

What do we do about JWT? with Jonathan Rudenberg
Aug 12, 2021
Join Jonathan Rudenberg, a seasoned software engineer known for his work on Flynn and various authentication systems, as he dives deep into the world of tokens. He discusses the enduring relevance of JSON Web Tokens (JWT), critiques their security weaknesses, and compares them with other protocols like SAML and OIDC. Rudenberg also introduces alternatives like PASETO and macaroons, highlighting their unique advantages. Learn about the intricate challenges of certificate management in large organizations, and discover the future possibilities in token authentication!
AI Snips
JWT Is An Interoperable Session Bag
- JWT is essentially a cross-platform signed-session format: a JSON bag of attributes used the way a web framework uses its signed session cookies.
- Its extensible choice of cryptography and its JSON encoding make it interoperable, but they also invite many sharp edges.
Lock Down Token Profiles
- Verify tokens against fixed expectations: if the header must be read at all, use it only to select one of a small set of profiles fixed out of band, never to choose the algorithm or key.
- For interoperability, prefer a single static profile and reject any other alg or header value.
In-Band Algorithm Choice Is Dangerous
- JWT's header-driven algorithm choice enables algorithm-confusion attacks (for example, an RSA public key being accepted as an HMAC secret) and 'none'-algorithm attacks whenever the verifier trusts the in-band header.
- This is why binding the algorithm and key out of band is essential for safety.
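The two snips above (locking down a token profile, and the danger of in-band algorithm choice) are easiest to see side by side. The following is an added example, not code from the episode or from any library it mentions: a naive HS256 verifier that dispatches on whatever `alg` the token claims, next to a verifier pinned to one static profile chosen out of band. It uses only the Python standard library; the key, issuer and audience strings are constructed for the demo, and `rejects` is a small helper added for the test.

```python
# Added example (not from the episode): a naive JWT verifier that trusts the
# in-band "alg" header next to a verifier pinned to a static profile. Standard
# library only; key, issuer and audience values are constructed.
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-hmac-key"          # constructed sample key
EXPECTED_ISS = "https://issuer.example"          # constructed
EXPECTED_AUD = "api.example"                     # constructed
PROFILE = {"alg": "HS256", "typ": "JWT"}         # fixed out of band, never read from the token


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_part(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(payload: dict, key: bytes, header: dict = PROFILE) -> str:
    """Issue a token the way an honest issuer would."""
    signing_input = f"{_encode_part(header)}.{_encode_part(payload)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def forge_none(payload: dict) -> str:
    """Attacker-made token: alg=none, empty signature, no key needed."""
    return f"{_encode_part({'alg': 'none', 'typ': 'JWT'})}.{_encode_part(payload)}."


def naive_verify(token: str, key: bytes) -> dict:
    """VULNERABLE: dispatches on whatever alg the token claims."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":            # the sharp edge: unsigned tokens pass
        return json.loads(b64url_decode(p))
    if header.get("alg") == "HS256":
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(s)):
            return json.loads(b64url_decode(p))
    raise ValueError("signature check failed")


def strict_verify(token: str, key: bytes, now=None) -> dict:
    """Pinned profile: the header must equal PROFILE exactly, the signature is
    checked as HS256 with the out-of-band key, then required claims are checked.
    Nothing inside the token gets to pick the algorithm or the key."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(b64url_decode(h)) != PROFILE:
        raise ValueError("header does not match the pinned profile")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("signature check failed")
    payload = json.loads(b64url_decode(p))
    now = int(time.time()) if now is None else now
    if payload.get("iss") != EXPECTED_ISS or payload.get("aud") != EXPECTED_AUD:
        raise ValueError("unexpected issuer or audience")
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        raise ValueError("token expired or missing exp")
    return payload


def rejects(verifier, token: str, key: bytes, **kwargs) -> bool:
    """True when the verifier refuses the token (helper for the demo and test)."""
    try:
        verifier(token, key, **kwargs)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    claims = {"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "sub": "alice", "exp": 1_700_000_000}
    good = sign_hs256(claims, SECRET)
    forged = forge_none({**claims, "sub": "admin"})
    print("strict accepts good token:", strict_verify(good, SECRET, now=1_699_999_000)["sub"])
    print("naive accepts alg=none forgery:", naive_verify(forged, SECRET)["sub"])
    print("strict rejects alg=none forgery:", rejects(strict_verify, forged, SECRET, now=1_699_999_000))
```

Note that `strict_verify` compares the whole header to the profile, not just `alg`: an otherwise valid token carrying an extra `kid` or a different `typ` is refused too, which is what "reject all other header values" means in practice. The naive verifier is kept deliberately vulnerable to show the failure mode; the same in-band dispatch is what lets an RSA-signed profile be downgraded to HMAC when a verifier supports both.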