The Parts of JWT Security Nobody Talks About | Philippe De Ryck, Google Developer Expert
Рет қаралды 36,947
Күн бұрынJoin the "Full Stack Developers Israel" future meetups @ www.meetup.com/full-stack-deve...
JSON Web Tokens (JWT) have become the de facto standard to transfer application claims between the client and the server. By design, they incorporate the use of signatures to ensure the integrity of the data. However, merely signing the data alone is not enough to guarantee security.
In this talk, we zoom into the security properties of JWTs. After introducing the different signature schemes, we dive into the hard parts nobody talks about. How do you manage and identify the keys used for the signature? How do you handle key rotation? And what about encrypting JWTs? This talk answers all these questions. You will walk away with a set of best practices for adequately securing JWTs.
Philippe De Ryck is the founder of Pragmatic Web Security, where he travels the world to train developers on web security and security engineering. He holds a Ph.D. in web security from KU Leuven. Google recognizes Philippe as a Google Developer Expert for his knowledge of web security and security in Angular applications.
video production: מדיה'לה | Mediale
@hnasr 4 жыл бұрын
My god I learn so much from this talk! Loads of information and the presenter is knowledgeable!
@gjuoun 4 жыл бұрын
Unbelievable! I followed after watched your JWT crash course!
@prashanttiwari120 3 жыл бұрын
Hi Hussie, great to see your comment here
@philippec4448 2 жыл бұрын
You here, how am I not surprised !? By the way I really enjoy your videos, I’ve learned so much from them. Keep up the good work !
@hectormejia499 3 жыл бұрын
Holy crap, JWTs are insanely complex, very good talk! Also scares me that this is the defacto method for "simple and secure" authentication in most APIs.
@Deebool 4 жыл бұрын
Very clear and detailed yet concise. Thanks you very much!
@CodeDoctorJet 4 жыл бұрын
Excellent preso. As AppSec professionals we need these kinds of prescriptive information for our developers. I'll definitely be sharing the cheat sheet and recommending more use of things like key IDs rather than just basic jwt sharing. Good stuff.
@dmytroshchotkin2939 4 жыл бұрын
Thanks, SIr. It's a very good explanation! Indeed, very clear!
@Pownas89 2 жыл бұрын
Still a Really good talk where I’ve learned a lot and got a lot of the info confirmed from what others haven’t explained fully. Thanks for a good informative video! 😊
@dsebastien 5 жыл бұрын
Great presentation, thanks for sharing!
@robertodiana5821 4 жыл бұрын
the title maintains the promises
@manojlasantha8499 3 жыл бұрын
Great talk ! I learnt a lot from the talk.
@philippec4448 2 жыл бұрын
Awesome video ! So much to take from it. Thx for sharing it.
@amitparks 3 жыл бұрын
One of the best on JWT , JWS...
@MosheEshel 3 жыл бұрын
Excellent talk, I learned a lot of new things.
@stokitko 2 жыл бұрын
Thanks, you refined a lot for me. Guess what, I made an error when during validation of JWT doesn't checked an issuer with expected. It's funny because I had a hesitation to check it but was too busy by implementing sig verification. Thank you again, you saved billions (I hope) of my future users :)
@ILyaCyclone 3 жыл бұрын
Superb talk, sir!
@KunalMukherjee3701 3 жыл бұрын
Excellent power packed talk
@tommasoborgato 3 жыл бұрын
Great talk .... learned a lot of new stuff
@HenrryPires 3 жыл бұрын
Thanks, amazing talk
@liferajib 3 жыл бұрын
Best talk on JWT
@codefarm0 3 жыл бұрын
Super awesome. Tons of cool information. Thanks :)
@Tidaltwist 4 жыл бұрын
It'd have been helpful if there were timestamps for each part. But great talk though.
@ims-w6s 3 жыл бұрын
Really good talk on JWTs. Really interesting topics. But why the questions weren't added to the video?? Anyway, great!
@scottsmyth3251 4 жыл бұрын
super helpful thanks
@javadhosseini7524 4 жыл бұрын
thanks for your great video. I have a question. Is it good to store a jwk into a json file?
@philippederyck2572 4 жыл бұрын
Sure, it all depends on how that JWK is used. OpenID Discovery points to a JSON file containing the identity provider's keys ...
@metalbroga 4 жыл бұрын
i have a question that is related to “renewing” jwt, like those apps that never logs you out (like Facebook, instagram)?
@Deebool 4 жыл бұрын
I wonder about that part too (and security issues that goes along) !
@Rheenen 3 жыл бұрын
to renew an accesstoken, you send the expired accesstoken + refreshtoken, validate, and send back a new accesstoken if validation was ok. If not, then don't send back new access token.
@metalbroga 3 жыл бұрын
@@Rheenen Thanks for the clarification
@Cdswjp 2 жыл бұрын
Is symmetric signing ever preferred over asymmetric signing?
@j-tech9156 3 жыл бұрын
Got a lot
@SM-ok3sz 2 жыл бұрын
Good talk but holy crap is that pointing device annoying.
@mr.RAND5584 3 жыл бұрын
it is like md5 can be decoded public in their website jwt; just put the token their and it will give information;
@alvis7574 3 жыл бұрын
JWT is basically a digital envelope encrypted with some symmetric encryption algorithm. Could it secure your payload? Maybe. Could that be a problem for a hacker? Nope.
LocoMocoSec: Hawaii Product Security Conference
Рет қаралды 2,7 М.