
JWTs in Java for CSRF and Microservices

Slides from the webinar by Micah Silverman, Stormpath Developer Evangelist, on using JWTs to protect against CSRF and to secure communications between microservices. Micah shows how JWTs can secure web applications built with Java and protect them from 'unsafe' clients.



  3. Diagram: Your Applications (each with an Application SDK); User Data; User Workflows; ID Integrations: Google ID, Facebook, Active Directory, SAML
  4. Signature Computation Pseudo-code:
     encodedSecret = "4pE8z3PBoHjnV1AhvGk+e8h2p+ShZpOnpr8cwHmMh1w="
     computeHMACSHA256( header + "." + payload, base64DecodeToByteArray(encodedSecret) )
  5. Short but not Sweet:
     .signWith( SignatureAlgorithm.HS256, "secret".getBytes("UTF-8") )
  6. You're Doing it Wrong:
     String b64EncodedSecret = "Yn2kjibddFAWtnPJ2AFlL8WXmohJMCvigQggaEypa5E=";
     .signWith( SignatureAlgorithm.HS256, b64EncodedSecret.getBytes("UTF-8") )
  7. Supersize that Secret!
     String b64EncodedSecret = "Yn2kjibddFAWtnPJ2AFlL8WXmohJMCvigQggaEypa5E=";
     .signWith( SignatureAlgorithm.HS512, TextCodec.BASE64.decode(b64EncodedSecret) )
  8. Diagram: AuthenticationService, AuthorizationService, ApplicationService, OrganizationService, DirectoryService, AccountService, GroupService, all on a shared Database Infrastructure
  9. Diagram: Database Infrastructure; GroupService and AccountService; AuthenticationService, AuthorizationService, ApplicationService, OrganizationService, DirectoryService
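The point of slides 4 to 7 is that the HMAC key is the 32 bytes you get by base64-decoding the stored secret, not the ASCII text of the base64 string and not a short literal like "secret". The following Java program is an added example, not code from the webinar or from JJWT: it implements slide 4's pseudo-code with only the JDK's javax.crypto classes, signs the same payload with each of the three key choices, and applies the RFC 7518 section 3.2 rule that an HMAC key must be at least as long as the hash output (which the slide's 32-byte secret satisfies for HS256 but not for HS512). The secret and payload are constructed sample values.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class JwtSecretDemo {
    // Constructed sample: 32 random bytes stored base64-encoded, as on slides 4 and 6.
    static final String B64_SECRET = "4pE8z3PBoHjnV1AhvGk+e8h2p+ShZpOnpr8cwHmMh1w=";

    // RFC 7518 section 3.2: HMAC key length must be >= hash output length.
    static int minKeyBytes(String alg) { return alg.equals("HS512") ? 64 : 32; }

    static boolean keyLongEnough(byte[] key, String alg) { return key.length >= minKeyBytes(alg); }

    // Slide 4's pseudo-code: HMAC over base64url(header) + "." + base64url(payload),
    // keyed with the raw key bytes; returns the compact JWS header.payload.signature.
    static String sign(String payloadJson, byte[] keyBytes, String alg) throws Exception {
        String hmacAlg = alg.equals("HS512") ? "HmacSHA512" : "HmacSHA256";
        Mac mac = Mac.getInstance(hmacAlg);
        mac.init(new SecretKeySpec(keyBytes, hmacAlg));
        Base64.Encoder url = Base64.getUrlEncoder().withoutPadding();
        String header = "{\"alg\":\"" + alg + "\",\"typ\":\"JWT\"}";
        String signingInput = url.encodeToString(header.getBytes(StandardCharsets.UTF_8))
                + "." + url.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        byte[] sig = mac.doFinal(signingInput.getBytes(StandardCharsets.UTF_8));
        return signingInput + "." + url.encodeToString(sig);
    }

    public static void main(String[] args) throws Exception {
        String payload = "{\"sub\":\"alice\"}"; // constructed sample claims

        byte[] tooShort = "secret".getBytes(StandardCharsets.UTF_8);        // slide 5: six bytes of text
        byte[] textBytes = B64_SECRET.getBytes(StandardCharsets.UTF_8);     // slide 6: the base64 text itself
        byte[] decoded = Base64.getDecoder().decode(B64_SECRET);            // slide 7: the real key bytes

        System.out.println("\"secret\"     : " + tooShort.length + " bytes, HS256 ok? " + keyLongEnough(tooShort, "HS256"));
        System.out.println("base64 text  : " + textBytes.length + " bytes (not the generated key material)");
        System.out.println("decoded key  : " + decoded.length + " bytes, HS256 ok? " + keyLongEnough(decoded, "HS256")
                + ", HS512 ok? " + keyLongEnough(decoded, "HS512"));

        // Same header and payload, different key material: a service that decodes the
        // secret (slide 7) will reject every token minted with the text bytes (slide 6).
        String signedWithText = sign(payload, textBytes, "HS256");
        String signedWithKey = sign(payload, decoded, "HS256");
        System.out.println("signatures equal? " + signedWithText.equals(signedWithKey));
    }
}
```

Compile and run with `javac JwtSecretDemo.java && java JwtSecretDemo`; the key-length check is the condition later JJWT releases enforce themselves, so applying it before choosing HS512 avoids a surprise when the library is upgraded.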
