Overview
Explore the potential pitfalls of adding business logic to tokens in this 48-minute conference talk from NDC Conferences. Learn the difference between ID tokens (issued for the client application) and access tokens (issued for the API), and understand the risks of loading either with claims that carry business logic. Discover the limitations and security concerns that arise from overloading tokens with information the API does not need to authorise a request. Follow the journey of the "Lost Puppy Project" to gain insight into best practices for token management. Examine the process of creating an Identity Server, testing the API, and validating tokens. Delve into practical issues such as browser cookie size limits, Kong gateway constraints, and the challenges of undocumented endpoints. Gain valuable knowledge on balancing convenience and security when working with tokens in identity management systems.
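The following is an added example, not code from the talk or from the Lost Puppy Project, illustrating the size problem the overview describes: a lean access token carrying only what the API needs fits in a cookie, while the same token stuffed with per-shelter business-logic claims blows past the 4096-byte per-cookie minimum from RFC 6265 and has to be split across several cookies. The issuer URL, audience, claim names, shelter data and HMAC key are all constructed for the demo, and the chunk naming (`name-1`, `name-2`, ...) is this example's own scheme, loosely modelled on chunking cookie managers rather than copied from any library.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real identity server uses a managed secret or an RSA/EC key pair.
DEMO_KEY = b"demo-hs256-key-not-for-production"

# RFC 6265 requires user agents to support at least 4096 bytes per cookie (name=value).
MAX_COOKIE_BYTES = 4096


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Serialise claims as an HS256-signed compact JWT using only the standard library."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, key: bytes = DEMO_KEY, now=None) -> dict:
    """Validate algorithm, signature and (optionally) expiry; return the claims."""
    signing_input, _, sig = token.rpartition(".")
    header_b64, payload_b64 = signing_input.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # refuse alg confusion, e.g. 'none'
    expected = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if now is not None and claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def lean_access_token_claims(now: int) -> dict:
    """Only what the API needs to authorise a call: issuer, subject, audience, scope, lifetime."""
    return {
        "iss": "https://idp.example.test",  # assumed issuer for the demo
        "sub": "user-123",
        "aud": "puppy-api",
        "scope": "puppies.read puppies.write",
        "iat": now,
        "exp": now + 900,
    }


def overloaded_access_token_claims(now: int, n_shelters: int = 80) -> dict:
    """The same token with business data stuffed in: profile plus per-shelter permissions."""
    claims = lean_access_token_claims(now)
    claims.update({
        "given_name": "Linda", "family_name": "Example", "email": "linda@example.test",
        "shelters": [  # constructed sample data standing in for business-logic claims
            {"id": f"shelter-{i:04d}", "name": f"Shelter {i}", "role": "volunteer",
             "permissions": ["view_puppies", "edit_puppies", "adopt", "report"]}
            for i in range(n_shelters)
        ],
    })
    return claims


def token_fits_cookie(token: str, name: str = "access_token", limit: int = MAX_COOKIE_BYTES) -> bool:
    return len(name) + 1 + len(token) <= limit


def cookie_chunks(name: str, value: str, limit: int = MAX_COOKIE_BYTES) -> dict:
    """Split an oversized value across numbered cookies so each 'name=value' fits the limit.
    The base cookie records the chunk count; chunks are name-1 .. name-N (demo naming)."""
    if len(name) + 1 + len(value) <= limit:
        return {name: value}
    budget = limit - len(name) - len("-NN=")  # leave room for the chunk suffix and '='
    parts = [value[i:i + budget] for i in range(0, len(value), budget)]
    out = {name: f"chunks-{len(parts)}"}
    for i, part in enumerate(parts, start=1):
        out[f"{name}-{i}"] = part
    return out


def reassemble(name: str, cookies: dict) -> str:
    """Inverse of cookie_chunks: rebuild the token from the base cookie and its chunks."""
    head = cookies[name]
    if not head.startswith("chunks-"):
        return head
    n = int(head[len("chunks-"):])
    return "".join(cookies[f"{name}-{i}"] for i in range(1, n + 1))


if __name__ == "__main__":
    now = 1_700_000_000
    lean = mint_jwt(lean_access_token_claims(now))
    big = mint_jwt(overloaded_access_token_claims(now))
    print(len(lean), token_fits_cookie(lean))
    print(len(big), token_fits_cookie(big), len(cookie_chunks("access_token", big)) - 1, "chunks")
```

Every extra chunk is another cookie the browser attaches to every request and another header the gateway has to accept, so the fix the talk argues for is not a cleverer chunker but keeping business-logic claims out of the token and letting the API look them up by subject.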
Syllabus
Introduction
About Linda
Lost Puppy Project
Key Tips
Basic Access Token
What happened when I took over
Picking a token
Reading the RFC
Token Scopes
Creating an Identity Server
Testing API
What could possibly go wrong
Application ID
API
Security Token Validator
Cookies
Max cookie size
Cookie Chunky Manager
Kong has limits
Kong has a big head
We can't get rid of them
Kong error fix
Removing the token
Why was this a problem
Two minds
Undocumented endpoints
Time
Story
Why do we have 14-day access tokens
Recap
Love your puppy project
Lunch
Taught by
NDC Conferences