Secure Your SPA
Using Auth0
@joel__lord
#confoo
About Me
@joel__lord
joellord
But Why?
Delegation!
What's wrong with traditional auth?
- Multiple platforms connecting to your application
- Tightly coupled
- Sharing credentials to connect to another API
- Users have a gazillion passwords to remember, which increases security risks
OAuth - The Flows
Authorization Code
Authentication Flows
Implicit Flow
Tokens 101
OAuth Tokens

Access Token
- Gives you access to a resource
- Controls access to your API
- Short-lived

Refresh Token
- Enables you to get a new token
- Long-lived
- Can be revoked
Note that the implicit flow returns no refresh token to the SPA: RFC 6749 forbids issuing one in that grant.
OAuth Tokens
- WS-Federation
- SAML
- JWT
- Custom stuff
- More…
JSON Web Token
! Header
! Payload
! Signature
Header
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload
{
  "sub": "1234567890",
  "name": "Joel Lord",
  "admin": true,
  "scope": "posts:read posts:write"
}
Signature
HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret)
JSON Web Token (base64url-encoded segments)
Header
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
Payload
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvZWwgTG9yZCIsImFkbWluIjp0cnVlLCJzY29wZSI6InBvc3RzOnJlYWQgcG9zdHM6d3JpdGUifQ
Signature
XesR-pKdlscHfUwoKvHnACqfpe2ywJ6t1BJKsq9rEcg
JSON Web Token (the three segments joined with ".")
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvZWwgTG9yZCIsImFkbWluIjp0cnVlLCJzY29wZSI6InBvc3RzOnJlYWQgcG9zdHM6d3JpdGUifQ.XesR-pKdlscHfUwoKvHnACqfpe2ywJ6t1BJKsq9rEcg
JSON Web Token
Image: https://jwt.io
Auth Server API
Codiiiing Time!
Secure Your SPA
js-Montreal, March 2018
@joel__lord
joellord
