I have been talking with developers about JSON Web Tokens (JWTs) recently, and one question keeps coming up: “How do I revoke a JWT?”
If you poke around online, you’ll find that the most common answers are:
- Set the duration of the JWT to a short period (a few minutes)
- Implement complicated blacklisting techniques
There is no simple solution because JWTs are designed to be portable, decoupled identities. Once you authenticate against an identity provider (IdP) and get back a JWT, you don’t need to ask the IdP whether the JWT is still valid. This is particularly powerful when you use RSA public/private key signing: the IdP signs the JWT with its private key, and any service that holds the public key can verify the integrity of the JWT on its own.
Here’s a diagram that illustrates this architecture:
The Todo Backend uses the public key to verify the JWT’s signature and expiration, then pulls the user’s id (in this case the subject claim) out of the JWT and uses it to perform operations on that user’s data. However, because the Todo Backend never checks back with the IdP, it has no idea whether an administrator has since logged into the IdP and locked or deleted that user’s account. Until the token expires, it keeps getting accepted.
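The flow described above, as an added example that is not part of the original post or of any Inversoft product. It uses HS256 from Python’s standard library in place of the RSA signature the post describes so that it runs with no extra dependencies; with RS256 the backend would hold only the IdP’s public key rather than a shared secret, but the verification steps and the revocation gap are identical. The IdentityProvider and TodoBackend classes, the user id, the secret and the fixed clock are all constructed for the demo.

```python
"""Added example: an IdP issues a JWT, a backend verifies it locally, and the
backend keeps accepting it after the IdP locks the account, until it expires.
HS256 stands in for the RSA signature described in the post (assumption)."""
import base64
import hashlib
import hmac
import json
from typing import Optional

CLOCK = 1_700_000_000  # constructed fixed "now" so the run is deterministic


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def issue_jwt(secret: bytes, sub: str, now: int, ttl: int) -> str:
    """Build header.payload.signature with an exp claim ttl seconds ahead."""
    header = _json_segment({"alg": "HS256", "typ": "JWT"})
    payload = _json_segment({"sub": sub, "iat": now, "exp": now + ttl})
    signing_input = f"{header}.{payload}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_jwt(secret: bytes, token: str, now: int) -> Optional[dict]:
    """Return the claims if signature and exp check out, else None.
    The verifier pins the algorithm itself instead of trusting the header."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h64, p64, s64 = parts
    try:
        header = json.loads(_b64url_decode(h64))
        signature = _b64url_decode(s64)
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return None
        claims = json.loads(_b64url_decode(p64))  # only parsed once authenticated
    except (ValueError, AttributeError):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


class IdentityProvider:
    """Authenticates users and issues tokens; holds the only record of locked accounts."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.locked = set()

    def login(self, user_id: str, now: int, ttl: int = 3600) -> Optional[str]:
        if user_id in self.locked:
            return None
        return issue_jwt(self.secret, user_id, now, ttl)

    def lock(self, user_id: str) -> None:
        self.locked.add(user_id)


class TodoBackend:
    """Verifies tokens with only the key it was given; never calls the IdP."""

    def __init__(self, verification_key: bytes):
        self.key = verification_key

    def list_todos(self, token: Optional[str], now: int) -> str:
        claims = verify_jwt(self.key, token or "", now)
        if claims is None:
            return "401 Unauthorized"
        return f"200 todos for {claims['sub']}"


def demo(ttl: int = 300) -> dict:
    secret = b"constructed-demo-secret-do-not-reuse"
    idp = IdentityProvider(secret)
    backend = TodoBackend(secret)
    token = idp.login("user-42", CLOCK, ttl)
    results = {"before_lock": backend.list_todos(token, CLOCK + 10)}
    idp.lock("user-42")
    # The IdP now refuses new logins, but the backend cannot see that.
    results["new_login_after_lock"] = idp.login("user-42", CLOCK + 20, ttl)
    results["old_token_after_lock"] = backend.list_todos(token, CLOCK + 20)
    # Only expiry ends the token's life, which is why short TTLs are the usual advice.
    results["after_expiry"] = backend.list_todos(token, CLOCK + ttl)
    # Swapping the subject claim breaks the signature, so the backend rejects it.
    h64, _, s64 = token.split(".")
    forged = ".".join([h64, _json_segment({"sub": "admin", "iat": CLOCK, "exp": CLOCK + ttl}), s64])
    results["forged_subject"] = backend.list_todos(forged, CLOCK + 10)
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

The `old_token_after_lock` result is the whole problem in one line: the lock is recorded only at the IdP, and nothing in the token or in the backend’s verification step reflects it. Shortening `ttl` narrows the window; a deny list checked on every request closes it, at the cost of the very round trip the design was meant to avoid.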
At Inversoft, we like open source and we like Java.
When we built out our platform to support our new cloud product offerings we started using Chef to help us manage our deployment strategy.
When we began working on some new backend features for our cloud product offerings, I set out to find a Chef Client written in Java in order to simplify our integration.
As luck wouldn’t have it (yes, you read that correctly), I was unable to find a Java library that really made my life easier. There are other Chef libraries out there, but all of them were very lightweight wrappers around HTTP calls. Some went so far as to return the JSON response from the Chef server as a String rather than a proper POJO.
Rather than limping along with a library that was essentially a glorified URLConnection, I did what any software engineer would do: I wrote it myself.
Behold Barista! A native binding for Chef that provides rich domain objects and REST bindings to work with a Chef server.
Building a properly authenticated HTTP request to Chef is not great fun, so I don’t suggest you do it yourself unless you enjoy the pain. We’ve done the heavy lifting for you, and we did it without using any third-party encryption libraries. This means you can pick up this library without dragging along unnecessary dependencies like Bouncycastle.
We are honored to announce that Passport User Management won the DeveloperWeek 2016 Award for Top Innovator in API Services. We want to thank everyone who voted and our team, who work tirelessly to create high-quality software that real customers need and can rely on.
With the number of apps and mobile users projected to increase exponentially, developers who create the most advanced technology fastest will gain the competitive edge needed to stand out amongst the competition.
The software industry is ever-changing, focused on building and reshaping the way we live, work and play. 2015 was a tumultuous year for developers.
IT was impacted by innovations from within as well as by external factors, such as increased government regulation and cyber-crime originating both in the U.S. and abroad.
If you’re not a developer or some other breed of nerd, you may be asking “What the heck is an API and why does everyone keep talking about them?” API stands for ‘Application Programming Interface’. That definition doesn’t help much for the non-technical, so in practical terms it is simply a documented way for one application to talk to another application.
Why are we talking about APIs? Because they are cool! Yes, APIs are cool. Let me explain.
API vs. Ford Model T
If APIs are unfamiliar, it may be easier to start with a user interface, whose importance is obvious. When you get into your car, unless you’re one of the few remaining Ford Model T owners, you don’t have to cross wires and yank on pulleys to operate your vehicle. These manual steps are not required because the designer built a user interface for you to operate your vehicle. The interface includes the steering wheel, the gas and brake pedals and even some knobs to turn the heat up and down to keep you comfortable. The better this user interface is designed, the easier and more enjoyable it is to operate your vehicle.