▸ …
  55. 55. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) TOKENS ▸ WS Federated ▸ SAML ▸ Custom stuff ▸ JWT
  56. 56. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) eyJhbGciOiJIUzI1NiIsInR5cC I6IkpXVCJ9.eyJzdWIiOiIxMj M0NTY3ODkwIiwibmFtZSI6I kpvZWwgTG9yZCIsImFkbWl uIjp0cnVlLCJzY29wZSI6InBv c3RzOnJlYWQgcG9zdHM6 d3JpdGUifQ.XesR- pKdlscHfUwoKvHnACqfpe2 ywJ6t1BJKsq9rEcg
  57. 57. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) ▸ Header ▸ Payload ▸ Signature eyJhbGciOiJIUzI1NiIsInR5cC I6IkpXVCJ9.eyJzdWIiOiIxMj M0NTY3ODkwIiwibmFtZSI6I kpvZWwgTG9yZCIsImFkbWl uIjp0cnVlLCJzY29wZSI6InBv c3RzOnJlYWQgcG9zdHM6 d3JpdGUifQ.XesR- pKdlscHfUwoKvHnACqfpe2 ywJ6t1BJKsq9rEcg
  58. 58. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) ▸ Header eyJhbGciOiJIUzI1NiIsInR5cC I6IkpXVCJ9.eyJzdWIiOiIxMj M0NTY3ODkwIiwibmFtZSI6I kpvZWwgTG9yZCIsImFkbWl uIjp0cnVlLCJzY29wZSI6InBv c3RzOnJlYWQgcG9zdHM6 d3JpdGUifQ.XesR- pKdlscHfUwoKvHnACqfpe2 ywJ6t1BJKsq9rEcg
  59. 59. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) ▸ Header eyJhbGciOiJIUzI1NiIsInR5cC I6IkpXVCJ9
  60. 60. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) ▸ Header atob(‘eyJhbGciOiJIUzI1NiIsI nR5cCI6IkpXVCJ9’);
  61. 61. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) ▸ Header { "alg": "HS256", "typ": "JWT" }
  62. 62. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) ▸ Payload eyJhbGciOiJIUzI1NiIsInR5cC I6IkpXVCJ9.eyJzdWIiOiIxMj M0NTY3ODkwIiwibmFtZSI6I kpvZWwgTG9yZCIsImFkbWl uIjp0cnVlLCJzY29wZSI6InBv c3RzOnJlYWQgcG9zdHM6 d3JpdGUifQ.XesR- pKdlscHfUwoKvHnACqfpe2 ywJ6t1BJKsq9rEcg
  63. 63. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) ▸ Payload eyJzdWIiOiIxMjM0NTY3OD kwIiwibmFtZSI6IkpvZWwgT G9yZCIsImFkbWluIjp0cnVlL CJzY29wZSI6InBvc3RzOnJl YWQgcG9zdHM6d3JpdGUi fQ
  64. 64. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) ▸ Payload atob(‘eyJzdWIiOiIxMjM0NT Y3ODkwIiwibmFtZSI6IkpvZ WwgTG9yZCIsImFkbWluIjp 0cnVlLCJzY29wZSI6InBvc3R zOnJlYWQgcG9zdHM6d3J pdGUifQ’);
  65. 65. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) ▸ Payload { "sub": "1234567890", "name": "Joel Lord", "admin": true, "scope": "posts:read posts:write" }
  66. 66. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) ▸ Signature XesR- pKdlscHfUwoKvHnACqfpe2 ywJ6t1BJKsq9rEcg
  67. 67. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) ▸ Signature hmacsha256( `${header}.${payload}`, SECRET_KEY );
  68. 68. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) JSON WEB TOKENS (JWTS, NOT JOTS) Image: https://jwt.io
  69. 69. CODE TIME!
  70. 70. Auth Server API var express = require('express'); var Webtask = require('webtask-tools'); var bodyParser = require('body-parser'); var randopeep = require("randopeep"); var jwt = require("jsonwebtoken"); var app = express(); var users = [ {id: 1, username: "joellord", password: "joellord"}, {id: 2, username: "guest", password: "guest"} ]; app.use(bodyParser.json()); app.post("/login", function(req, res) { if (!req.body.username || !req.body.password) return res.status(400).send("Need username and password"); var user = users.find(function(u) { return u.username === req.body.username && u.password === req.body.password; }); if (!user) return res.status(401).send("User not found"); var token = jwt.sign({ sub: user.id, scope: "api:read", username: user.username }, "mysupersecret", {expiresIn: "10 minutes"}); var express = require('express'); var Webtask = require('webtask-tools'); var bodyParser = require('body-parser'); var jwt = require("jsonwebtoken"); var app = express(); var users = [ {id: 1, username: "joellord", password: "joellord"}, {id: 2, username: "guest", password: "guest"} ]; app.use(bodyParser.urlencoded()); app.get("/login", function(req, res) { var loginForm = "<form method='post'><input type=hidden name=callback value='" + req.query.callback + "'><input type=text name=username /><input type=text name=password /><input type=submit></form>"; res.status(200).send(loginForm); }); app.post("/login", function(req, res) { if (!req.body.username || !req.body.password) return res.status(400).send("Need username and password"); var user = users.find(function(u) { return u.username === req.body.username && u.password === req.body.password; }); if (!user) return res.status(401).send("User not found");
  71. 71. @joel__lord #sflcc Auth Server var express = require('express'); var bodyParser = require('body-parser'); var jwt = require("jsonwebtoken"); var app = express(); // ...
  72. 72. @joel__lord #sflcc Auth Server var express = require('express'); var bodyParser = require('body-parser'); var jwt = require("jsonwebtoken"); var app = express(); // ...
  73. 73. @joel__lord #sflcc Auth Server var express = require('express'); var bodyParser = require('body-parser'); var jwt = require("jsonwebtoken"); var app = express(); // ...
  74. 74. @joel__lord #sflcc Auth Server var express = require('express'); var bodyParser = require('body-parser'); var jwt = require("jsonwebtoken"); var app = express(); // ...
  75. 75. @joel__lord #sflcc Auth Server // Requires ... var users = [ {id: 1, username: "joellord", password: "joellord"}, {id: 2, username: "guest", password: "guest"} ];
  76. 76. @joel__lord #sflcc Auth Server // Requires ... var users = [...]; app.use(bodyParser.urlencoded()); app.post("/login", function(req, res) { // POST for login }); app.get('*', function (req, res) { res.sendStatus(404); });
  77. 77. @joel__lord #sflcc Auth Server // Requires ... var users = [...]; app.use(bodyParser.urlencoded()); app.post("/login", function(req, res) { // POST for login }); app.get('*', function (req, res) { res.sendStatus(404); });
  78. 78. @joel__lord #sflcc Auth Server app.post("/login", function(req, res) { // POST for login if (!req.body.username || !req.body.password) return res.status(400).send("Need username and password"); var user = users.find(function(u) { return u.username === req.body.username && u.password === req.body.password; }); if (!user) return res.status(401).send("User not found"); var token = jwt.sign({ sub: user.id, scope: "api:read", username: user.username }, "mysupersecret", {expiresIn: "10 minutes"}); res.redirect(req.body.callback + "#access_token=" + token); });
  79. 79. @joel__lord #sflcc Auth Server app.post("/login", function(req, res) { // POST for login if (!req.body.username || !req.body.password) return res.status(400).send("Need username and password"); var user = users.find(function(u) { return u.username === req.body.username && u.password === req.body.password; }); if (!user) return res.status(401).send("User not found"); var token = jwt.sign({ sub: user.id, scope: "api:read", username: user.username }, "mysupersecret", {expiresIn: "10 minutes"}); res.redirect(req.body.callback + "#access_token=" + token); });
  80. 80. @joel__lord #sflcc Auth Server app.post("/login", function(req, res) { // POST for login if (!req.body.username || !req.body.password) return res.status(400).send("Need username and password"); var user = users.find(function(u) { return u.username === req.body.username && u.password === req.body.password; }); if (!user) return res.status(401).send("User not found"); var token = jwt.sign({ sub: user.id, scope: "api:read", username: user.username }, "mysupersecret", {expiresIn: "10 minutes"}); res.redirect(req.body.callback + "#access_token=" + token); });
  81. 81. @joel__lord #sflcc Auth Server app.post("/login", function(req, res) { // POST for login if (!req.body.username || !req.body.password) return res.status(400).send("Need username and password"); var user = users.find(function(u) { return u.username === req.body.username && u.password === req.body.password; }); if (!user) return res.status(401).send("User not found"); var token = jwt.sign({ sub: user.id, scope: "api:read", username: user.username }, "mysupersecret", {expiresIn: "10 minutes"}); res.redirect(req.body.callback + "#access_token=" + token); });
  82. 82. @joel__lord #sflcc Auth Server // Requires ... var users = [...]; app.use(bodyParser.urlencoded()); app.post("/login", function(req, res) { // POST for login }); app.get('*', function (req, res) { res.sendStatus(404); }); app.listen(8080, () => console.log("Auth server running on 8080"));}
  83. 83. @joel__lord #sflcc API var express = require('express'); var bodyParser = require('body-parser'); var randopeep = require("randopeep"); var expressjwt = require("express-jwt"); var app = express();
  84. 84. @joel__lord #sflcc API var express = require('express'); var bodyParser = require('body-parser'); var randopeep = require("randopeep"); var expressjwt = require("express-jwt"); var app = express();
  85. 85. @joel__lord #sflcc API var express = require('express'); var bodyParser = require('body-parser'); var randopeep = require("randopeep"); var expressjwt = require("express-jwt"); var app = express();
  86. 86. @joel__lord #sflcc API var express = require('express'); var bodyParser = require('body-parser'); var randopeep = require("randopeep"); var expressjwt = require("express-jwt"); var app = express();
  87. 87. @joel__lord #sflcc API var express = require('express'); var bodyParser = require('body-parser'); var randopeep = require("randopeep"); var expressjwt = require("express-jwt"); var app = express();
  88. 88. @joel__lord #sflcc API // Requires ... var jwtCheck = expressjwt({ secret: "mysupersecret" });
  89. 89. @joel__lord #sflcc API // Requires and config ... app.get("/headline", function(req, res) { // Unprotected res.status(200).send(randopeep.clickbait.headline()); }); app.get("/protected/headline", jwtCheck, function(req, res) { // Protected res.status(200).send(randopeep.clickbait.headline("Joel Lord")); }); app.get('*', function (req, res) { res.sendStatus(404); });
  90. 90. @joel__lord #sflcc API // Requires and config ... app.get("/headline", function(req, res) { // Unprotected res.status(200).send(randopeep.clickbait.headline()); }); app.get("/protected/headline", jwtCheck, function(req, res) { // Protected res.status(200).send(randopeep.clickbait.headline("Joel Lord")); }); app.get('*', function (req, res) { res.sendStatus(404); });
  91. 91. @joel__lord #sflcc API // Requires and config ... app.get("/headline", function(req, res) { // Unprotected res.status(200).send(randopeep.clickbait.headline()); }); app.get("/protected/headline", jwtCheck, function(req, res) { // Protected res.status(200).send(randopeep.clickbait.headline("Joel Lord")); }); app.get('*', function (req, res) { res.sendStatus(404); });
  92. 92. @joel__lord #sflcc API // Requires and config ... app.get("/headline", function(req, res) { // Unprotected res.status(200).send(randopeep.clickbait.headline()); }); app.get("/protected/headline", jwtCheck, function(req, res) { // Protected res.status(200).send(randopeep.clickbait.headline("Joel Lord")); }); app.get('*', function (req, res) { res.sendStatus(404); });
  93. 93. @joel__lord #sflcc API // Requires and config ... app.get("/headline", function(req, res) { // Unprotected }); app.get("/protected/headline", jwtCheck, function(req, res) { // Protected }); app.get('*', function (req, res) { res.sendStatus(404); }); app.listen(8888, () => console.log("API listening on 8888"));
  94. 94. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) DEAR DEMO GODS, PLEASE LET THIS WORK ▸ https://github.com/joellord/ secure-spa-auth0
  95. 95. DELEGATION!
  96. 96. INTRODUCING OPEN ID CONNECT!
  97. 97. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OPEN ID CONNECT ▸ Built on top of OAuth 2.0 ▸ OpenID Connect is to OpenId what JavaScript is to Java ▸ Provides Identity Tokens in JWT format ▸ Uses a /userinfo endpoint to provide this info
  98. 98. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OPEN ID CONNECT ▸ Uses the “scope” to fetch info ▸ openid ▸ Profile ▸ email ▸ address ▸ phone
  99. 99. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OPEN ID CONNECT scope=openid%20profile
  100. 100. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OPEN ID CONNECT 👍
  101. 101. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OPEN ID CONNECT 👍
  102. 102. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OPEN ID CONNECT
  103. 103. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OPEN ID CONNECT
  104. 104. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OPEN ID CONNECT
  105. 105. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OPEN ID CONNECT /userinfo
  106. 106. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OPEN ID CONNECT
  107. 107. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) OPEN ID CONNECT Image: https://openidconnect.net
  108. 108. I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) DEAR DEMO GODS, PLEASE LET THIS WORK ▸ https://github.com/joellord/ secure-spa-auth0
  109. 109. DELEGATION!
  110. 110. @joel__lord #sflcc I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) RESOURCES ▸ General JWT resource ▸ https://jwt.io/ ▸ Learn how OIDC works ▸ https://openidconnect.net/ ▸ Code samples ▸ http://bit.ly/idontcareaboutsecurity
  111. 111. @joel__lord joellord I DON’T CARE ABOUT SECURITY (AND NEITHER SHOULD YOU) South Florida Code Camp March 2nd, 2019 THANK YOU !
  112. 112. TEXT
  113. 113. TEXT

×