Stormpath, profile picture
Uploaded byStormpath
PPTX, PDF870 views

JWTs for CSRF and Microservices

The document outlines a presentation on using JWTs (JSON Web Tokens) for CSRF (Cross-Site Request Forgery) protection in microservices, featuring a detailed agenda and key speakers from Stormpath. It includes discussions about security best practices, coding guidelines for JWTs, and integration options with various identity services. Additional resources such as GitHub repositories and informative links on microservices are also provided.

Embed presentation

Downloaded 10 times
JWTs for CSRF and Microservices
Welcome! • Agenda • Stormpath 101 (5 mins) • JWT with CSRF & Microservices (40 mins) • Q&A (15 mins) • Claire Hunsaker VP of Marketing • Micah Silverman Java Developer Evangelist
Speed to Market & Cost Reduction • Complete Identity solution out-of-the-box • Security best practices and updates by default • Clean & elegant API/SDKs • Little to code, no maintenance
Stormpath User Management User Data User Workflows Google ID Your Applications Application SDK Application SDK Application SDK ID Integrations Facebook Active Directory SAML
Let’s talk about CSRF!
encodeSecret = "4pE8z3PBoHjnV1AhvGk+e8h2p+ShZpOnpr8cwHmMh1w=" computeHMACSHA256( header + "." + payload, base64DecodeToByteArray(encodedSecret) ) Signature Computation Pseudo-code
JWT Secret Anti-Patterns
.signWith( SignatureAlgorithm.HS256, "secret".getBytes("UTF-8") ) Short but not Sweet
String b64EncodedSecret = "Yn2kjibddFAWtnPJ2AFlL8WXmohJMCvigQggaEypa5E="; .signWith( SignatureAlgorithm.HS256, b64EncodedSecret.getBytes("UTF-8") ) You’re Doing it Wrong
String b64EncodedSecret = "Yn2kjibddFAWtnPJ2AFlL8WXmohJMCvigQggaEypa5E="; .signWith( SignatureAlgorithm.HS512, TextCodec.BASE64.decode(b64EncodedSecret) ) Supersize that Secret!
"Microservices are awesome, but they're not free." - Les Hazlewood, Stormpath CTO
Monolithic SOA AuthenticationService AuthorizationService ApplicationService OrganizationService DirectoryService AccountService GroupService Database Infrastructure
Microservices Database Infrastructure GroupServiceAccountService AuthenticationService AuthorizationService ApplicationService OrganizationService DirectoryService
Resources • Repos used in today’s preso: ○ github.com/jwtk/jjwt ○ github.com/stormpath/roadstorm-jwt-csrf-tutorial ○ github.com/stormpath/roadstorm-jwt-microservices-tutorial • JJWT Guest Post on Baeldung - bit.ly/29ZPZAd • Stormpath Microservices Screencast - bit.ly/29Wi6iw • JWT Inspector - jwtinspector.io • HTTPie - github.com/jkbrzt/httpie • What are Microservices? ○ martinfowler.com/articles/microservices.html • @afitnerd @goStormpath support@stormpath.com

More Related Content

PPTX
Multi-Tenancy with Spring Boot
byStormpath
 
PPTX
REST API Security: OAuth 2.0, JWTs, and More!
byStormpath
 
PPTX
Token Authentication in ASP.NET Core
byStormpath
 
PPTX
Spring Boot Authentication...and More!
byStormpath
 
PPTX
Stormpath 101: Spring Boot + Spring Security
byStormpath
 
PDF
Mobile Authentication for iOS Applications - Stormpath 101
byStormpath
 
PPTX
Secure API Services in Node with Basic Auth and OAuth2
byStormpath
 
PDF
JWTs in Java for CSRF and Microservices
byStormpath
 
Multi-Tenancy with Spring Boot
byStormpath
 
REST API Security: OAuth 2.0, JWTs, and More!
byStormpath
 
Token Authentication in ASP.NET Core
byStormpath
 
Spring Boot Authentication...and More!
byStormpath
 
Stormpath 101: Spring Boot + Spring Security
byStormpath
 
Mobile Authentication for iOS Applications - Stormpath 101
byStormpath
 
Secure API Services in Node with Basic Auth and OAuth2
byStormpath
 
JWTs in Java for CSRF and Microservices
byStormpath
 

What's hot

PPTX
Browser Security 101
byStormpath
 
PPTX
Intro to Apache Shiro
byClaire Hunsaker
 
PDF
Securing Web Applications with Token Authentication
byStormpath
 
PDF
Super simple application security with Apache Shiro
byMarakana Inc.
 
PPTX
Token Authentication for Java Applications
byStormpath
 
PDF
JavaOne 2014 - Securing RESTful Resources with OAuth2
byRodrigo Cândido da Silva
 
PPTX
Single-Page-Application & REST security
byIgor Bossenko
 
PPTX
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
byDataStax Academy
 
PPTX
Spring Security
byManish Sharma
 
PPTX
Access Control Pitfalls v2
byJim Manico
 
PDF
Authentication: Cookies vs JWTs and why you’re doing it wrong
byDerek Perkins
 
PDF
J2EE Security with Apache SHIRO
byCygnet Infotech
 
PPTX
How to Use Stormpath in angular js
byStormpath
 
PDF
The Ultimate Guide to Mobile API Security
byStormpath
 
PDF
ConFoo 2015 - Securing RESTful resources with OAuth2
byRodrigo Cândido da Silva
 
PDF
Programming with Azure Active Directory
byJoonas Westlin
 
PPTX
Building a document e-signing workflow with Azure Durable Functions
byJoonas Westlin
 
PDF
Build a REST API for your Mobile Apps using Node.js
byStormpath
 
PPTX
Secure Your REST API (The Right Way)
byStormpath
 
PPTX
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
byCA API Management
 
Browser Security 101
byStormpath
 
Intro to Apache Shiro
byClaire Hunsaker
 
Securing Web Applications with Token Authentication
byStormpath
 
Super simple application security with Apache Shiro
byMarakana Inc.
 
Token Authentication for Java Applications
byStormpath
 
JavaOne 2014 - Securing RESTful Resources with OAuth2
byRodrigo Cândido da Silva
 
Single-Page-Application & REST security
byIgor Bossenko
 
ApacheCon 2014: Infinite Session Clustering with Apache Shiro & Cassandra
byDataStax Academy
 
Spring Security
byManish Sharma
 
Access Control Pitfalls v2
byJim Manico
 
Authentication: Cookies vs JWTs and why you’re doing it wrong
byDerek Perkins
 
J2EE Security with Apache SHIRO
byCygnet Infotech
 
How to Use Stormpath in angular js
byStormpath
 
The Ultimate Guide to Mobile API Security
byStormpath
 
ConFoo 2015 - Securing RESTful resources with OAuth2
byRodrigo Cândido da Silva
 
Programming with Azure Active Directory
byJoonas Westlin
 
Building a document e-signing workflow with Azure Durable Functions
byJoonas Westlin
 
Build a REST API for your Mobile Apps using Node.js
byStormpath
 
Secure Your REST API (The Right Way)
byStormpath
 
API Security & Federation Patterns - Francois Lascelles, Chief Architect, Lay...
byCA API Management
 

Viewers also liked

PPTX
Building Secure User Interfaces With JWTs (JSON Web Tokens)
byStormpath
 
PPTX
Beautiful REST+JSON APIs with Ion
byStormpath
 
PPTX
Build a Node.js Client for Your REST+JSON API
byStormpath
 
PPTX
Instant Security & Scalable User Management with Spring Boot
byStormpath
 
PPTX
REST API Design for JAX-RS And Jersey
byStormpath
 
PPTX
So long scrum, hello kanban
byStormpath
 
PDF
Getting Started With Angular
byStormpath
 
PDF
Building Beautiful REST APIs with ASP.NET Core
byStormpath
 
PDF
Building Beautiful REST APIs in ASP.NET Core
byStormpath
 
PPTX
Build A Killer Client For Your REST+JSON API
byStormpath
 
PPTX
Elegant Rest Design Webinar
byStormpath
 
PPTX
Storing User Files with Express, Stormpath, and Amazon S3
byStormpath
 
PPT
ID Next 2013 Keynote Slides by Mike Schwartz
byMike Schwartz
 
PPTX
Custom Data Search with Stormpath
byStormpath
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
byStormpath
 
Beautiful REST+JSON APIs with Ion
byStormpath
 
Build a Node.js Client for Your REST+JSON API
byStormpath
 
Instant Security & Scalable User Management with Spring Boot
byStormpath
 
REST API Design for JAX-RS And Jersey
byStormpath
 
So long scrum, hello kanban
byStormpath
 
Getting Started With Angular
byStormpath
 
Building Beautiful REST APIs with ASP.NET Core
byStormpath
 
Building Beautiful REST APIs in ASP.NET Core
byStormpath
 
Build A Killer Client For Your REST+JSON API
byStormpath
 
Elegant Rest Design Webinar
byStormpath
 
Storing User Files with Express, Stormpath, and Amazon S3
byStormpath
 
ID Next 2013 Keynote Slides by Mike Schwartz
byMike Schwartz
 
Custom Data Search with Stormpath
byStormpath
 

Similar to JWTs for CSRF and Microservices

PDF
Authorization and Authentication in Microservice Environments
byLeanIX GmbH
 
PPTX
Pentesting jwt
byJaya Kumar Kondapalli
 
PDF
muCon 2016: Authentication in Microservice Systems By David Borsos
byOpenCredo
 
PPTX
Microservices Security landscape
bySagara Gunathunga
 
PPTX
Microservices Security Landscape
byPrabath Siriwardena
 
PDF
Talk Microservices to Me: The Role of IAM in Microservice Architecture
byWSO2
 
PDF
Microservices Security Landscape
byPrabath Siriwardena
 
PPTX
Microservices security - jpmc tech fest 2018
byMOnCloud
 
PDF
Microservices for the Masses with Spring Boot, JHipster, and JWT - Rich Web 2016
byMatt Raible
 
PDF
RoadSec 2017 - Trilha AppSec - APIs Authorization
byErick Belluci Tedeschi
 
PDF
Authentication in microservice systems
byDavid Borsos
 
PPTX
Micro Web Service - Slim and JWT
byTuyen Vuong
 
PPTX
A recipe for standards-based Cloud IdM
byPaul Madsen
 
Authorization and Authentication in Microservice Environments
byLeanIX GmbH
 
Pentesting jwt
byJaya Kumar Kondapalli
 
muCon 2016: Authentication in Microservice Systems By David Borsos
byOpenCredo
 
Microservices Security landscape
bySagara Gunathunga
 
Microservices Security Landscape
byPrabath Siriwardena
 
Talk Microservices to Me: The Role of IAM in Microservice Architecture
byWSO2
 
Microservices Security Landscape
byPrabath Siriwardena
 
Microservices security - jpmc tech fest 2018
byMOnCloud
 
Microservices for the Masses with Spring Boot, JHipster, and JWT - Rich Web 2016
byMatt Raible
 
RoadSec 2017 - Trilha AppSec - APIs Authorization
byErick Belluci Tedeschi
 
Authentication in microservice systems
byDavid Borsos
 
Micro Web Service - Slim and JWT
byTuyen Vuong
 
A recipe for standards-based Cloud IdM
byPaul Madsen
 

Recently uploaded

PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PDF
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
PDF
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
PDF
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
PDF
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
PDF
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
PDF
December Patch Tuesday
byIvanti
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PDF
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
PDF
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
DOCX
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
PDF
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
PDF
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
PPTX
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
PDF
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
PDF
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
PDF
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
PDF
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
PDF
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
PDF
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 
The year in review - MarvelClient in 2025
bypanagenda
 
Agentic Automation for Testers – A Hands-On Deep Dive
byUiPathCommunity
 
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
API206-S: Transforming Supply Chains with Amazon Bedrock AgentCore - AWS re:I...
byChris Bingham
 
Session 1 - Solving Semi-Structured Documents with Document Understanding
byDianaGray10
 
December Patch Tuesday
byIvanti
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
TrustArc Webinar - Looking Ahead: The 2026 Privacy Landscape
byTrustArc
 
Making Sense of Raster: From Bit Depth to Better Workflows
bySafe Software
 
Introduction to the World of Computers (Hardware & Software)
byALIABBAS ABASOV
 
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
Ritesh_kumar_Aatmanirbhar Bharat: Make in India, Make for the World.pptx
byriteshrkgs2008
 
The Ultimate Guide to Problem Management Dashboards for IT Teams.pdf
byomnex systems
 
Decoding the DNA: The Digital Networks Act, the Open Internet, and IP interco...
byCSUC - Consorci de Serveis Universitaris de Catalunya
 
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
TPPmark2025 Kenta Inoue's answer 12/04/2025
byKenta Inoue
 
Greetings All Students Update 3 by Mia Corp
by©LDMMIA, ©Reiki Yoga
 

JWTs for CSRF and Microservices