Holy crap, JWTs are insanely complex, very good talk! Also scares me that this is the defacto method for "simple and secure" authentication in most APIs.
Excellent preso. As AppSec professionals we need these kinds of prescriptive information for our developers. I'll definitely be sharing the cheat sheet and recommending more use of things like key IDs rather than just basic jwt sharing. Good stuff.
Thanks, you refined a lot for me. Guess what, I made an error when during validation of JWT doesn't checked an issuer with expected. It's funny because I had a hesitation to check it but was too busy by implementing sig verification. Thank you again, you saved billions (I hope) of my future users :)
Still a Really good talk where I’ve learned a lot and got a lot of the info confirmed from what others haven’t explained fully. Thanks for a good informative video! 😊
to renew an accesstoken, you send the expired accesstoken + refreshtoken, validate, and send back a new accesstoken if validation was ok. If not, then don't send back new access token.
JWT is basically a digital envelope encrypted with some symmetric encryption algorithm. Could it secure your payload? Maybe. Could that be a problem for a hacker? Nope.
My god I learn so much from this talk! Loads of information and the presenter is knowledgeable!
Unbelievable!
I followed after watched your JWT crash course!
Hi Hussie, great to see your comment here
You here, how am I not surprised !? By the way I really enjoy your videos, I’ve learned so much from them. Keep up the good work !
Holy crap, JWTs are insanely complex, very good talk! Also scares me that this is the defacto method for "simple and secure" authentication in most APIs.
Excellent preso. As AppSec professionals we need these kinds of prescriptive information for our developers. I'll definitely be sharing the cheat sheet and recommending more use of things like key IDs rather than just basic jwt sharing. Good stuff.
Very clear and detailed yet concise. Thanks you very much!
Thanks, SIr.
It's a very good explanation!
Indeed, very clear!
Thanks, you refined a lot for me. Guess what, I made an error when during validation of JWT doesn't checked an issuer with expected. It's funny because I had a hesitation to check it but was too busy by implementing sig verification. Thank you again, you saved billions (I hope) of my future users :)
Still a Really good talk where I’ve learned a lot and got a lot of the info confirmed from what others haven’t explained fully. Thanks for a good informative video! 😊
Really good talk on JWTs. Really interesting topics. But why the questions weren't added to the video?? Anyway, great!
It'd have been helpful if there were timestamps for each part. But great talk though.
Awesome video ! So much to take from it. Thx for sharing it.
the title maintains the promises
Is symmetric signing ever preferred over asymmetric signing?
One of the best on JWT , JWS...
i have a question that is related to “renewing” jwt, like those apps that never logs you out (like Facebook, instagram)?
I wonder about that part too (and security issues that goes along) !
to renew an accesstoken, you send the expired accesstoken + refreshtoken, validate, and send back a new accesstoken if validation was ok. If not, then don't send back new access token.
@@Rheenen Thanks for the clarification
Superb talk, sir!
Excellent talk, I learned a lot of new things.
Great talk ! I learnt a lot from the talk.
Excellent power packed talk
Super awesome. Tons of cool information. Thanks :)
Great presentation, thanks for sharing!
Best talk on JWT
thanks for your great video. I have a question. Is it good to store a jwk into a json file?
Sure, it all depends on how that JWK is used. OpenID Discovery points to a JSON file containing the identity provider's keys ...
Thanks, amazing talk
super helpful thanks
Great talk .... learned a lot of new stuff
Good talk but holy crap is that pointing device annoying.
it is like md5 can be decoded public in their website jwt; just put the token their and it will give information;
Got a lot
JWT is basically a digital envelope encrypted with some symmetric encryption algorithm. Could it secure your payload? Maybe. Could that be a problem for a hacker? Nope.