Java JWTs for CSRF Prevention and Microservices

JWTsfor

CSRF and Microservices

Welcome! • Agenda

• Stormpath 101 (5 mins)• JWT with CSRF & Microservices (40 mins)• Q&A (15 mins)

• Claire HunsakerVP of Marketing

• Micah SilvermanJava Developer Evangelist

Speed to Market & Cost Reduction• Complete Identity solution out-of-the-box• Security best practices and updates by default• Clean & elegant API/SDKs• Little to code, no maintenance

Stormpath User Management

User Data

User Workflows Google ID

Your ApplicationsApplication SDK

Application SDK

Application SDK

ID Integrations

Facebook

Active Directory

SAML

Let’s talk about CSRF!

encodeSecret =

"4pE8z3PBoHjnV1AhvGk+e8h2p+ShZpOnpr8cwHmMh1w="

computeHMACSHA256(

header + "." + payload,

base64DecodeToByteArray(encodedSecret)

)

Signature Computation Pseudo-code

JWTSecret Anti-Patterns

.signWith( SignatureAlgorithm.HS256, "secret".getBytes("UTF-8") )

Short but not Sweet

String b64EncodedSecret = "Yn2kjibddFAWtnPJ2AFlL8WXmohJMCvigQggaEypa5E=";

.signWith(

SignatureAlgorithm.HS256,

b64EncodedSecret.getBytes("UTF-8")

)

You’re Doing it Wrong

String b64EncodedSecret = "Yn2kjibddFAWtnPJ2AFlL8WXmohJMCvigQggaEypa5E=";

.signWith(

SignatureAlgorithm.HS512,

TextCodec.BASE64.decode(b64EncodedSecret)

)

Supersize that Secret!

"Microservices are awesome, but they're not free."

- Les Hazlewood, Stormpath CTO

Monolithic SOA

AuthenticationServiceAuthorizationServiceApplicationService

OrganizationServiceDirectoryServiceAccountServiceGroupService

DatabaseInfrastructure

Microservices

DatabaseInfrastructure

GroupServiceAccountService

AuthenticationService AuthorizationService

ApplicationService OrganizationService DirectoryService

Resources• Repos used in today’s preso:

○ github.com/jwtk/jjwt○ github.com/stormpath/roadstorm-jwt-csrf-tutorial○ github.com/stormpath/roadstorm-jwt-microservices-

tutorial• JJWT Guest Post on Baeldung - bit.ly/29ZPZAd• Stormpath Microservices Screencast -

bit.ly/29Wi6iw• JWT Inspector - jwtinspector.io• HTTPie - github.com/jkbrzt/httpie• What are Microservices?

○ martinfowler.com/articles/microservices.html• @afitnerd @goStormpath

[email protected]