Syllabus
Intro
Speaker: David Gilman
HTTP Cookie
Stateless Tokens
Server Side Session
Clifford Stoll's Chocolate Chip Cookie Recipe
Trying to be Everything to Everybody
JWTs as Sessions
Attaching with JavaScript
Weak HMAC Secrets
No Revocation
No Expiration
Database for Revocation
Refresh + Access Tokens
Fragile Built-In Signing Key Rotation
Fully Stateful
Multiple Overlapping Implementations
Service 2 Service Auth
Shared Token
Auth Service
Revocation via Cache
Hardcoded Algorithm
Use Alternatives
Use Trusted Libraries
Registered Claims
Macaroons Paper
Stop Using JWT for Sessions
Taught by
LASCON