An excellent architectural overview of the options available for API authentication, that really explains why each scheme is better or worse than the others. Essential viewing for API architects.

It's rare that I put something on my "Liked videos" _and_ "Watch later" (again) list. This talk is one of them. 👌

I think that OAuth2 was made to solve the problem of delegating the authorization to a third part. But using it to make authorization on your own REST API is an overkill in my opinion.

yes but the point for OAuth2 originally was that the token was communicated through back channel between the web server and the resource server so it's harder for man-in-the-middle attack on the end user. OAuth2 was about authorisation. What you described as "just another fancy password" is actually Open ID Connect, which is built on top (retrofitted) of OAuth2, plus the implicit flow - which is not the usual OAuth2 flow.

This video is very interesting. I will have to watch it twice to fully understand all the implication of each technology. Thank you David Blevins.

Great explaination. Cleared all the queries.

Great talk... hats off! And the repetition does play a key role, because this needs to be emphasised.

2 minutes in and i already love the guy

I like David is so honest.

Very good Overview. Thanks !

thank you for including the part about JWT being pronounced "JOT!"

great video!!

Please explain where 0.55 TPS came from 32:21? 1000 users refresh their tokens once per hour (3600 seconds) = 0.27 TPS for refresh. 0.55 TPS would be in case of 30 minutes tokens expiration period (30 min * 60 = 1800 seconds)

33:40 hidden easter egg : *No Way Jose!* :D Who else noticed?

Amazing speech... it's like rest security is looking more like ssh

But where would one store current existing key_ids in a stateless system ? A common caching layer / server containing these keys would still be a bottleneck, albeit, a fast one. Would it be unsafe to encrypt the access token and pass the key within it ?

Great talk, it transpires that you know what you are talking about and you explained it very clearly

very good clear presentation.

Nice talk! Helped me a lot!

Great talk!!!

Excellent, I got it now

Excellent talk! Thanks a lot!

Great Talk. I've heard it live in Cologne and it improved my understanding of what to implement in which situation. Thanks a lot!

Best talk on REST security!!

This guy is hilarious. Great talk.

I am not getting how is 15000 TPS at LDAP ? Can anybody explain please ?

Very nice talk. Just one question: How would you handle the case that the JWT data gets too big to be sent on every request?

Excellent, but I have question... What if the token is stolen and issued from wrong origin?

Thank you !!

Excellent insight.. Pls share the slides..

At 16:18 just thinking that a username-password pair at least has a lookup based on the username and is stored as a hash on the server. Session IDs / tokens just rely on being random enough but I think they're not stored as securely on the server. Password logins should have at least some sort of a brute forcing prevention scheme in place like rate limiting, but then again rate limiting in a load balanced and distributed system would require a shared resource to do that. In the end the user agent is just sending in a bunch of bytes and the services are checking that against a table either raw or hashed. Some systems require the client to first fetch what is effectively a salt tied to the session they get at the same time and then send a hashed version of the password and username or whatever sequence of bytes they need to send in order to be authenticated. But like David says there only a limited number of ingredients here that people mix in order to try to secure things.

A fantastic talk. thanks!

This seems like a great lecture that I've made a point to come back to after several months. In terms of state, though, wouldn't a 'revocation' list for refresh tokens cause some state distribution and keeping?

I use node js crypto to encrypt and decrpt a json payload containing the user details. I don't know I'm probably the only one doing that lol. But I really need to know if this is vulnerable. Got sick and tired of the cumbersome npm modules with a Chunk of unnecessary code and a bunch of other npm modules. I mean bcrypt somes with some 40 node modules. LoL what? This is to hash a password? I think node js inbuilt crypto module handles that pretty easily.

If you've re-invented the wheel, you invented the wheel!

Great speech! very nice solution!

Great talk, learned a lot from it, thank you! :)

Excellent talk ... we need more presenters calling out BS on "new" techs which are 80% rehash of previous techs and provide little to no benefit to the end users. 'JWT = Cookie' lols awesome.

Man.. Such a great meat, but the rest of the 85% was a huge broken record player of rants. This probably could've covered the full content in 20 minutes instead

"Token sounds more official" XD

Your voice is like Mark Zuckerberg

Just merge and consolidate all the crap into one standard. WC3 needs an annual merge review to stop tech diarrhea.

Use Soap. It has security built in.