The title of the talk should have been "Introduction to JWT + General best practices". The talk is pretty beginner oriented. If you have a slight idea about security, you won't loose much skipping it. Also right at the interesting bits when he talked about Vault, the screen shows the wrong slides, see 46:10 and 53:38
Do you also pass along signed tokens in message queues for identity propagation in addition to security? If so, is there a convention on how to do that (like the authorization bearer for http requests)?
First of all, nice prez! Although, I'd like to ask a question :) I don't seem to find the answer anywhere (it gotta be somewhere, I'm still looking) Anyway, I saw there are two ways implementation of security: 1- Authentication first, you get the token, and then you make requests reroutes through the gateway 2- Everything goes through the gateway, including authentication (it's considered as another microservice) So yeah, everyone shows the 1st implementation, where 2nd is also used but not very common, and I wanna ask why? I mean, if we're in a microservices architecture, why don't I have authentication behind the gateway as well? Is it more complicated (yeah, you'd have to reroute every authorization & authentication endpoints to retrieve the token), but would that be the only reason? Doesn't make sense to me ... Any thoughts?
1:00:40 you recommend to pass along the signed token from service A to service B. But in the token there is the 'aud' claim which is probably limited to the gateway. Should the audience verification be disabled on service B?
Brock Allen and Dominick Baier (the identity server guys) have talked about the audience claim and said it can be replaced with scopes for most scenarios. Unless you are into some SaaS scenarios with multiple instances of your token server sharing key signing material then it's safe to just use scopes. I would have each service know what scopes it's willing to accept and check incoming tokens for said scopes.
Really good throught process. First time I could understand how JWT can be hacked. I will never use the default verify implementation as that can lead to hacks, instead a custom verifyToken function can check on the specific algorithm instead of relying on algo types from jwt.
Shame on him for bringing in his political views (I'm sure endorsed by HashiCorp) into this talk. How smug, elitist, and opinionated, and assuming we all should and do agree or care about his political views.
@@vadym8713 the Swordsmith doesn't sweat about who the blade slays, just on how good the sword performs in the hands of a swordsman. *I'm just in for the tool, not politics* Technology is a tool, the TECH community should focus on the tool, not on who's using it and what's his/her political leanings.
@@samuelvishesh is that a rule? He is entitled to his own opinion, and you are entitled to not watch, or dismiss his political point of view and withdraw the technical information you find useful.
Good grief. I came here to learn, but got this instead: - some personal insert about politics - s-looow as molasses speech (no, speeding it up does not help because see my other points) - meandering, lack of structure - a whole bunch of talk about JWT. That's precisely what the talk is supposed to be about, right? oh, wait...
Agreed, mostly, although I did appreciate the content of the talk. The political "joke" was boring, I watched the whole video at 1.5 speed with ease, and the title could have more accurately described the content of the talk. However, I didn't think the content was lacking structure. I found the talk quite informative and thorough, especially for a developer working towards a JWT based system. If that's not you, then yeah... probably a bit of a waste of time.
Who would have thought that academic material would be so politically charged. You've offended many and you're so willing to do so. Think what you think, but I was disgusted to hear it.
Why would you get offended hearing someone else's political opinions, even if you disagree with them? It was a couple minute blurb in a talk. Agreed it was out of place, but..chill.
When you think you are funny and your political views must be presented within your presentation while you can not speak at normal speed. For god sake....
Imagine feeling offended because someone spent 30 seconds out of 65 minutes poking fun at an obvious idiot. Btw: this is RUclips. You can change the playback speed.
I have never listened to such unprofessional speech. This kind of public humiliation of someboody based on your opinion, which may seem true to you, is completely unacceptable. Watch some lectures on public behavior and then start talking about microservices.
![How Netflix Is Solving Authorization Across Their Cloud [I] - Manish Mehta & Torin Sandall, Netflix](/img/1.gif)
Hashicorp sounds like a futuristic crime org that grows illegal superorgans. I love it.
The title of the talk should have been "Introduction to JWT + General best practices". The talk is pretty beginner oriented. If you have a slight idea about security, you won't loose much skipping it.
Also right at the interesting bits when he talked about Vault, the screen shows the wrong slides, see 46:10 and 53:38
This is an amazing lecture! brilliantly taught!
What a great talk, thanks for sharing!
Hi Nick, good job on exposing to audience keys to care about AuthNZ. Thanks for your signature:)
Great talk!
Nic, amazing presentation!
This is very useful. Thanks Nic!
Excellent talk!
Do you also pass along signed tokens in message queues for identity propagation in addition to security? If so, is there a convention on how to do that (like the authorization bearer for http requests)?
First of all, nice prez!
Although, I'd like to ask a question :)
I don't seem to find the answer anywhere (it gotta be somewhere, I'm still looking)
Anyway, I saw there are two ways implementation of security:
1- Authentication first, you get the token, and then you make requests reroutes through the gateway
2- Everything goes through the gateway, including authentication (it's considered as another microservice)
So yeah, everyone shows the 1st implementation, where 2nd is also used but not very common, and I wanna ask why?
I mean, if we're in a microservices architecture, why don't I have authentication behind the gateway as well?
Is it more complicated (yeah, you'd have to reroute every authorization & authentication endpoints to retrieve the token), but would that be the only reason? Doesn't make sense to me ...
Any thoughts?
Thanks Nic. This was very helpful.
1:00:40 you recommend to pass along the signed token from service A to service B. But in the token there is the 'aud' claim which is probably limited to the gateway. Should the audience verification be disabled on service B?
Brock Allen and Dominick Baier (the identity server guys) have talked about the audience claim and said it can be replaced with scopes for most scenarios. Unless you are into some SaaS scenarios with multiple instances of your token server sharing key signing material then it's safe to just use scopes. I would have each service know what scopes it's willing to accept and check incoming tokens for said scopes.
What an explanation 🙏🏽😊.. thanks
Really good throught process. First time I could understand how JWT can be hacked. I will never use the default verify implementation as that can lead to hacks, instead a custom verifyToken function can check on the specific algorithm instead of relying on algo types from jwt.
I watch tech videos to learn about your political positions
What if a JWT expires though a process? e.g. is valid for one service but by the time it is passed to another it becomes invalid?
seems to very similar presentation i have seen in youtube
Keep politics out of TECH
Shame on him for bringing in his political views (I'm sure endorsed by HashiCorp) into this talk. How smug, elitist, and opinionated, and assuming we all should and do agree or care about his political views.
Sam it is funny how tech people want to stay out of the politics which using tech for ruining democracy and economics
@@vadym8713 the Swordsmith doesn't sweat about who the blade slays, just on how good the sword performs in the hands of a swordsman.
*I'm just in for the tool, not politics*
Technology is a tool, the TECH community should focus on the tool, not on who's using it and what's his/her political leanings.
@@samuelvishesh is that a rule?
He is entitled to his own opinion, and you are entitled to not watch, or dismiss his political point of view and withdraw the technical information you find useful.
@@shilpidey3184 Elitist? XD hahaha. Opinionated yes... but elitist?
Good grief. I came here to learn, but got this instead:
- some personal insert about politics
- s-looow as molasses speech (no, speeding it up does not help because see my other points)
- meandering, lack of structure
- a whole bunch of talk about JWT. That's precisely what the talk is supposed to be about, right? oh, wait...
Agreed, mostly, although I did appreciate the content of the talk. The political "joke" was boring, I watched the whole video at 1.5 speed with ease, and the title could have more accurately described the content of the talk. However, I didn't think the content was lacking structure. I found the talk quite informative and thorough, especially for a developer working towards a JWT based system. If that's not you, then yeah... probably a bit of a waste of time.
13:35 Why do I see Trump on my screen?
Damn.. if the host could just chit chat less about things only he thinks are funny and if he could speak a bit faster..
Thanks for the heads up -- playback 1.5x is pretty watchable
Who would have thought that academic material would be so politically charged. You've offended many and you're so willing to do so. Think what you think, but I was disgusted to hear it.
Why would you get offended hearing someone else's political opinions, even if you disagree with them? It was a couple minute blurb in a talk. Agreed it was out of place, but..chill.
Diddums
JWT tokens can easily be > 1.5 KB in size, not something I want to send around to my API infrastructure with every request.
Why impose your political opinions on a IT lecture. Very unprofessional
When you think you are funny and your political views must be presented within your presentation while you can not speak at normal speed. For god sake....
Imagine feeling offended because someone spent 30 seconds out of 65 minutes poking fun at an obvious idiot.
Btw: this is RUclips. You can change the playback speed.
Good topic has been ruined by this guy.
I have never listened to such unprofessional speech. This kind of public humiliation of someboody based on your opinion, which may seem true to you, is completely unacceptable.
Watch some lectures on public behavior and then start talking about microservices.