SlideShare una empresa de Scribd logo

An Introduction to PASETO Tokens

All Things Open
All Things Open

Presented at: All Things Open 2019 Presented by: Randall Degges, Okta

Tecnología
1 de 21
Descargar para leer sin conexión
@rdegges @oktadev PASETO Tokens An Introduction to platform agnostic security tokens
@rdegges @oktadev Chief Hacker @okta python/js/go hacker builder open source author Hi, I'm Randall.
@rdegges @oktadev What's PASETO? P { "id": "a5db284d-d22c-4a3d-b67e-60776fc24526", "email": "r@rdegges.com", "permissions": [ "download:file-a.mp4", "download:file-b.mp4", "download:file-c.mp4" ] } Randall Degges PASETOs are always authenticated.
@rdegges @oktadev What are cryptographic signatures? Greetings, I am writing to inform you that you are the great grandson of a very wealthy king. I've been attempting to contact you to transfer your inheritance. Please send me your bank account details so I can initiate the transfer ASAP. Sincerely yours, Randall Degges I know who Randall is. I know what his signature looks like. I trust him. Therefore, I trust this information.
@rdegges @oktadev What are PASETOs for? Proving that JSON data can be trusted. { "name": "Randall Degges", "height": "6'0", "eyeColor": "brown" } single-use only short duration P
@rdegges @oktadev What does a PASETO look like? P v2.public.eyJpZCI6ICJjNDQ1NDY1Mi05NWExLTQ2MzktODA0Y y0yZjc2MTVhNGMwMjciLCAibmFtZSI6ICJSYW5kYWxsIERlZ2dl cyIsICJleHAiOiAiMjAxOS0xMC0xMFQxMTowNDozNS0wNzowMCJ 9rUy35ian_44WAlMLVi5Wk4GGvDlmCpEWkldn1CH3RgLfo-VUWm xC9EPTBY8l0uoomavACbAIoo1OiGVNMew1Bw.eyJraWQiOiAiMT IzNDUifQbase64-encoded URL safe!
@rdegges @oktadev What does a PASETO look like? P v2.public.eyJpZCI6ICJjNDQ1NDY1Mi05NWExLTQ2MzktODA0Y y0yZjc2MTVhNGMwMjciLCAibmFtZSI6ICJSYW5kYWxsIERlZ2dl cyIsICJleHAiOiAiMjAxOS0xMC0xMFQxMTowNDozNS0wNzowMCJ 9rUy35ian_44WAlMLVi5Wk4GGvDlmCpEWkldn1CH3RgLfo-VUWm xC9EPTBY8l0uoomavACbAIoo1OiGVNMew1Bw.eyJraWQiOiAiMT IzNDUifQ version
@rdegges @oktadev What does a PASETO look like? P v2.public.eyJpZCI6ICJjNDQ1NDY1Mi05NWExLTQ2MzktODA0Y y0yZjc2MTVhNGMwMjciLCAibmFtZSI6ICJSYW5kYWxsIERlZ2dl cyIsICJleHAiOiAiMjAxOS0xMC0xMFQxMTowNDozNS0wNzowMCJ 9rUy35ian_44WAlMLVi5Wk4GGvDlmCpEWkldn1CH3RgLfo-VUWm xC9EPTBY8l0uoomavACbAIoo1OiGVNMew1Bw.eyJraWQiOiAiMT IzNDUifQ version purpose
@rdegges @oktadev What does a PASETO look like? P v2.public.eyJpZCI6ICJjNDQ1NDY1Mi05NWExLTQ2MzktODA0Y y0yZjc2MTVhNGMwMjciLCAibmFtZSI6ICJSYW5kYWxsIERlZ2dl cyIsICJleHAiOiAiMjAxOS0xMC0xMFQxMTowNDozNS0wNzowMCJ 9rUy35ian_44WAlMLVi5Wk4GGvDlmCpEWkldn1CH3RgLfo-VUWm xC9EPTBY8l0uoomavACbAIoo1OiGVNMew1Bw.eyJraWQiOiAiMT IzNDUifQ version purpose payload
@rdegges @oktadev What does a PASETO look like? P v2.public.eyJpZCI6ICJjNDQ1NDY1Mi05NWExLTQ2MzktODA0Y y0yZjc2MTVhNGMwMjciLCAibmFtZSI6ICJSYW5kYWxsIERlZ2dl cyIsICJleHAiOiAiMjAxOS0xMC0xMFQxMTowNDozNS0wNzowMCJ 9rUy35ian_44WAlMLVi5Wk4GGvDlmCpEWkldn1CH3RgLfo-VUWm xC9EPTBY8l0uoomavACbAIoo1OiGVNMew1Bw.eyJraWQiOiAiMT IzNDUifQ version purpose payload footer
@rdegges @oktadev What's inside a PASETO? P { "id": "a5db284d-d22c-4a3d-b67e-60776fc24526", "email": "r@rdegges.com", "permissions": [ "download:file-a.mp4", "download:file-b.mp4", "download:file-c.mp4" ] } claims
@rdegges @oktadev key name type example iss Issuer string {"iss": "okta.com"} sub Subject string {"sub": "test"} aud Audience string {"aud": "okta.com"} exp Expiration DateTime {"exp": "2019-10-31T00:00:00+00:00"} nbf Not Before DateTime {"nbf": "2019-10-31T00:00:00+00:00"} iat Issued At DateTime {"iat": "2019-10-31T00:00:00+00:00"} jti Token ID string {"jti": "ac478bc0-c73a-4a2c-8f00-186456cf8d88") kid Key-ID string {"kid": "stored in footer"} Who created the token? When does the token expire? When was the token created?
@rdegges @oktadev What are the different types of PASETOs? P P local public symmetric shared key simple asymmetricpublic key complicated encrypted not encrypted
@rdegges @oktadev How do local PASETOs work? v2.local.vB7daJlQOL5sY8mQa_FWb6ZYbkNi8yeRqI-DCFNEPTYEu7ItQH MMM5jzD_fw-G7l-AXJRBj3E9jxx9-JS5eG436WGUn03zYp2nuV3PVqppEyR P9LoZ1TTBREhR182NRcNYqUkM8FfazWegWcLc1gSzFXx0Kge4U7XHtAlliT rR8p09hH6qVpqAsgMdp00ao66JX_mxlEjkL3y784CoAK-gyy_ZZ1WzAvYAj QApl859RxnB9uLMpb-VURmetmrw9sC_Iw27to46ulTcMxx_KoSBem9eSG5M 4bvNQC5YFeDLIM2HXDf35YIo50.eyJraWQiOiAiMTIzNDUifQ secret_key { json } fuck The secret_key is needed to both encrypt and decrypt the PASETO.
@rdegges @oktadev How do I use local PASETOs? www. P secret_key dl. { "purchaseID": "1234567", "permissions": [ "download:video1.mp4", "download:video2.mp4", "download:video3.mp4" ] } ?token=v2.local.xxx& file=video1.mp4 - Parse URL params - Decrypt token - Verify purchaseID - Verify permissions - Stream file to user video1.mp4 I want to download video1.mp4. secret_key - Validate request - Generate PASETO - Redirect
@rdegges @oktadev How do public PASETOs work? v2.public.vB7daJlQOL5sY8mQa_FWb6ZYbkNi8yeRqI-DCFNEPTYEu7ItQ HMMM5jzD_fw-G7l-AXJRBj3E9jxx9-JS5eG436WGUn03zYp2nuV3PVqppEy RP9LoZ1TTBREhR182NRcNYqUkM8FfazWegWcLc1gSzFXx0Kge4U7XHtAlli TrR8p09hH6qVpqAsgMdp00ao66JX_mxlEjkL3y784CoAK-gyy_ZZ1WzAvYA jQApl859RxnB9uLMpb-VURmetmrw9sC_Iw27to46ulTcMxx_KoSBem9eSG5 M4bvNQC5YFeDLIM2HXDf35YIo50.eyJraWQiOiAiMTIzNDUifQ private key { json } I can see the data. The private key is needed to create the PASETO. The public key is need to validate the PASETO. public key
@rdegges @oktadev How do I use public PASETOs? website P public_key authorization server private_key public_key { "userID": "1234567" } I'd like to log in. - Authenticate the user - Generate a PASETO - Redirect the user back to the website ?token=v2.public.xxx - Parse the token out of the URL - Validate the token - Create a secure session using server-side session management
@rdegges @oktadev Why are PASETOs better than JWTs?
@rdegges @oktadev What's wrong with JWTs? Allows poor cryptography choices - RSA w/ PKCS #1v1.5 padding - RSA w/ OAEP Padding - Elliptic Curve Diffie-Hellman (ECDH) using Weierstrass curves - AES-GCM They're widely misused. Force implementations to strictly process the alg header. This causes forgery issues. Vulnerable to a padding oracle attack. Cryptographers recommend migrating away from RSA. Introduces risk of invalid-curve attacks that allow attackers to steal your secret keys. This is the wrong type of cryptography entirely. Using symmetric encryption when asymetric is needed.
@rdegges @oktadev Try PASETO! P paseto.io read the RFC find developer libraries discover articles
@rdegges @oktadev Thank You rdegges.com developer.okta.com

Recomendados

11th rep of ese.cmdy .banu
11th rep of ese.cmdy .banu11th rep of ese.cmdy .banu
11th rep of ese.cmdy .banuahsanrabbani
 
Spring Roo 2.0 Preview at Spring I/O 2016
Spring Roo 2.0 Preview at Spring I/O 2016 Spring Roo 2.0 Preview at Spring I/O 2016
Spring Roo 2.0 Preview at Spring I/O 2016 DISID
 
GraphQL, l'avenir du REST ?
GraphQL, l'avenir du REST ?GraphQL, l'avenir du REST ?
GraphQL, l'avenir du REST ?Francois Zaninotto
 
We-built-a-honeypot-and-p4wned-ransomware-developers-too
We-built-a-honeypot-and-p4wned-ransomware-developers-tooWe-built-a-honeypot-and-p4wned-ransomware-developers-too
We-built-a-honeypot-and-p4wned-ransomware-developers-tooChristiaan Beek
 
Securing the Web without site-specific passwords
Securing the Web without site-specific passwordsSecuring the Web without site-specific passwords
Securing the Web without site-specific passwordsFrancois Marier
 
Proteus 8051lcd
Proteus 8051lcdProteus 8051lcd
Proteus 8051lcdmohsen_seif
 
Demystifying REST - SFRails meetup
Demystifying REST - SFRails meetupDemystifying REST - SFRails meetup
Demystifying REST - SFRails meetupKirsten Hunter
 
DNS May Be Hazardous to Your Health
DNS May Be Hazardous to Your HealthDNS May Be Hazardous to Your Health
DNS May Be Hazardous to Your HealthRobert Stucke
 

Recomendados

11th rep of ese.cmdy .banu
11th rep of ese.cmdy .banu11th rep of ese.cmdy .banu
11th rep of ese.cmdy .banuahsanrabbani
 
Spring Roo 2.0 Preview at Spring I/O 2016
Spring Roo 2.0 Preview at Spring I/O 2016 Spring Roo 2.0 Preview at Spring I/O 2016
Spring Roo 2.0 Preview at Spring I/O 2016 DISID
 
GraphQL, l'avenir du REST ?
GraphQL, l'avenir du REST ?GraphQL, l'avenir du REST ?
GraphQL, l'avenir du REST ?Francois Zaninotto
 
We-built-a-honeypot-and-p4wned-ransomware-developers-too
We-built-a-honeypot-and-p4wned-ransomware-developers-tooWe-built-a-honeypot-and-p4wned-ransomware-developers-too
We-built-a-honeypot-and-p4wned-ransomware-developers-tooChristiaan Beek
 
Securing the Web without site-specific passwords
Securing the Web without site-specific passwordsSecuring the Web without site-specific passwords
Securing the Web without site-specific passwordsFrancois Marier
 
Proteus 8051lcd
Proteus 8051lcdProteus 8051lcd
Proteus 8051lcdmohsen_seif
 
Demystifying REST - SFRails meetup
Demystifying REST - SFRails meetupDemystifying REST - SFRails meetup
Demystifying REST - SFRails meetupKirsten Hunter
 
DNS May Be Hazardous to Your Health
DNS May Be Hazardous to Your HealthDNS May Be Hazardous to Your Health
DNS May Be Hazardous to Your HealthRobert Stucke
 
Introduction To Encryption in Lasso 8.5
Introduction To Encryption in Lasso 8.5Introduction To Encryption in Lasso 8.5
Introduction To Encryption in Lasso 8.5bilcorry
 
Designing a Horizontally Scalable Event-Driven Big Data Architecture with Apa...
Designing a Horizontally Scalable Event-Driven Big Data Architecture with Apa...Designing a Horizontally Scalable Event-Driven Big Data Architecture with Apa...
Designing a Horizontally Scalable Event-Driven Big Data Architecture with Apa...Ricardo Fanjul Fandiño
 
Logstash for SEO: come monitorare i Log del Web Server in realtime
Logstash for SEO: come monitorare i Log del Web Server in realtimeLogstash for SEO: come monitorare i Log del Web Server in realtime
Logstash for SEO: come monitorare i Log del Web Server in realtimeAndrea Cardinale
 
Mobile Bitcoin Wallet Security - Andras Mendik
Mobile Bitcoin Wallet Security - Andras MendikMobile Bitcoin Wallet Security - Andras Mendik
Mobile Bitcoin Wallet Security - Andras MendikBitcoin Barcamp
 
Tackling Legacy Code November 2015
Tackling Legacy Code November 2015Tackling Legacy Code November 2015
Tackling Legacy Code November 2015Tomas Malmsten
 
JSON Web Tokens Will Improve Your Life
JSON Web Tokens Will Improve Your LifeJSON Web Tokens Will Improve Your Life
JSON Web Tokens Will Improve Your LifeJohn Anderson
 
Yahoo! Mail antispam - Bay area Hadoop user group
Yahoo! Mail antispam - Bay area Hadoop user groupYahoo! Mail antispam - Bay area Hadoop user group
Yahoo! Mail antispam - Bay area Hadoop user groupHadoop User Group
 
Grokking Grok: Monitorama PDX 2015
Grokking Grok: Monitorama PDX 2015Grokking Grok: Monitorama PDX 2015
Grokking Grok: Monitorama PDX 2015GregMefford
 
Fighting fraud: finding duplicates at scale
Fighting fraud: finding duplicates at scaleFighting fraud: finding duplicates at scale
Fighting fraud: finding duplicates at scaleAlexey Grigorev
 
Pagos electrónicos web
Pagos electrónicos webPagos electrónicos web
Pagos electrónicos webYerko Bravo
 
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.SecuRing
 
"We need to go deeper - testing inception apps" - Jakub Kałużny
"We need to go deeper - testing inception apps" - Jakub Kałużny"We need to go deeper - testing inception apps" - Jakub Kałużny
"We need to go deeper - testing inception apps" - Jakub KałużnyPROIDEA
 
Svelte (adjective): Attractively thin, graceful, and stylish
Svelte (adjective): Attractively thin, graceful, and stylishSvelte (adjective): Attractively thin, graceful, and stylish
Svelte (adjective): Attractively thin, graceful, and stylishThe Software House
 
Porque VIM?
Porque VIM?Porque VIM?
Porque VIM?Augusto Pascutti
 
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)Joel Lord
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey GordeychikCODE BLUE
 
Safely Protect PostgreSQL Passwords - Tell Others to SCRAM
Safely Protect PostgreSQL Passwords - Tell Others to SCRAMSafely Protect PostgreSQL Passwords - Tell Others to SCRAM
Safely Protect PostgreSQL Passwords - Tell Others to SCRAMJonathan Katz
 
Your code is not a string
Your code is not a stringYour code is not a string
Your code is not a stringIngvar Stepanyan
 
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)Joel Lord
 
Get Your Insecure PostgreSQL Passwords to SCRAM
Get Your Insecure PostgreSQL Passwords to SCRAMGet Your Insecure PostgreSQL Passwords to SCRAM
Get Your Insecure PostgreSQL Passwords to SCRAMJonathan Katz
 
Building Reliability - The Realities of Observability
Building Reliability - The Realities of ObservabilityBuilding Reliability - The Realities of Observability
Building Reliability - The Realities of ObservabilityAll Things Open
 
Modern Database Best Practices
Modern Database Best PracticesModern Database Best Practices
Modern Database Best PracticesAll Things Open
 

Más contenido relacionado

Similar a An Introduction to PASETO Tokens

Introduction To Encryption in Lasso 8.5
Introduction To Encryption in Lasso 8.5Introduction To Encryption in Lasso 8.5
Introduction To Encryption in Lasso 8.5bilcorry
 
Designing a Horizontally Scalable Event-Driven Big Data Architecture with Apa...
Designing a Horizontally Scalable Event-Driven Big Data Architecture with Apa...Designing a Horizontally Scalable Event-Driven Big Data Architecture with Apa...
Designing a Horizontally Scalable Event-Driven Big Data Architecture with Apa...Ricardo Fanjul Fandiño
 
Logstash for SEO: come monitorare i Log del Web Server in realtime
Logstash for SEO: come monitorare i Log del Web Server in realtimeLogstash for SEO: come monitorare i Log del Web Server in realtime
Logstash for SEO: come monitorare i Log del Web Server in realtimeAndrea Cardinale
 
Mobile Bitcoin Wallet Security - Andras Mendik
Mobile Bitcoin Wallet Security - Andras MendikMobile Bitcoin Wallet Security - Andras Mendik
Mobile Bitcoin Wallet Security - Andras MendikBitcoin Barcamp
 
Tackling Legacy Code November 2015
Tackling Legacy Code November 2015Tackling Legacy Code November 2015
Tackling Legacy Code November 2015Tomas Malmsten
 
JSON Web Tokens Will Improve Your Life
JSON Web Tokens Will Improve Your LifeJSON Web Tokens Will Improve Your Life
JSON Web Tokens Will Improve Your LifeJohn Anderson
 
Yahoo! Mail antispam - Bay area Hadoop user group
Yahoo! Mail antispam - Bay area Hadoop user groupYahoo! Mail antispam - Bay area Hadoop user group
Yahoo! Mail antispam - Bay area Hadoop user groupHadoop User Group
 
Grokking Grok: Monitorama PDX 2015
Grokking Grok: Monitorama PDX 2015Grokking Grok: Monitorama PDX 2015
Grokking Grok: Monitorama PDX 2015GregMefford
 
Fighting fraud: finding duplicates at scale
Fighting fraud: finding duplicates at scaleFighting fraud: finding duplicates at scale
Fighting fraud: finding duplicates at scaleAlexey Grigorev
 
Pagos electrónicos web
Pagos electrónicos webPagos electrónicos web
Pagos electrónicos webYerko Bravo
 
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.SecuRing
 
"We need to go deeper - testing inception apps" - Jakub Kałużny
"We need to go deeper - testing inception apps" - Jakub Kałużny"We need to go deeper - testing inception apps" - Jakub Kałużny
"We need to go deeper - testing inception apps" - Jakub KałużnyPROIDEA
 
Svelte (adjective): Attractively thin, graceful, and stylish
Svelte (adjective): Attractively thin, graceful, and stylishSvelte (adjective): Attractively thin, graceful, and stylish
Svelte (adjective): Attractively thin, graceful, and stylishThe Software House
 
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)Joel Lord
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey GordeychikCODE BLUE
 
Safely Protect PostgreSQL Passwords - Tell Others to SCRAM
Safely Protect PostgreSQL Passwords - Tell Others to SCRAMSafely Protect PostgreSQL Passwords - Tell Others to SCRAM
Safely Protect PostgreSQL Passwords - Tell Others to SCRAMJonathan Katz
 
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)Joel Lord
 
Get Your Insecure PostgreSQL Passwords to SCRAM
Get Your Insecure PostgreSQL Passwords to SCRAMGet Your Insecure PostgreSQL Passwords to SCRAM
Get Your Insecure PostgreSQL Passwords to SCRAMJonathan Katz
 

Similar a An Introduction to PASETO Tokens (20)

Introduction To Encryption in Lasso 8.5
Introduction To Encryption in Lasso 8.5Introduction To Encryption in Lasso 8.5
Introduction To Encryption in Lasso 8.5
 
Designing a Horizontally Scalable Event-Driven Big Data Architecture with Apa...
Designing a Horizontally Scalable Event-Driven Big Data Architecture with Apa...Designing a Horizontally Scalable Event-Driven Big Data Architecture with Apa...
Designing a Horizontally Scalable Event-Driven Big Data Architecture with Apa...
 
Logstash for SEO: come monitorare i Log del Web Server in realtime
Logstash for SEO: come monitorare i Log del Web Server in realtimeLogstash for SEO: come monitorare i Log del Web Server in realtime
Logstash for SEO: come monitorare i Log del Web Server in realtime
 
Mobile Bitcoin Wallet Security - Andras Mendik
Mobile Bitcoin Wallet Security - Andras MendikMobile Bitcoin Wallet Security - Andras Mendik
Mobile Bitcoin Wallet Security - Andras Mendik
 
Tackling Legacy Code November 2015
Tackling Legacy Code November 2015Tackling Legacy Code November 2015
Tackling Legacy Code November 2015
 
JSON Web Tokens Will Improve Your Life
JSON Web Tokens Will Improve Your LifeJSON Web Tokens Will Improve Your Life
JSON Web Tokens Will Improve Your Life
 
Yahoo! Mail antispam - Bay area Hadoop user group
Yahoo! Mail antispam - Bay area Hadoop user groupYahoo! Mail antispam - Bay area Hadoop user group
Yahoo! Mail antispam - Bay area Hadoop user group
 
Grokking Grok: Monitorama PDX 2015
Grokking Grok: Monitorama PDX 2015Grokking Grok: Monitorama PDX 2015
Grokking Grok: Monitorama PDX 2015
 
Fighting fraud: finding duplicates at scale
Fighting fraud: finding duplicates at scaleFighting fraud: finding duplicates at scale
Fighting fraud: finding duplicates at scale
 
Pagos electrónicos web
Pagos electrónicos webPagos electrónicos web
Pagos electrónicos web
 
We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.We need t go deeper - Testing inception apps.
We need t go deeper - Testing inception apps.
 
"We need to go deeper - testing inception apps" - Jakub Kałużny
"We need to go deeper - testing inception apps" - Jakub Kałużny"We need to go deeper - testing inception apps" - Jakub Kałużny
"We need to go deeper - testing inception apps" - Jakub Kałużny
 
Svelte (adjective): Attractively thin, graceful, and stylish
Svelte (adjective): Attractively thin, graceful, and stylishSvelte (adjective): Attractively thin, graceful, and stylish
Svelte (adjective): Attractively thin, graceful, and stylish
 
Porque VIM?
Porque VIM?Porque VIM?
Porque VIM?
 
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
 
Safely Protect PostgreSQL Passwords - Tell Others to SCRAM
Safely Protect PostgreSQL Passwords - Tell Others to SCRAMSafely Protect PostgreSQL Passwords - Tell Others to SCRAM
Safely Protect PostgreSQL Passwords - Tell Others to SCRAM
 
Your code is not a string
Your code is not a stringYour code is not a string
Your code is not a string
 
I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)I Don't Care About Security (And Neither Should You)
I Don't Care About Security (And Neither Should You)
 
Get Your Insecure PostgreSQL Passwords to SCRAM
Get Your Insecure PostgreSQL Passwords to SCRAMGet Your Insecure PostgreSQL Passwords to SCRAM
Get Your Insecure PostgreSQL Passwords to SCRAM
 

Más de All Things Open

Building Reliability - The Realities of Observability
Building Reliability - The Realities of ObservabilityBuilding Reliability - The Realities of Observability
Building Reliability - The Realities of ObservabilityAll Things Open
 
Modern Database Best Practices
Modern Database Best PracticesModern Database Best Practices
Modern Database Best PracticesAll Things Open
 
Open Source and Public Policy
Open Source and Public PolicyOpen Source and Public Policy
Open Source and Public PolicyAll Things Open
 
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...All Things Open
 
The State of Passwordless Auth on the Web - Phil Nash
The State of Passwordless Auth on the Web - Phil NashThe State of Passwordless Auth on the Web - Phil Nash
The State of Passwordless Auth on the Web - Phil NashAll Things Open
 
Total ReDoS: The dangers of regex in JavaScript
Total ReDoS: The dangers of regex in JavaScriptTotal ReDoS: The dangers of regex in JavaScript
Total ReDoS: The dangers of regex in JavaScriptAll Things Open
 
What Does Real World Mass Adoption of Decentralized Tech Look Like?
What Does Real World Mass Adoption of Decentralized Tech Look Like?What Does Real World Mass Adoption of Decentralized Tech Look Like?
What Does Real World Mass Adoption of Decentralized Tech Look Like?All Things Open
 
How to Write & Deploy a Smart Contract
How to Write & Deploy a Smart ContractHow to Write & Deploy a Smart Contract
How to Write & Deploy a Smart ContractAll Things Open
 
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlowAll Things Open
 
DEI Challenges and Success
DEI Challenges and SuccessDEI Challenges and Success
DEI Challenges and SuccessAll Things Open
 
Scaling Web Applications with Background
Scaling Web Applications with BackgroundScaling Web Applications with Background
Scaling Web Applications with BackgroundAll Things Open
 
Supercharging tutorials with WebAssembly
Supercharging tutorials with WebAssemblySupercharging tutorials with WebAssembly
Supercharging tutorials with WebAssemblyAll Things Open
 
Using SQL to Find Needles in Haystacks
Using SQL to Find Needles in HaystacksUsing SQL to Find Needles in Haystacks
Using SQL to Find Needles in HaystacksAll Things Open
 
Configuration Security as a Game of Pursuit Intercept
Configuration Security as a Game of Pursuit InterceptConfiguration Security as a Game of Pursuit Intercept
Configuration Security as a Game of Pursuit InterceptAll Things Open
 
Scaling an Open Source Sponsorship Program
Scaling an Open Source Sponsorship ProgramScaling an Open Source Sponsorship Program
Scaling an Open Source Sponsorship ProgramAll Things Open
 
Build Developer Experience Teams for Open Source
Build Developer Experience Teams for Open SourceBuild Developer Experience Teams for Open Source
Build Developer Experience Teams for Open SourceAll Things Open
 
Deploying Models at Scale with Apache Beam
Deploying Models at Scale with Apache BeamDeploying Models at Scale with Apache Beam
Deploying Models at Scale with Apache BeamAll Things Open
 
Sudo – Giving access while staying in control
Sudo – Giving access while staying in controlSudo – Giving access while staying in control
Sudo – Giving access while staying in controlAll Things Open
 
Fortifying the Future: Tackling Security Challenges in AI/ML Applications
Fortifying the Future: Tackling Security Challenges in AI/ML ApplicationsFortifying the Future: Tackling Security Challenges in AI/ML Applications
Fortifying the Future: Tackling Security Challenges in AI/ML ApplicationsAll Things Open
 
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...All Things Open
 

Más de All Things Open (20)

Building Reliability - The Realities of Observability
Building Reliability - The Realities of ObservabilityBuilding Reliability - The Realities of Observability
Building Reliability - The Realities of Observability
 
Modern Database Best Practices
Modern Database Best PracticesModern Database Best Practices
Modern Database Best Practices
 
Open Source and Public Policy
Open Source and Public PolicyOpen Source and Public Policy
Open Source and Public Policy
 
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...
 
The State of Passwordless Auth on the Web - Phil Nash
The State of Passwordless Auth on the Web - Phil NashThe State of Passwordless Auth on the Web - Phil Nash
The State of Passwordless Auth on the Web - Phil Nash
 
Total ReDoS: The dangers of regex in JavaScript
Total ReDoS: The dangers of regex in JavaScriptTotal ReDoS: The dangers of regex in JavaScript
Total ReDoS: The dangers of regex in JavaScript
 
What Does Real World Mass Adoption of Decentralized Tech Look Like?
What Does Real World Mass Adoption of Decentralized Tech Look Like?What Does Real World Mass Adoption of Decentralized Tech Look Like?
What Does Real World Mass Adoption of Decentralized Tech Look Like?
 
How to Write & Deploy a Smart Contract
How to Write & Deploy a Smart ContractHow to Write & Deploy a Smart Contract
How to Write & Deploy a Smart Contract
 
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
 
DEI Challenges and Success
DEI Challenges and SuccessDEI Challenges and Success
DEI Challenges and Success
 
Scaling Web Applications with Background
Scaling Web Applications with BackgroundScaling Web Applications with Background
Scaling Web Applications with Background
 
Supercharging tutorials with WebAssembly
Supercharging tutorials with WebAssemblySupercharging tutorials with WebAssembly
Supercharging tutorials with WebAssembly
 
Using SQL to Find Needles in Haystacks
Using SQL to Find Needles in HaystacksUsing SQL to Find Needles in Haystacks
Using SQL to Find Needles in Haystacks
 
Configuration Security as a Game of Pursuit Intercept
Configuration Security as a Game of Pursuit InterceptConfiguration Security as a Game of Pursuit Intercept
Configuration Security as a Game of Pursuit Intercept
 
Scaling an Open Source Sponsorship Program
Scaling an Open Source Sponsorship ProgramScaling an Open Source Sponsorship Program
Scaling an Open Source Sponsorship Program
 
Build Developer Experience Teams for Open Source
Build Developer Experience Teams for Open SourceBuild Developer Experience Teams for Open Source
Build Developer Experience Teams for Open Source
 
Deploying Models at Scale with Apache Beam
Deploying Models at Scale with Apache BeamDeploying Models at Scale with Apache Beam
Deploying Models at Scale with Apache Beam
 
Sudo – Giving access while staying in control
Sudo – Giving access while staying in controlSudo – Giving access while staying in control
Sudo – Giving access while staying in control
 
Fortifying the Future: Tackling Security Challenges in AI/ML Applications
Fortifying the Future: Tackling Security Challenges in AI/ML ApplicationsFortifying the Future: Tackling Security Challenges in AI/ML Applications
Fortifying the Future: Tackling Security Challenges in AI/ML Applications
 
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...
 

Último

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 

Último (20)

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 

An Introduction to PASETO Tokens

  • 1. @rdegges @oktadev PASETO Tokens An Introduction to platform agnostic security tokens
  • 2. @rdegges @oktadev Chief Hacker @okta python/js/go hacker builder open source author Hi, I'm Randall.
  • 3. @rdegges @oktadev What's PASETO? P { "id": "a5db284d-d22c-4a3d-b67e-60776fc24526", "email": "r@rdegges.com", "permissions": [ "download:file-a.mp4", "download:file-b.mp4", "download:file-c.mp4" ] } Randall Degges PASETOs are always authenticated.
  • 4. @rdegges @oktadev What are cryptographic signatures? Greetings, I am writing to inform you that you are the great grandson of a very wealthy king. I've been attempting to contact you to transfer your inheritance. Please send me your bank account details so I can initiate the transfer ASAP. Sincerely yours, Randall Degges I know who Randall is. I know what his signature looks like. I trust him. Therefore, I trust this information.
  • 5. @rdegges @oktadev What are PASETOs for? Proving that JSON data can be trusted. { "name": "Randall Degges", "height": "6'0", "eyeColor": "brown" } single-use only short duration P
  • 6. @rdegges @oktadev What does a PASETO look like? P v2.public.eyJpZCI6ICJjNDQ1NDY1Mi05NWExLTQ2MzktODA0Y y0yZjc2MTVhNGMwMjciLCAibmFtZSI6ICJSYW5kYWxsIERlZ2dl cyIsICJleHAiOiAiMjAxOS0xMC0xMFQxMTowNDozNS0wNzowMCJ 9rUy35ian_44WAlMLVi5Wk4GGvDlmCpEWkldn1CH3RgLfo-VUWm xC9EPTBY8l0uoomavACbAIoo1OiGVNMew1Bw.eyJraWQiOiAiMT IzNDUifQbase64-encoded URL safe!
  • 7. @rdegges @oktadev What does a PASETO look like? P v2.public.eyJpZCI6ICJjNDQ1NDY1Mi05NWExLTQ2MzktODA0Y y0yZjc2MTVhNGMwMjciLCAibmFtZSI6ICJSYW5kYWxsIERlZ2dl cyIsICJleHAiOiAiMjAxOS0xMC0xMFQxMTowNDozNS0wNzowMCJ 9rUy35ian_44WAlMLVi5Wk4GGvDlmCpEWkldn1CH3RgLfo-VUWm xC9EPTBY8l0uoomavACbAIoo1OiGVNMew1Bw.eyJraWQiOiAiMT IzNDUifQ version
  • 8. @rdegges @oktadev What does a PASETO look like? P v2.public.eyJpZCI6ICJjNDQ1NDY1Mi05NWExLTQ2MzktODA0Y y0yZjc2MTVhNGMwMjciLCAibmFtZSI6ICJSYW5kYWxsIERlZ2dl cyIsICJleHAiOiAiMjAxOS0xMC0xMFQxMTowNDozNS0wNzowMCJ 9rUy35ian_44WAlMLVi5Wk4GGvDlmCpEWkldn1CH3RgLfo-VUWm xC9EPTBY8l0uoomavACbAIoo1OiGVNMew1Bw.eyJraWQiOiAiMT IzNDUifQ version purpose
  • 9. @rdegges @oktadev What does a PASETO look like? P v2.public.eyJpZCI6ICJjNDQ1NDY1Mi05NWExLTQ2MzktODA0Y y0yZjc2MTVhNGMwMjciLCAibmFtZSI6ICJSYW5kYWxsIERlZ2dl cyIsICJleHAiOiAiMjAxOS0xMC0xMFQxMTowNDozNS0wNzowMCJ 9rUy35ian_44WAlMLVi5Wk4GGvDlmCpEWkldn1CH3RgLfo-VUWm xC9EPTBY8l0uoomavACbAIoo1OiGVNMew1Bw.eyJraWQiOiAiMT IzNDUifQ version purpose payload
  • 10. @rdegges @oktadev What does a PASETO look like? P v2.public.eyJpZCI6ICJjNDQ1NDY1Mi05NWExLTQ2MzktODA0Y y0yZjc2MTVhNGMwMjciLCAibmFtZSI6ICJSYW5kYWxsIERlZ2dl cyIsICJleHAiOiAiMjAxOS0xMC0xMFQxMTowNDozNS0wNzowMCJ 9rUy35ian_44WAlMLVi5Wk4GGvDlmCpEWkldn1CH3RgLfo-VUWm xC9EPTBY8l0uoomavACbAIoo1OiGVNMew1Bw.eyJraWQiOiAiMT IzNDUifQ version purpose payload footer
  • 11. @rdegges @oktadev What's inside a PASETO? P { "id": "a5db284d-d22c-4a3d-b67e-60776fc24526", "email": "r@rdegges.com", "permissions": [ "download:file-a.mp4", "download:file-b.mp4", "download:file-c.mp4" ] } claims
  • 12. @rdegges @oktadev key name type example iss Issuer string {"iss": "okta.com"} sub Subject string {"sub": "test"} aud Audience string {"aud": "okta.com"} exp Expiration DateTime {"exp": "2019-10-31T00:00:00+00:00"} nbf Not Before DateTime {"nbf": "2019-10-31T00:00:00+00:00"} iat Issued At DateTime {"iat": "2019-10-31T00:00:00+00:00"} jti Token ID string {"jti": "ac478bc0-c73a-4a2c-8f00-186456cf8d88") kid Key-ID string {"kid": "stored in footer"} Who created the token? When does the token expire? When was the token created?
  • 13. @rdegges @oktadev What are the different types of PASETOs? P P local public symmetric shared key simple asymmetricpublic key complicated encrypted not encrypted
  • 14. @rdegges @oktadev How do local PASETOs work? v2.local.vB7daJlQOL5sY8mQa_FWb6ZYbkNi8yeRqI-DCFNEPTYEu7ItQH MMM5jzD_fw-G7l-AXJRBj3E9jxx9-JS5eG436WGUn03zYp2nuV3PVqppEyR P9LoZ1TTBREhR182NRcNYqUkM8FfazWegWcLc1gSzFXx0Kge4U7XHtAlliT rR8p09hH6qVpqAsgMdp00ao66JX_mxlEjkL3y784CoAK-gyy_ZZ1WzAvYAj QApl859RxnB9uLMpb-VURmetmrw9sC_Iw27to46ulTcMxx_KoSBem9eSG5M 4bvNQC5YFeDLIM2HXDf35YIo50.eyJraWQiOiAiMTIzNDUifQ secret_key { json } fuck The secret_key is needed to both encrypt and decrypt the PASETO.
  • 15. @rdegges @oktadev How do I use local PASETOs? www. P secret_key dl. { "purchaseID": "1234567", "permissions": [ "download:video1.mp4", "download:video2.mp4", "download:video3.mp4" ] } ?token=v2.local.xxx& file=video1.mp4 - Parse URL params - Decrypt token - Verify purchaseID - Verify permissions - Stream file to user video1.mp4 I want to download video1.mp4. secret_key - Validate request - Generate PASETO - Redirect
  • 16. @rdegges @oktadev How do public PASETOs work? v2.public.vB7daJlQOL5sY8mQa_FWb6ZYbkNi8yeRqI-DCFNEPTYEu7ItQ HMMM5jzD_fw-G7l-AXJRBj3E9jxx9-JS5eG436WGUn03zYp2nuV3PVqppEy RP9LoZ1TTBREhR182NRcNYqUkM8FfazWegWcLc1gSzFXx0Kge4U7XHtAlli TrR8p09hH6qVpqAsgMdp00ao66JX_mxlEjkL3y784CoAK-gyy_ZZ1WzAvYA jQApl859RxnB9uLMpb-VURmetmrw9sC_Iw27to46ulTcMxx_KoSBem9eSG5 M4bvNQC5YFeDLIM2HXDf35YIo50.eyJraWQiOiAiMTIzNDUifQ private key { json } I can see the data. The private key is needed to create the PASETO. The public key is need to validate the PASETO. public key
  • 17. @rdegges @oktadev How do I use public PASETOs? website P public_key authorization server private_key public_key { "userID": "1234567" } I'd like to log in. - Authenticate the user - Generate a PASETO - Redirect the user back to the website ?token=v2.public.xxx - Parse the token out of the URL - Validate the token - Create a secure session using server-side session management
  • 18. @rdegges @oktadev Why are PASETOs better than JWTs?
  • 19. @rdegges @oktadev What's wrong with JWTs? Allows poor cryptography choices - RSA w/ PKCS #1v1.5 padding - RSA w/ OAEP Padding - Elliptic Curve Diffie-Hellman (ECDH) using Weierstrass curves - AES-GCM They're widely misused. Force implementations to strictly process the alg header. This causes forgery issues. Vulnerable to a padding oracle attack. Cryptographers recommend migrating away from RSA. Introduces risk of invalid-curve attacks that allow attackers to steal your secret keys. This is the wrong type of cryptography entirely. Using symmetric encryption when asymetric is needed.
  • 20. @rdegges @oktadev Try PASETO! P paseto.io read the RFC find developer libraries discover articles