Presentations
Templates
Features
Teams
Pricing
Log in
Sign up

Log in
Sign up

A Token Walks Into a Bar ...

SPA

Ado Kukic

Developer Evangelist

Auth0

@kukicado

SPA

Security Best Practices

...

https://piedpiper.com

User

📃

https://api.piedpiper.com

https://app.piedpiper.com

PiedPiper

OK, PiedPiper

JSON Web Tokens

JWT's (RFC 7519) are an open industry standard method for representing claims securely between two parties.

JSON Web Tokens

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOmZhbHNlfQ.uI_rNanTsZ_wFa1VnICzq2txKeYPArda5QLdVeQYFGI

How is a Drivers License like a JSON Web Token?

Header

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOmZhbHNlfQ.uI_rNanTsZ_wFa1VnICzq2txKeYPArda5QLdVeQYFGI

Drivers License

New York State

{
  "alg":"HS256",
  "typ":"JWT"
}

Payload

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOmZhbHNlfQ.uI_rNanTsZ_wFa1VnICzq2txKeYPArda5QLdVeQYFGI

Picture

Name

Address

Demographics

Restrictions

{
  "sub": "1234567890",
  "given_name": "Thor",      
  "family_name" : "Odinson",
  "admin": true
}

Signature

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOmZhbHNlfQ.uI_rNanTsZ_wFa1VnICzq2txKeYPArda5QLdVeQYFGI

UV Light

Hologram

HMACSHA256(
  header + "." + payload,
  "lokisucks"
)

👍

📝

✋

💰

🔗

/v1/orders

✋

{ "status": 401 }

🔑

/v1/auth

🈺

{ 
  "status": 200,
  "jwt" :"eyJhbGciOiJIU.." 
}

🔗🈺

/v1/orders

-H "Authorization: Bearer eyJhbGciOiJ..."

📃

{ 
  "status": 200,
  "order_id" : 138,
  "total_cost" : 27.99,
  ...
}

🔑

🈺

🔗🈺

📃

🔑

🈺

🔗🈺

📃

🔄

🈺

🔗🈺

📃

Resources

Overview of JWT Signing Algorithms

http://bit.ly/jwt-alg

Slides

http://bit.ly/devops-jwt

General JWT Resources

jwt.io

Summary

JSON Web Tokens are excellent for securing SPA applications.

Many excellent HTTP Libraries exist and makes it easy to work with JWT's.

Single Page Application security is mainly concerned with authorization.

A security guard couldn't stop Thor, but your server can refuse requests without valid JWT's.

Thank You

@kukicado

A Token Walks Into a Bar ... SPA

A Token Walks Into a Bar (DevOpsDays Denver)

By Ado Kukic

Made with Slides.com

A Token Walks Into a Bar (DevOpsDays Denver)

7 years ago
828

Ado Kukic

kukicado

More from Ado Kukic

Implementing Modern Identity and SIWA

Ado Kukic

815
DT-X Talk

Ado Kukic

833
UXDX Workshop

Ado Kukic

910
Modern Identity Management Means No Compromise

Ado Kukic

875

Tour

Presentations Trending decks Templates Features Pricing Slides for Teams Slides for Developers

Help

Forum Knowledge Base Developers Docs Leave Feedback Report an Issue

Company

News Changelog About Slides Security Partners

Resources

Make slides with AI Embed Google Maps Embed Google Forms Embed YouTube Convert PDF to Slides Convert PPT to Slides Convert Markdown to Slides

Terms • Privacy • © 2025 Slides, Inc.

BESbswyBESbswyBESbswyBESbswy