Stop Using JSON Web Tokens
Abstract
JSON Web Tokens (JWTs) are all the rage in the security world. They’re becoming more and more ubiquitous in web authentication libraries, and are commonly used to store a user’s identity information. In this talk, you’ll learn why you might want to reconsider the usage of JWTs.
Talk Description
JSON Web Tokens (JWTs) are all the rage in the security world. They’re becoming more and more ubiquitous in web authentication libraries, and are commonly used to store a user’s identity information.
In this talk, Randall Degges, Lead Developer Advocate at Okta, will take you on an extensive tour of the web authentication landscape. You’ll learn how JWTs and sessions work, and why JWTs are the worst possible solution for solving web authentication problems.
You’ll also learn the real reason behind JWTs’ rise to fame, and better ways to secure your websites that don’t involve misplaced hype.
Specifically, Randall will explain:
- How JWTs work
- How sessions work
- Why people like JWTs more than sessions
- Why all of the good things you heard about JWTs are incorrect
- How to properly secure websites using sessions
- Why JWTs are never the right solution
- How JWTs got so popular in the first place
- When you should use JWTs
- Type: talk
- Expected length: 45min
- Intended audience: Intermediate
About the Author
Randall Degges leads Developer Advocacy at Okta, previously Stormpath, where he builds open source security libraries and helps make the internet a little safer. In a prior life, Randall was the CTO of OpenCNAM, the largest Caller ID API service. In his free time, Randall geeks out on web best practices, explores new technologies, and spends an inordinate amount of time writing Python, Node, and Go. As a fun fact, Randall runs ipify.org, one of the largest IP lookup APIs which serves over 30 billion requests per month.