YouTube

JWTs - Patterns and Anti-patterns in Authentication

LASCON via YouTube

Overview

Explore patterns and anti-patterns of JSON Web Tokens (JWTs) in this 33-minute conference talk from LASCON. Delve beyond basic JWT concepts to examine various use cases, including stateless tokens, server-side sessions, and service-to-service authentication. Learn about potential pitfalls such as weak HMAC secrets, lack of revocation mechanisms, and fragile key rotation. Discover alternatives like macaroons and gain insights on when to avoid using JWTs for sessions. Understand best practices for implementing JWTs securely, including the use of trusted libraries and registered claims.

Syllabus

Intro
Speaker: David Gilman
HTTP Cookie
Stateless Tokens
Server Side Session
Clifford Stoll's Chocolate Chip Cookie Recipe
Trying to be Everything to Everybody
JWTs as Sessions
Attaching with JavaScript
Weak HMAC Secrets
No Revocation
No Expiration
Database for Revocation
Refresh + Access Tokens
Fragile Built-In Signing Key Rotation
Fully Stateful
Multiple Overlapping Implementations
Service 2 Service Auth
Shared Token
Auth Service
Revocation via Cache
Hardcoded Algorithm
Use Alternatives
Use Trusted Libraries
Registered Claims
Macaroons Paper
Stop Using JWT for Sessions

Taught by

LASCON
