JWTs for CSRF and Microservices
Transcript of JWTs for CSRF and Microservices
![Page 1: JWTs for CSRF and Microservices](https://reader035.fdocuments.us/reader035/viewer/2022062400/587821cc1a28aba12d8b6a3d/html5/thumbnails/1.jpg)
JWTs for CSRF and Microservices
![Page 2: JWTs for CSRF and Microservices](https://reader035.fdocuments.us/reader035/viewer/2022062400/587821cc1a28aba12d8b6a3d/html5/thumbnails/2.jpg)
Welcome!
• Agenda
  ○ Stormpath 101 (5 mins)
  ○ JWT with CSRF & Microservices (40 mins)
  ○ Q&A (15 mins)
• Claire Hunsaker, VP of Marketing
• Micah Silverman, Java Developer Evangelist
![Page 3: JWTs for CSRF and Microservices](https://reader035.fdocuments.us/reader035/viewer/2022062400/587821cc1a28aba12d8b6a3d/html5/thumbnails/3.jpg)
Speed to Market & Cost Reduction
• Complete Identity solution out-of-the-box
• Security best practices and updates by default
• Clean & elegant API/SDKs
• Little to code, no maintenance
![Page 4: JWTs for CSRF and Microservices](https://reader035.fdocuments.us/reader035/viewer/2022062400/587821cc1a28aba12d8b6a3d/html5/thumbnails/4.jpg)
Stormpath User Management (architecture diagram)
• User Data
• User Workflows
• ID Integrations: Google ID, Active Directory, SAML
• Your Applications, each talking to Stormpath through an Application SDK
![Page 5: JWTs for CSRF and Microservices](https://reader035.fdocuments.us/reader035/viewer/2022062400/587821cc1a28aba12d8b6a3d/html5/thumbnails/5.jpg)
Let’s talk about CSRF!
![Page 6: JWTs for CSRF and Microservices](https://reader035.fdocuments.us/reader035/viewer/2022062400/587821cc1a28aba12d8b6a3d/html5/thumbnails/6.jpg)
Signature Computation Pseudo-code

```text
encodedSecret =
  "4pE8z3PBoHjnV1AhvGk+e8h2p+ShZpOnpr8cwHmMh1w="

signature = computeHMACSHA256(
  header + "." + payload,                  // signing input: the two base64url-encoded segments
  base64DecodeToByteArray(encodedSecret)   // key: the decoded bytes, not the Base64 text itself
)
```
![Page 7: JWTs for CSRF and Microservices](https://reader035.fdocuments.us/reader035/viewer/2022062400/587821cc1a28aba12d8b6a3d/html5/thumbnails/7.jpg)
JWTSecret Anti-Patterns
![Page 8: JWTs for CSRF and Microservices](https://reader035.fdocuments.us/reader035/viewer/2022062400/587821cc1a28aba12d8b6a3d/html5/thumbnails/8.jpg)
Short but not Sweet

```java
// Anti-pattern: a six-byte key for HS256, which needs at least 256 bits (32 bytes) of key
.signWith( SignatureAlgorithm.HS256, "secret".getBytes("UTF-8") )
```
![Page 9: JWTs for CSRF and Microservices](https://reader035.fdocuments.us/reader035/viewer/2022062400/587821cc1a28aba12d8b6a3d/html5/thumbnails/9.jpg)
You’re Doing it Wrong

```java
String b64EncodedSecret = "Yn2kjibddFAWtnPJ2AFlL8WXmohJMCvigQggaEypa5E=";
// Anti-pattern: the key is the 44 UTF-8 bytes of the Base64 text, not the 32 random bytes it encodes
.signWith(
    SignatureAlgorithm.HS256,
    b64EncodedSecret.getBytes("UTF-8")
)
```
![Page 10: JWTs for CSRF and Microservices](https://reader035.fdocuments.us/reader035/viewer/2022062400/587821cc1a28aba12d8b6a3d/html5/thumbnails/10.jpg)
Supersize that Secret!

```java
String b64EncodedSecret = "Yn2kjibddFAWtnPJ2AFlL8WXmohJMCvigQggaEypa5E=";
// Decode the Base64 text so the HMAC key is the underlying random bytes.
// Note: this secret decodes to 32 bytes; RFC 7518 requires at least 64 bytes for HS512,
// and newer JJWT releases reject shorter keys, so generate a 512-bit secret for HS512.
.signWith(
    SignatureAlgorithm.HS512,
    TextCodec.BASE64.decode(b64EncodedSecret)
)
```
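To make the pseudo-code slide and the three secret slides above concrete, here is an added Python example (not code from the deck or from JJWT, which is Java). It computes the HS256/HS512 signature exactly as the pseudo-code describes, builds the key the three ways the slides show, checks each against the RFC 7518 minimum key length, and verifies tokens with the algorithm pinned on the verifier side. The Base64 secret is the one on the pseudo-code slide; the claims, the key names and the 64-byte HS512 key generation are assumptions made here.

```python
"""HS256/HS512 JWT signing and the three secret-handling variants from the slides.

Added example for this transcript; not code from the deck or from JJWT.
The Base64 secret string is the one on the pseudo-code slide; the claims,
key names and the HS512 key generation are assumptions made here.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

HASHES = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

# RFC 7518 section 3.2: the HMAC key MUST be at least as long as the hash output.
MIN_KEY_BYTES = {"HS256": 32, "HS384": 48, "HS512": 64}

# Secret from the "Signature Computation Pseudo-code" slide, copied verbatim.
ENCODED_SECRET = "4pE8z3PBoHjnV1AhvGk+e8h2p+ShZpOnpr8cwHmMh1w="

# The three ways the slides turn a secret into an HMAC key (names assumed here).
KEY_SHORT = "secret".encode("utf-8")            # "Short but not Sweet": 6 bytes
KEY_UNDECODED = ENCODED_SECRET.encode("utf-8")  # "You're Doing it Wrong": 44 ASCII bytes of Base64 text
KEY_DECODED = base64.b64decode(ENCODED_SECRET)  # "Supersize that Secret!": the 32 random bytes


def fresh_hs512_key() -> bytes:
    """Constructed here: HS512 needs a 64-byte key, so generate one instead of reusing a 256-bit secret."""
    return secrets.token_bytes(64)


def key_is_strong_enough(key: bytes, alg: str) -> bool:
    """The length check RFC 7518 mandates. Note that KEY_UNDECODED passes it: the problem
    with that key is not length but that it is not the secret that was generated, so any
    service that decodes the same configured secret computes a different HMAC."""
    return len(key) >= MIN_KEY_BYTES[alg]


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """The slide's pseudo-code: signature = HMAC(key, header + "." + payload)."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, HASHES[alg]).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify(token: str, key: bytes, alg: str = "HS256") -> Optional[dict]:
    """Recompute the HMAC with the algorithm the verifier expects (never the one named
    in the untrusted header) and compare in constant time.
    Returns the claims on success, None on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, signature = parts
    try:
        header_obj = json.loads(b64url_decode(header))
        if not isinstance(header_obj, dict) or header_obj.get("alg") != alg:
            return None
        expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), HASHES[alg]).digest()
        if not hmac.compare_digest(b64url_encode(expected).encode("ascii"), signature.encode("utf-8")):
            return None
        claims = json.loads(b64url_decode(payload))
    except ValueError:  # bad Base64, bad UTF-8 or bad JSON in any segment
        return None
    return claims if isinstance(claims, dict) else None


if __name__ == "__main__":
    for name, key in (("short", KEY_SHORT), ("undecoded", KEY_UNDECODED), ("decoded", KEY_DECODED)):
        print(f"{name:9s} {len(key):2d} bytes, strong enough for HS256: {key_is_strong_enough(key, 'HS256')}")
    token = sign({"sub": "alice"}, KEY_DECODED)
    print("verifies with decoded key:  ", verify(token, KEY_DECODED))
    print("verifies with undecoded key:", verify(token, KEY_UNDECODED))
```

Run it directly to print the three key lengths and a verification with the decoded and undecoded keys. The undecoded key passes the length check yet fails interoperability: a token signed with the 44 Base64 bytes does not verify in a service that decodes the same configured secret, which is the mismatch the "You're Doing it Wrong" slide points at.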
![Page 11: JWTs for CSRF and Microservices](https://reader035.fdocuments.us/reader035/viewer/2022062400/587821cc1a28aba12d8b6a3d/html5/thumbnails/11.jpg)
"Microservices are awesome, but they're not free."
- Les Hazlewood, Stormpath CTO
![Page 12: JWTs for CSRF and Microservices](https://reader035.fdocuments.us/reader035/viewer/2022062400/587821cc1a28aba12d8b6a3d/html5/thumbnails/12.jpg)
Monolithic SOA (architecture diagram)
• Authentication Service, Authorization Service, Application Service
• Organization Service, Directory Service, Account Service, Group Service
• Database / Infrastructure
![Page 13: JWTs for CSRF and Microservices](https://reader035.fdocuments.us/reader035/viewer/2022062400/587821cc1a28aba12d8b6a3d/html5/thumbnails/13.jpg)
Microservices (architecture diagram)
• Authentication Service, Authorization Service
• Application Service, Organization Service, Directory Service
• Group Service, Account Service
• Database / Infrastructure
![Page 14: JWTs for CSRF and Microservices](https://reader035.fdocuments.us/reader035/viewer/2022062400/587821cc1a28aba12d8b6a3d/html5/thumbnails/14.jpg)
Resources
• Repos used in today’s preso:
  ○ github.com/jwtk/jjwt
  ○ github.com/stormpath/roadstorm-jwt-csrf-tutorial
  ○ github.com/stormpath/roadstorm-jwt-microservices-tutorial
• JJWT Guest Post on Baeldung - bit.ly/29ZPZAd
• Stormpath Microservices Screencast - bit.ly/29Wi6iw
• JWT Inspector - jwtinspector.io
• HTTPie - github.com/jkbrzt/httpie
• What are Microservices?
  ○ martinfowler.com/articles/microservices.html
• @afitnerd @goStormpath