Do you really know JWT? by Karim Pinchon

Explore the ins and outs of JSON Web Tokens (JWT), a standard for secure claims representation, and learn best practices for implementation in APIs, web apps, and microservices.

Key takeaways
  • JWT is a standard for representing claims securely between two parties.
  • JWT consists of three parts: header, payload, and signature.
  • The header is a small JSON object that declares the token type and the algorithm used to sign or encrypt it (the `typ` and `alg` fields); the three parts are each base64url-encoded and joined with dots.
  • The payload contains the claims, i.e. the statements about a subject (user id, role, expiry) being transferred.
  • The signature is computed over the encoded header and payload with either a shared secret (HMAC) or a private key (RSA, ECDSA); the receiver recomputes or checks it with the same secret or the matching public key to detect tampering.
  • JWT is used for authentication and authorization, and relies on cryptography (signing or encryption) to make the transferred claims trustworthy.
  • Signing and encryption can use symmetric algorithms (one shared secret, e.g. HMAC) or asymmetric algorithms (a key pair, e.g. RSA or ECDSA); the choice decides who can mint tokens and who can only check them.
  • A JWT is serialized in one of two forms: JSON Web Signature (JWS) or JSON Web Encryption (JWE).
  • JWS provides integrity and authenticity of the claims (anyone can still read them), while JWE provides confidentiality by encrypting the payload.
  • JWT is used in APIs, web applications, and microservices.
  • Common JWT weaknesses include unsecured tokens (the `alg: none` header, which carries no signature at all), token tampering when the receiver does not verify the signature, and brute-forcing weak HMAC secrets.
  • Best practices include choosing an appropriate symmetric or asymmetric algorithm and having the verifier enforce that choice rather than trusting the token's own `alg` header, always validating the signature and standard claims such as expiry, and keeping the payload compact because it travels with every request.
  • JWT is used in OAuth2 and OpenID Connect.
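The following is an added example, not code from the article: a minimal HS256 JWT (JWS compact serialization) built with only the Python standard library. It shows the header.payload.signature structure from the takeaways above and a verifier that rejects the pitfalls listed there: an unsecured `alg: none` token, a payload tampered after signing, a wrong secret, and an expired `exp` claim. The secret, claims and helper names (`sign_jwt`, `verify_jwt`, `tamper_payload`, `unsecured_token`, `is_rejected`) are constructed for this demo and are not part of any library API.

```python
# Added example (not from the original article): a minimal HS256 JWT built
# from the standard library, plus a verifier that rejects unsecured tokens,
# tampered payloads, wrong secrets and expired tokens.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; in production load a long random secret from a
# secrets manager or environment, never hard-code it.
SECRET = b"correct-horse-battery-staple-demo-secret-32+"


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as the JWS spec (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode: restore the stripped padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Return header.payload.signature with HMAC-SHA256 over 'header.payload'."""
    header_b64 = _encode_json({"alg": "HS256", "typ": "JWT"})
    payload_b64 = _encode_json(claims)
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    mac = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(mac)}"


def verify_jwt(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Return the claims if the token is valid, otherwise raise ValueError.

    The verifier pins the expected algorithm instead of trusting the token's
    own "alg" header, so "none" and algorithm-confusion tokens are refused
    before any signature is even looked at.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking the MAC byte by byte via timing.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if "exp" in claims and current >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def tamper_payload(token: str, **changes) -> str:
    """Attacker helper: rewrite claims in the payload but keep the old signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims.update(changes)
    return f"{header_b64}.{_encode_json(claims)}.{sig_b64}"


def unsecured_token(claims: dict) -> str:
    """Attacker helper: an 'alg: none' token with an empty signature segment."""
    return f"{_encode_json({'alg': 'none', 'typ': 'JWT'})}.{_encode_json(claims)}."


def is_rejected(token: str, secret: bytes = SECRET) -> bool:
    """True when verify_jwt refuses the token."""
    try:
        verify_jwt(token, secret)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    good = sign_jwt({"sub": "alice", "role": "user", "exp": int(time.time()) + 300}, SECRET)
    print("token:", good)
    print("valid token accepted for:", verify_jwt(good, SECRET)["sub"])
    print("tampered role rejected:", is_rejected(tamper_payload(good, role="admin")))
    print("alg none rejected:", is_rejected(unsecured_token({"sub": "alice", "role": "admin"})))
    print("wrong secret rejected:", is_rejected(good, b"guess"))
    print("expired rejected:", is_rejected(sign_jwt({"sub": "alice", "exp": 100}, SECRET)))
```

Run it and decode the first two segments of the printed token to see the `alg`/`typ` header and the claims in clear; only the third segment depends on the secret, which is why the payload of a JWS must never carry anything confidential.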