All Things Open, profile picture
Uploaded byAll Things Open
PDF, PPTX292 views

An Introduction to PASETO Tokens

Randall Degges introduces PASETO (Platform-Agnostic Security Tokens) as an alternative to JWTs. PASETOs address issues with JWT cryptography and misuse by using stronger algorithms and enforcing strict validation. PASETOs can be local and encrypted with a shared key, or public and signed with asymmetric keys. They provide tamper-proof payloads and different types for various use cases. Developers are encouraged to try PASETOs as a more secure token standard.

Technology
Related topics:
All Things Open

Embed presentation

Download as PDF, PPTX
@rdegges @oktadev PASETO Tokens An Introduction to platform agnostic security tokens
@rdegges @oktadev Chief Hacker @okta python/js/go hacker builder open source author Hi, I'm Randall.
@rdegges @oktadev What's PASETO? P { "id": "a5db284d-d22c-4a3d-b67e-60776fc24526", "email": "r@rdegges.com", "permissions": [ "download:file-a.mp4", "download:file-b.mp4", "download:file-c.mp4" ] } Randall Degges PASETOs are always authenticated.
@rdegges @oktadev What are cryptographic signatures? Greetings, I am writing to inform you that you are the great grandson of a very wealthy king. I've been attempting to contact you to transfer your inheritance. Please send me your bank account details so I can initiate the transfer ASAP. Sincerely yours, Randall Degges I know who Randall is. I know what his signature looks like. I trust him. Therefore, I trust this information.
@rdegges @oktadev What are PASETOs for? Proving that JSON data can be trusted. { "name": "Randall Degges", "height": "6'0", "eyeColor": "brown" } single-use only short duration P
@rdegges @oktadev What does a PASETO look like? P v2.public.eyJpZCI6ICJjNDQ1NDY1Mi05NWExLTQ2MzktODA0Y y0yZjc2MTVhNGMwMjciLCAibmFtZSI6ICJSYW5kYWxsIERlZ2dl cyIsICJleHAiOiAiMjAxOS0xMC0xMFQxMTowNDozNS0wNzowMCJ 9rUy35ian_44WAlMLVi5Wk4GGvDlmCpEWkldn1CH3RgLfo-VUWm xC9EPTBY8l0uoomavACbAIoo1OiGVNMew1Bw.eyJraWQiOiAiMT IzNDUifQbase64-encoded URL safe!
@rdegges @oktadev What does a PASETO look like? P v2.public.eyJpZCI6ICJjNDQ1NDY1Mi05NWExLTQ2MzktODA0Y y0yZjc2MTVhNGMwMjciLCAibmFtZSI6ICJSYW5kYWxsIERlZ2dl cyIsICJleHAiOiAiMjAxOS0xMC0xMFQxMTowNDozNS0wNzowMCJ 9rUy35ian_44WAlMLVi5Wk4GGvDlmCpEWkldn1CH3RgLfo-VUWm xC9EPTBY8l0uoomavACbAIoo1OiGVNMew1Bw.eyJraWQiOiAiMT IzNDUifQ version
@rdegges @oktadev What does a PASETO look like? P v2.public.eyJpZCI6ICJjNDQ1NDY1Mi05NWExLTQ2MzktODA0Y y0yZjc2MTVhNGMwMjciLCAibmFtZSI6ICJSYW5kYWxsIERlZ2dl cyIsICJleHAiOiAiMjAxOS0xMC0xMFQxMTowNDozNS0wNzowMCJ 9rUy35ian_44WAlMLVi5Wk4GGvDlmCpEWkldn1CH3RgLfo-VUWm xC9EPTBY8l0uoomavACbAIoo1OiGVNMew1Bw.eyJraWQiOiAiMT IzNDUifQ version purpose
@rdegges @oktadev What does a PASETO look like? P v2.public.eyJpZCI6ICJjNDQ1NDY1Mi05NWExLTQ2MzktODA0Y y0yZjc2MTVhNGMwMjciLCAibmFtZSI6ICJSYW5kYWxsIERlZ2dl cyIsICJleHAiOiAiMjAxOS0xMC0xMFQxMTowNDozNS0wNzowMCJ 9rUy35ian_44WAlMLVi5Wk4GGvDlmCpEWkldn1CH3RgLfo-VUWm xC9EPTBY8l0uoomavACbAIoo1OiGVNMew1Bw.eyJraWQiOiAiMT IzNDUifQ version purpose payload
@rdegges @oktadev What does a PASETO look like? P v2.public.eyJpZCI6ICJjNDQ1NDY1Mi05NWExLTQ2MzktODA0Y y0yZjc2MTVhNGMwMjciLCAibmFtZSI6ICJSYW5kYWxsIERlZ2dl cyIsICJleHAiOiAiMjAxOS0xMC0xMFQxMTowNDozNS0wNzowMCJ 9rUy35ian_44WAlMLVi5Wk4GGvDlmCpEWkldn1CH3RgLfo-VUWm xC9EPTBY8l0uoomavACbAIoo1OiGVNMew1Bw.eyJraWQiOiAiMT IzNDUifQ version purpose payload footer
@rdegges @oktadev What's inside a PASETO? P { "id": "a5db284d-d22c-4a3d-b67e-60776fc24526", "email": "r@rdegges.com", "permissions": [ "download:file-a.mp4", "download:file-b.mp4", "download:file-c.mp4" ] } claims
@rdegges @oktadev key name type example iss Issuer string {"iss": "okta.com"} sub Subject string {"sub": "test"} aud Audience string {"aud": "okta.com"} exp Expiration DateTime {"exp": "2019-10-31T00:00:00+00:00"} nbf Not Before DateTime {"nbf": "2019-10-31T00:00:00+00:00"} iat Issued At DateTime {"iat": "2019-10-31T00:00:00+00:00"} jti Token ID string {"jti": "ac478bc0-c73a-4a2c-8f00-186456cf8d88") kid Key-ID string {"kid": "stored in footer"} Who created the token? When does the token expire? When was the token created?
@rdegges @oktadev What are the different types of PASETOs? P P local public symmetric shared key simple asymmetricpublic key complicated encrypted not encrypted
@rdegges @oktadev How do local PASETOs work? v2.local.vB7daJlQOL5sY8mQa_FWb6ZYbkNi8yeRqI-DCFNEPTYEu7ItQH MMM5jzD_fw-G7l-AXJRBj3E9jxx9-JS5eG436WGUn03zYp2nuV3PVqppEyR P9LoZ1TTBREhR182NRcNYqUkM8FfazWegWcLc1gSzFXx0Kge4U7XHtAlliT rR8p09hH6qVpqAsgMdp00ao66JX_mxlEjkL3y784CoAK-gyy_ZZ1WzAvYAj QApl859RxnB9uLMpb-VURmetmrw9sC_Iw27to46ulTcMxx_KoSBem9eSG5M 4bvNQC5YFeDLIM2HXDf35YIo50.eyJraWQiOiAiMTIzNDUifQ secret_key { json } fuck The secret_key is needed to both encrypt and decrypt the PASETO.
@rdegges @oktadev How do I use local PASETOs? www. P secret_key dl. { "purchaseID": "1234567", "permissions": [ "download:video1.mp4", "download:video2.mp4", "download:video3.mp4" ] } ?token=v2.local.xxx& file=video1.mp4 - Parse URL params - Decrypt token - Verify purchaseID - Verify permissions - Stream file to user video1.mp4 I want to download video1.mp4. secret_key - Validate request - Generate PASETO - Redirect
@rdegges @oktadev How do public PASETOs work? v2.public.vB7daJlQOL5sY8mQa_FWb6ZYbkNi8yeRqI-DCFNEPTYEu7ItQ HMMM5jzD_fw-G7l-AXJRBj3E9jxx9-JS5eG436WGUn03zYp2nuV3PVqppEy RP9LoZ1TTBREhR182NRcNYqUkM8FfazWegWcLc1gSzFXx0Kge4U7XHtAlli TrR8p09hH6qVpqAsgMdp00ao66JX_mxlEjkL3y784CoAK-gyy_ZZ1WzAvYA jQApl859RxnB9uLMpb-VURmetmrw9sC_Iw27to46ulTcMxx_KoSBem9eSG5 M4bvNQC5YFeDLIM2HXDf35YIo50.eyJraWQiOiAiMTIzNDUifQ private key { json } I can see the data. The private key is needed to create the PASETO. The public key is need to validate the PASETO. public key
@rdegges @oktadev How do I use public PASETOs? website P public_key authorization server private_key public_key { "userID": "1234567" } I'd like to log in. - Authenticate the user - Generate a PASETO - Redirect the user back to the website ?token=v2.public.xxx - Parse the token out of the URL - Validate the token - Create a secure session using server-side session management
@rdegges @oktadev Why are PASETOs better than JWTs?
@rdegges @oktadev What's wrong with JWTs? Allows poor cryptography choices - RSA w/ PKCS #1v1.5 padding - RSA w/ OAEP Padding - Elliptic Curve Diffie-Hellman (ECDH) using Weierstrass curves - AES-GCM They're widely misused. Force implementations to strictly process the alg header. This causes forgery issues. Vulnerable to a padding oracle attack. Cryptographers recommend migrating away from RSA. Introduces risk of invalid-curve attacks that allow attackers to steal your secret keys. This is the wrong type of cryptography entirely. Using symmetric encryption when asymetric is needed.
@rdegges @oktadev Try PASETO! P paseto.io read the RFC find developer libraries discover articles
@rdegges @oktadev Thank You rdegges.com developer.okta.com

More Related Content

DOC
11th rep of ese.cmdy .banu
byahsanrabbani
 
PDF
Spring Roo 2.0 Preview at Spring I/O 2016
byDISID
 
PDF
GraphQL, l'avenir du REST ?
byFrancois Zaninotto
 
PDF
We-built-a-honeypot-and-p4wned-ransomware-developers-too
byChristiaan Beek
 
PDF
Securing the Web without site-specific passwords
byFrancois Marier
 
PDF
Proteus 8051lcd
bymohsen_seif
 
PDF
Demystifying REST - SFRails meetup
byKirsten Hunter
 
PDF
DNS May Be Hazardous to Your Health
byRobert Stucke
 
11th rep of ese.cmdy .banu
byahsanrabbani
 
Spring Roo 2.0 Preview at Spring I/O 2016
byDISID
 
GraphQL, l'avenir du REST ?
byFrancois Zaninotto
 
We-built-a-honeypot-and-p4wned-ransomware-developers-too
byChristiaan Beek
 
Securing the Web without site-specific passwords
byFrancois Marier
 
Proteus 8051lcd
bymohsen_seif
 
Demystifying REST - SFRails meetup
byKirsten Hunter
 
DNS May Be Hazardous to Your Health
byRobert Stucke
 

Similar to An Introduction to PASETO Tokens

PDF
INTERFACE by apidays - The State of OAuth by Aaron Parecki,
byapidays
 
PDF
Stateless authentication for microservices - Greach 2015
byAlvaro Sanchez-Mariscal
 
PDF
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
byAlvaro Sanchez-Mariscal
 
PDF
Stateless authentication for microservices - Spring I/O 2015
byAlvaro Sanchez-Mariscal
 
PDF
Stateless authentication for microservices
byAlvaro Sanchez-Mariscal
 
PDF
Stateless authentication for microservices - GR8Conf 2015
byAlvaro Sanchez-Mariscal
 
PDF
ConFoo 2015 - Securing RESTful resources with OAuth2
byRodrigo Cândido da Silva
 
PDF
OAuth and why you should use it
bySergey Podgornyy
 
PDF
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
byMatt Raible
 
PDF
INTERFACE, by apidays - The State of OAuth by Aaron Parecki, Okta
byapidays
 
PDF
Keeping Pace with OAuth’s Evolving Security Practices.pdf
bySirris
 
PPTX
OAuth-as-a-service - using ASP.NET Web API and Windows Azure Access Control -...
byMaarten Balliauw
 
PPTX
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
byMicrosoft Developer Network (MSDN) - Belgium and Luxembourg
 
PDF
What the Heck is OAuth and OpenID Connect - DOSUG 2018
byMatt Raible
 
PDF
A-Passwordless-Future--WebAuthn-for-Java-Developers.pdf
byMohankumarRamachandr1
 
PDF
oauth-for-credentials-security-in-rest-api-access
byidsecconf
 
PDF
Stateless authentication for microservices applications - JavaLand 2015
byAlvaro Sanchez-Mariscal
 
PDF
Stateless token-based authentication for pure front-end applications
byAlvaro Sanchez-Mariscal
 
PPTX
An introduction to OAuth 2
bySanjoy Kumar Roy
 
INTERFACE by apidays - The State of OAuth by Aaron Parecki,
byapidays
 
Stateless authentication for microservices - Greach 2015
byAlvaro Sanchez-Mariscal
 
Stateless authentication with OAuth 2 and JWT - JavaZone 2015
byAlvaro Sanchez-Mariscal
 
Stateless authentication for microservices - Spring I/O 2015
byAlvaro Sanchez-Mariscal
 
Stateless authentication for microservices
byAlvaro Sanchez-Mariscal
 
Stateless authentication for microservices - GR8Conf 2015
byAlvaro Sanchez-Mariscal
 
ConFoo 2015 - Securing RESTful resources with OAuth2
byRodrigo Cândido da Silva
 
OAuth and why you should use it
bySergey Podgornyy
 
What the Heck is OAuth and OpenID Connect? Connect.Tech 2017
byMatt Raible
 
INTERFACE, by apidays - The State of OAuth by Aaron Parecki, Okta
byapidays
 
Keeping Pace with OAuth’s Evolving Security Practices.pdf
bySirris
 
OAuth-as-a-service - using ASP.NET Web API and Windows Azure Access Control -...
byMaarten Balliauw
 
OAuth-as-a-service using ASP.NET Web API and Windows Azure Access Control
byMicrosoft Developer Network (MSDN) - Belgium and Luxembourg
 
What the Heck is OAuth and OpenID Connect - DOSUG 2018
byMatt Raible
 
A-Passwordless-Future--WebAuthn-for-Java-Developers.pdf
byMohankumarRamachandr1
 
oauth-for-credentials-security-in-rest-api-access
byidsecconf
 
Stateless authentication for microservices applications - JavaLand 2015
byAlvaro Sanchez-Mariscal
 
Stateless token-based authentication for pure front-end applications
byAlvaro Sanchez-Mariscal
 
An introduction to OAuth 2
bySanjoy Kumar Roy
 

More from All Things Open

PPTX
Spacewalk 2026 - Presented at the IMAX in Raleigh, NC
byAll Things Open
 
PDF
Open Source Post-Quantum Cryptography - Matt Caswell
byAll Things Open
 
PDF
Rolling out Enterprise AI: Tools, Insights, and Team Empowerment
byAll Things Open
 
PPTX
AI and Linux in 2025 - Jay LaCroix, Learn Linux TV
byAll Things Open
 
PDF
Unconventional Backgrounds: The Secret Sauce of Diversity
byAll Things Open
 
PDF
With AIs Wide Open… - All Things Open 2025
byAll Things Open
 
PDF
Incorporating AI Into Your SDLC: Leveraging AI tooling across the phases of y...
byAll Things Open
 
PDF
Keynote: X-rAI Specs, Submarines and Juice
byAll Things Open
 
PDF
Authoring a GNOME Shell Extension: A Developer's Journey as an Open-Source Pr...
byAll Things Open
 
PDF
AI-Driven DevOps: How LLMs and Agents Are Changing Software Delivery
byAll Things Open
 
PDF
Developing Kubernetes Integrations for the On-Premises Cloud
byAll Things Open
 
PPTX
What If the Quietest Person is the Smartest in the Room?
byAll Things Open
 
PDF
ERG as a Bridge: Driving Inclusion in Open Source
byAll Things Open
 
PDF
The Missing Link to Inclusion and Performance
byAll Things Open
 
PDF
Linux Command-line Tips and Tricks - ATO 2025
byAll Things Open
 
PDF
Supply Chain Robots, Electric Sheep, and SLSA
byAll Things Open
 
PDF
Everything You Need to Know About Running LLMs Locally
byAll Things Open
 
PDF
Agentic AI, Interoperability, and Automation: Lessons from the Past, Visions ...
byAll Things Open
 
PDF
Tech Hiring Is Not Dead - You Just Actually Have To Try
byAll Things Open
 
PDF
Agentic AI for Developers and Data Scientists Build an AI Agent in 10 Lines o...
byAll Things Open
 
Spacewalk 2026 - Presented at the IMAX in Raleigh, NC
byAll Things Open
 
Open Source Post-Quantum Cryptography - Matt Caswell
byAll Things Open
 
Rolling out Enterprise AI: Tools, Insights, and Team Empowerment
byAll Things Open
 
AI and Linux in 2025 - Jay LaCroix, Learn Linux TV
byAll Things Open
 
Unconventional Backgrounds: The Secret Sauce of Diversity
byAll Things Open
 
With AIs Wide Open… - All Things Open 2025
byAll Things Open
 
Incorporating AI Into Your SDLC: Leveraging AI tooling across the phases of y...
byAll Things Open
 
Keynote: X-rAI Specs, Submarines and Juice
byAll Things Open
 
Authoring a GNOME Shell Extension: A Developer's Journey as an Open-Source Pr...
byAll Things Open
 
AI-Driven DevOps: How LLMs and Agents Are Changing Software Delivery
byAll Things Open
 
Developing Kubernetes Integrations for the On-Premises Cloud
byAll Things Open
 
What If the Quietest Person is the Smartest in the Room?
byAll Things Open
 
ERG as a Bridge: Driving Inclusion in Open Source
byAll Things Open
 
The Missing Link to Inclusion and Performance
byAll Things Open
 
Linux Command-line Tips and Tricks - ATO 2025
byAll Things Open
 
Supply Chain Robots, Electric Sheep, and SLSA
byAll Things Open
 
Everything You Need to Know About Running LLMs Locally
byAll Things Open
 
Agentic AI, Interoperability, and Automation: Lessons from the Past, Visions ...
byAll Things Open
 
Tech Hiring Is Not Dead - You Just Actually Have To Try
byAll Things Open
 
Agentic AI for Developers and Data Scientists Build an AI Agent in 10 Lines o...
byAll Things Open
 

Recently uploaded

PDF
Getting Started with Apache Spark: Big Data Made Simple [Free Meetup]
byHaim Michael
 
PPTX
Introduction to Industrial-Arts Grade 8 ppt Lesson 1
byFSBTLEDNathanVince
 
PDF
AI and Zero Trust: What it takes to do it right
byMark Simos
 
PDF
ICT500 - CRITICAL AND CREATIVE THINKING FOR INFORMATION TECHNOLOGY SOLUTIONS:...
by2024432452
 
PDF
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
PDF
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
PDF
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
PDF
React Mastery: Visual Mental Models to Understand React Deeply
byThomas Gaye
 
PDF
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
PPTX
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
PDF
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
PDF
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
PDF
How to build hackthon projects from ZERO!
byishantyadav1111
 
PDF
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 
PPTX
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
PDF
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 
PPTX
Cyber security chapter 1 for learning and educating to the students who want ...
byGulMohammadi
 
PDF
Build Next-Gen Spatial & Sensor Workflows: Secure, Scalable Processing in Sno...
bySafe Software
 
PDF
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 1
byDianaGray10
 
Getting Started with Apache Spark: Big Data Made Simple [Free Meetup]
byHaim Michael
 
Introduction to Industrial-Arts Grade 8 ppt Lesson 1
byFSBTLEDNathanVince
 
AI and Zero Trust: What it takes to do it right
byMark Simos
 
ICT500 - CRITICAL AND CREATIVE THINKING FOR INFORMATION TECHNOLOGY SOLUTIONS:...
by2024432452
 
EU regulations for the North American book supply chain - Tech Forum 2026
byBookNet Canada
 
Adapt.com Seed Fundraising Deck | The AI Computer for Business
byashley459565
 
Agentic-Document-Extraction-2026-Presentation.pdf
byTamanna
 
React Mastery: Visual Mental Models to Understand React Deeply
byThomas Gaye
 
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
TechSprint (SJBIT) 2025-26 Hackathon Winners & Awards Ceremony
bysuhasspgdg
 
"Painless Major Upgrade: A Strategy for Updating Large Codebases", Andrii Yat...
byFwdays
 
Computer-Based Training (CBT) The Backbone of Modern Technical & Defence Trai...
bycomputerbasedtrainin1
 
How to build hackthon projects from ZERO!
byishantyadav1111
 
When Drones Decide for Themselves_ Inside the Rise of Machine-Led Flight.pdf
byLyra Anderson
 
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 
Cyber security chapter 1 for learning and educating to the students who want ...
byGulMohammadi
 
Build Next-Gen Spatial & Sensor Workflows: Secure, Scalable Processing in Sno...
bySafe Software
 
Chapter 4 Network Security in computer security
byGetnet Tigabie Askale -(GM)
 
UiPath Automation Developer Associate Training Series 2026 - Session 1
byDianaGray10
 

An Introduction to PASETO Tokens

  • 1.
    @rdegges @oktadev PASETO Tokens AnIntroduction to platform agnostic security tokens
  • 2.
    @rdegges @oktadev Chief Hacker@okta python/js/go hacker builder open source author Hi, I'm Randall.
  • 3.
    @rdegges @oktadev What's PASETO? P { "id":"a5db284d-d22c-4a3d-b67e-60776fc24526", "email": "r@rdegges.com", "permissions": [ "download:file-a.mp4", "download:file-b.mp4", "download:file-c.mp4" ] } Randall Degges PASETOs are always authenticated.
  • 4.
    @rdegges @oktadev What arecryptographic signatures? Greetings, I am writing to inform you that you are the great grandson of a very wealthy king. I've been attempting to contact you to transfer your inheritance. Please send me your bank account details so I can initiate the transfer ASAP. Sincerely yours, Randall Degges I know who Randall is. I know what his signature looks like. I trust him. Therefore, I trust this information.
  • 5.
    @rdegges @oktadev What arePASETOs for? Proving that JSON data can be trusted. { "name": "Randall Degges", "height": "6'0", "eyeColor": "brown" } single-use only short duration P
  • 6.
    @rdegges @oktadev What doesa PASETO look like? P v2.public.eyJpZCI6ICJjNDQ1NDY1Mi05NWExLTQ2MzktODA0Y y0yZjc2MTVhNGMwMjciLCAibmFtZSI6ICJSYW5kYWxsIERlZ2dl cyIsICJleHAiOiAiMjAxOS0xMC0xMFQxMTowNDozNS0wNzowMCJ 9rUy35ian_44WAlMLVi5Wk4GGvDlmCpEWkldn1CH3RgLfo-VUWm xC9EPTBY8l0uoomavACbAIoo1OiGVNMew1Bw.eyJraWQiOiAiMT IzNDUifQbase64-encoded URL safe!
  • 7.
    @rdegges @oktadev What doesa PASETO look like? P v2.public.eyJpZCI6ICJjNDQ1NDY1Mi05NWExLTQ2MzktODA0Y y0yZjc2MTVhNGMwMjciLCAibmFtZSI6ICJSYW5kYWxsIERlZ2dl cyIsICJleHAiOiAiMjAxOS0xMC0xMFQxMTowNDozNS0wNzowMCJ 9rUy35ian_44WAlMLVi5Wk4GGvDlmCpEWkldn1CH3RgLfo-VUWm xC9EPTBY8l0uoomavACbAIoo1OiGVNMew1Bw.eyJraWQiOiAiMT IzNDUifQ version
  • 8.
    @rdegges @oktadev What doesa PASETO look like? P v2.public.eyJpZCI6ICJjNDQ1NDY1Mi05NWExLTQ2MzktODA0Y y0yZjc2MTVhNGMwMjciLCAibmFtZSI6ICJSYW5kYWxsIERlZ2dl cyIsICJleHAiOiAiMjAxOS0xMC0xMFQxMTowNDozNS0wNzowMCJ 9rUy35ian_44WAlMLVi5Wk4GGvDlmCpEWkldn1CH3RgLfo-VUWm xC9EPTBY8l0uoomavACbAIoo1OiGVNMew1Bw.eyJraWQiOiAiMT IzNDUifQ version purpose
  • 9.
    @rdegges @oktadev What doesa PASETO look like? P v2.public.eyJpZCI6ICJjNDQ1NDY1Mi05NWExLTQ2MzktODA0Y y0yZjc2MTVhNGMwMjciLCAibmFtZSI6ICJSYW5kYWxsIERlZ2dl cyIsICJleHAiOiAiMjAxOS0xMC0xMFQxMTowNDozNS0wNzowMCJ 9rUy35ian_44WAlMLVi5Wk4GGvDlmCpEWkldn1CH3RgLfo-VUWm xC9EPTBY8l0uoomavACbAIoo1OiGVNMew1Bw.eyJraWQiOiAiMT IzNDUifQ version purpose payload
  • 10.
    @rdegges @oktadev What doesa PASETO look like? P v2.public.eyJpZCI6ICJjNDQ1NDY1Mi05NWExLTQ2MzktODA0Y y0yZjc2MTVhNGMwMjciLCAibmFtZSI6ICJSYW5kYWxsIERlZ2dl cyIsICJleHAiOiAiMjAxOS0xMC0xMFQxMTowNDozNS0wNzowMCJ 9rUy35ian_44WAlMLVi5Wk4GGvDlmCpEWkldn1CH3RgLfo-VUWm xC9EPTBY8l0uoomavACbAIoo1OiGVNMew1Bw.eyJraWQiOiAiMT IzNDUifQ version purpose payload footer
  • 11.
    @rdegges @oktadev What's insidea PASETO? P { "id": "a5db284d-d22c-4a3d-b67e-60776fc24526", "email": "r@rdegges.com", "permissions": [ "download:file-a.mp4", "download:file-b.mp4", "download:file-c.mp4" ] } claims
  • 12.
    @rdegges @oktadev key nametype example iss Issuer string {"iss": "okta.com"} sub Subject string {"sub": "test"} aud Audience string {"aud": "okta.com"} exp Expiration DateTime {"exp": "2019-10-31T00:00:00+00:00"} nbf Not Before DateTime {"nbf": "2019-10-31T00:00:00+00:00"} iat Issued At DateTime {"iat": "2019-10-31T00:00:00+00:00"} jti Token ID string {"jti": "ac478bc0-c73a-4a2c-8f00-186456cf8d88") kid Key-ID string {"kid": "stored in footer"} Who created the token? When does the token expire? When was the token created?
  • 13.
    @rdegges @oktadev What arethe different types of PASETOs? P P local public symmetric shared key simple asymmetricpublic key complicated encrypted not encrypted
  • 14.
    @rdegges @oktadev How dolocal PASETOs work? v2.local.vB7daJlQOL5sY8mQa_FWb6ZYbkNi8yeRqI-DCFNEPTYEu7ItQH MMM5jzD_fw-G7l-AXJRBj3E9jxx9-JS5eG436WGUn03zYp2nuV3PVqppEyR P9LoZ1TTBREhR182NRcNYqUkM8FfazWegWcLc1gSzFXx0Kge4U7XHtAlliT rR8p09hH6qVpqAsgMdp00ao66JX_mxlEjkL3y784CoAK-gyy_ZZ1WzAvYAj QApl859RxnB9uLMpb-VURmetmrw9sC_Iw27to46ulTcMxx_KoSBem9eSG5M 4bvNQC5YFeDLIM2HXDf35YIo50.eyJraWQiOiAiMTIzNDUifQ secret_key { json } fuck The secret_key is needed to both encrypt and decrypt the PASETO.
  • 15.
    @rdegges @oktadev How doI use local PASETOs? www. P secret_key dl. { "purchaseID": "1234567", "permissions": [ "download:video1.mp4", "download:video2.mp4", "download:video3.mp4" ] } ?token=v2.local.xxx& file=video1.mp4 - Parse URL params - Decrypt token - Verify purchaseID - Verify permissions - Stream file to user video1.mp4 I want to download video1.mp4. secret_key - Validate request - Generate PASETO - Redirect
  • 16.
    @rdegges @oktadev How dopublic PASETOs work? v2.public.vB7daJlQOL5sY8mQa_FWb6ZYbkNi8yeRqI-DCFNEPTYEu7ItQ HMMM5jzD_fw-G7l-AXJRBj3E9jxx9-JS5eG436WGUn03zYp2nuV3PVqppEy RP9LoZ1TTBREhR182NRcNYqUkM8FfazWegWcLc1gSzFXx0Kge4U7XHtAlli TrR8p09hH6qVpqAsgMdp00ao66JX_mxlEjkL3y784CoAK-gyy_ZZ1WzAvYA jQApl859RxnB9uLMpb-VURmetmrw9sC_Iw27to46ulTcMxx_KoSBem9eSG5 M4bvNQC5YFeDLIM2HXDf35YIo50.eyJraWQiOiAiMTIzNDUifQ private key { json } I can see the data. The private key is needed to create the PASETO. The public key is need to validate the PASETO. public key
  • 17.
    @rdegges @oktadev How doI use public PASETOs? website P public_key authorization server private_key public_key { "userID": "1234567" } I'd like to log in. - Authenticate the user - Generate a PASETO - Redirect the user back to the website ?token=v2.public.xxx - Parse the token out of the URL - Validate the token - Create a secure session using server-side session management
  • 18.
    @rdegges @oktadev Why arePASETOs better than JWTs?
  • 19.
    @rdegges @oktadev What's wrongwith JWTs? Allows poor cryptography choices - RSA w/ PKCS #1v1.5 padding - RSA w/ OAEP Padding - Elliptic Curve Diffie-Hellman (ECDH) using Weierstrass curves - AES-GCM They're widely misused. Force implementations to strictly process the alg header. This causes forgery issues. Vulnerable to a padding oracle attack. Cryptographers recommend migrating away from RSA. Introduces risk of invalid-curve attacks that allow attackers to steal your secret keys. This is the wrong type of cryptography entirely. Using symmetric encryption when asymetric is needed.
  • 20.
    @rdegges @oktadev Try PASETO! Ppaseto.io read the RFC find developer libraries discover articles
  • 21.