Stateless with JWT - JSON Web Token

Devoxx via YouTube

Overview

Explore the advantages of JSON Web Tokens (JWTs) in modern REST architectures through this comprehensive conference talk. Discover how JWTs offer a simpler, fully stateless, and easily scalable approach to session management, eliminating the need for server-side session storage and cluster replication. Learn about the inner workings of JWTs, proper client session handling between browser and server, and additional use cases. Examine the pros and cons of this technology while gaining insights into implementing JWTs in various scenarios, including API gateways and multipart forms. Delve into security considerations such as symmetric signatures, cross-site scripting attacks, and CSRF protection. Gain valuable knowledge on token management, including rotation of private keys, token identifiers, and expiration times.

Syllabus

Intro
My first computer
Small Elk
Code
HTTP Cookies
Recap
Session IDs
Problems with Session IDs
What did we do
The problem
RFC 7519
JWT vs Session ID
Token by Reference
What does it look like
Example
Symmetric signature
Both
OpenID
Blacklist
Cross-site scripting attacks
CSRF attack
How does it work
How to use it
Multipart forms
API Gateway
Conclusion
Limitations
Rotating private keys
Token identifier
Expiration time

Taught by

Devoxx
