Token vs Cookies (DevoxxMA 2015)

#DevoxxMA #JWT @madmas

Token vs. Cookies
JWT – the silver bullet for authentication in modern application stacks?

Markus Schlichting
About
Markus Schlichting, Senior Software Engineer
Basel, Switzerland
Hackergarten Basel
markus.schlichting@canoo.com
@madmas
Cookies & Sessions

  Client (https://app.yoursite.ma)              Server (https://app.yoursite.ma)
  -- Credentials -------------------------->    Validation, Create Session (in Session Store)
  <- Session information -------------------
  Store in Session Cookie
  -- Send session inf. with every request ->    Check session (against Session Store), grant access
Cookies & Sessions
• load balancing requires shared session pool
• separate services need to sync via session pool
• cross origin resource sharing (CORS)
• CSRF vulnerabilities
• other clients than browsers?
JSON Web Token
JSON Web Tokens are an open, industry standard (RFC 7519) method for representing claims securely between two parties.
• relies on other JSON-based standards:
  • JWS (JSON Web Signature)
  • JWE (JSON Web Encryption)
• Libraries widely available
JWT – How?

  Client (https://www.yoursite.ma)              Server (https://api.yoursite.ma)
  -- Credentials -------------------------->    Validation, Create Token
  <- Token ---------------------------------
  Store Token
  -- Send token with every request -------->    Validate token, grant access
JWT – What's inside?
jwt.io
JWT in action
Demo time!
JWT security aspects
• use on encrypted connection only (HTTPS!)
• avoid URL tokens:
  https://yoursite.ma/service/action?token=jwt.goes.here
• a lot of effort has been made in securing session cookies
  • HttpOnly, etc.
• be aware of the implications coming with tokens
JWT summary
• embraces JSON, heavily adopted across many stacks
• simple to use, simple to implement
  • more libs, fewer interoperability issues
• supports both symmetric and asymmetric crypto
  • majority of use cases solved
• reduce the dependency between services to a minimum
  • shared secret, public/private keys
• help to achieve one basic principle in REST based architecture: State transfer
Conclusion
• Cookies are not completely outdated, but JWT provide a lot of benefits!
• JWT for scalability and flexibility
• Very useful to provide a cross platform API
• ServiceWorkers to ease up handling within the browser
Thank you!
Markus Schlichting, Senior Software Engineer
Basel, Switzerland
Hackergarten Basel
markus.schlichting@canoo.com
@madmas
Resources
• RFC 7519 - JSON Web Token (JWT)
• Dwyl/learn-json-web-tokens
• Auth0: 10 Things You Should Know about Tokens
• Does JWT put your webapp at risk?
• Make your REST services attack proof – Alex Soto Bueno