[B! jwt] teppeisã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯

teppeis id:teppeis

jwtã«é–¢ã™ã‚‹teppeisã®ãƒ–ãƒƒã‚¯ãƒžãƒ¼ã‚¯ (28)

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

${{author_name}}$
{{author_name}}{{created}}
{{ #comment }}{{ comment }}{{ /comment }}
- {{ label }}

${{author_name}}$

{{{comment_expanded}}}

{{label}}

{{#is_bookmark}}ãƒªã‚¹ãƒˆ{{/is_bookmark}}{{^is_bookmark}}ãƒªãƒ³ã‚¯{{/is_bookmark}}

[2023-01-31 12:00 JST æ›´æ–°] JWTã®ã‚·ãƒ¼ã‚¯ãƒ¬ãƒƒãƒˆãƒã‚¤ã‚ºãƒ‹ãƒ³ã‚°ã«é–¢ã™ã‚‹å•é¡Œ
2019å¹´1æœˆ30æ—¥ PST æœ¬è„†å¼±æ€§ã®æ‚ªç”¨ã‚·ãƒŠãƒªã‚ªã®å‰ææ¡ä»¶ã«é–¢ã™ã‚‹ã‚³ãƒŸãƒ¥ãƒ‹ãƒ†ã‚£ã‹ã‚‰ã®ãƒ•ã‚£ãƒ¼ãƒ‰ãƒãƒƒã‚¯ã‚’å—ã‘ã€ç§ãŸã¡ã¯Auth0ã¨å”åŠ›ã—ã¦CVE-2022-23529ã‚’æ’¤å›žã™ã‚‹ã“ã¨ã‚’æ±ºå®šã—ã¾ã—ãŸã€‚ æœ¬ç¨¿ã§è§£èª¬ã—ãŸã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ã®å•é¡Œã¯JsonWebTokenãƒ©ã‚¤ãƒ–ãƒ©ãƒªãŒå®‰å…¨ã§ãªã„æ–¹æ³•ã§ä½¿ç”¨ã•ã‚ŒãŸå ´åˆã«ã¯ä¾ç„¶ã¨ã—ã¦æ‡¸å¿µã•ã‚Œã‚‹ã‚‚ã®ã§ã™ã€‚ãã®ã‚·ãƒŠãƒªã‚ªã§ã¯ã€ã™ã¹ã¦ã®å‰ææ¡ä»¶ã‚’æº€ãŸã›ã°ã“ã®å•é¡Œã‚’æ‚ªç”¨ã§ãã‚‹å¯èƒ½æ€§ãŒã‚ã‚Šã¾ã™ã€‚ç§ãŸã¡ã¯ã€ãã®å ´åˆã®ãƒªã‚¹ã‚¯ã®å¤§å…ƒã¯ãƒ©ã‚¤ãƒ–ãƒ©ãƒªå´ã§ãªãå‘¼ã³å‡ºã—å´ã®ã‚³ãƒ¼ãƒ‰ã«ã‚ã‚‹ã“ã¨ã«åŒæ„ã—ã¾ã™ã€‚ ã“ã®å•é¡Œã«å¯¾å‡¦ã™ã‚‹ãŸã‚JsonWebTokenã®ã‚³ãƒ¼ãƒ‰ã«ã¯é‡è¦ãªã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ãƒã‚§ãƒƒã‚¯ãŒè¿½åŠ ã•ã‚Œã¾ã—ãŸã€‚ jsonwebtoken 8.5.1ä»¥å‰ã®ãƒãƒ¼ã‚¸ãƒ§ãƒ³ã‚’ãŠä½¿ã„ã®å ´åˆã¯æœ€æ–°ç‰ˆã®9.0.0ã«ã‚¢ãƒƒãƒ—ãƒ‡ãƒ¼ãƒˆã™ã‚‹ã“ã¨ã‚’ãŠå‹§ã‚ã—ã¾ã™ã€‚æœ€æ–°ç‰ˆã§ã¯åŒã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£å•é¡Œã‚’å«ã‚€å•é¡Œã‚’ä¿®æ£æ¸ˆã¿ã§ã€ã‚ˆã‚Šå®‰å…¨ãª
teppeis 2023/01/11
jwt

security

vulnerability
ãƒªãƒ³ã‚¯
ã‚µãƒ¼ãƒã‚µã‚¤ãƒ‰ã§JWTã®å³æ™‚ç„¡åŠ¹åŒ–æ©Ÿèƒ½ã‚’æŒã£ã¦ã„ãªã„ã‚µãƒ¼ãƒ“ã‚¹ã¯è„†å¼±ãªã®ã‹ï¼Ÿ - ãã‚ã®é›‘è¨˜å¸³
ãã£ã‹ã‘ æ˜¨å¹´(2021å¹´9æœˆã”ã‚)ã«å¾³ä¸¸ã•ã‚“ã®ã“ã®ãƒ„ã‚¤ãƒ¼ãƒˆã‚’è¦‹ã¦ã€ã€Œ2022å¹´ã«ã¯JWTã‚’ç”¨ã„ãŸã‚»ãƒƒã‚·ãƒ§ãƒ³ç®¡ç†ã«ä»£è¡¨ã•ã‚Œã‚‹ã€ã‚¹ãƒ†ãƒ¼ãƒˆãƒ¬ã‚¹ãªã‚»ãƒƒã‚·ãƒ§ãƒ³ç®¡ç†ã¯ä¸–ã®ä¸ã«å—ã‘å…¥ã‚Œã‚‰ã‚Œãªããªã£ã¦ã„ãã®ã ã‚ã†ã‹ï¼Ÿã€ã¨æ€ã£ã¦ã„ã¾ã—ãŸã€‚ OWASP Top 10 2021 A1ã«ã€ŒJWT tokens should be invalidated on the server after logout.ã€ï¼ˆç§è¨³:JWTãƒˆãƒ¼ã‚¯ãƒ³ã¯ãƒã‚°ã‚¢ã‚¦ãƒˆå¾Œã«ã‚µãƒ¼ãƒãƒ¼ä¸Šã§ç„¡åŠ¹åŒ–ã™ã¹ãã§ã™ï¼‰ã¨æ›¸ã„ã¦ã‚ã‚‹ã‘ã©ã€ã©ã†ã‚„ã£ã¦ç„¡åŠ¹åŒ–ã™ã‚‹ã‚“ã ?Â ãƒ–ãƒ©ãƒƒã‚¯ãƒªã‚¹ãƒˆã«å…¥ã‚Œã‚‹?https://t.co/bcdldF82Bwâ€” å¾³ä¸¸ æµ© (@ockeghem) 2021å¹´9æœˆ10æ—¥ JWTå¤§å¥½ããªçš†ã•ã‚“ã€ã“ã“ã¯ã‚¦ã‚©ãƒƒãƒã—ãªã„ã¨ã ã‚ã§ã™ã‚ˆã€‚ã“ã‚ŒãŒãã®ã¾ã¾é€šã£ãŸã‚‰ã€ãƒã‚°ã‚¢ã‚¦ãƒˆæ©Ÿèƒ½ã§JWTã®å³æ™‚ç„¡åŠ¹åŒ–ã‚’ã—ã¦ã„ãªã„ã‚µã‚¤ãƒˆã¯è„†å¼±æ€§è¨ºæ–ã§ã€ŒOWASP Top
teppeis 2022/04/18
jwt

security

oauth
ãƒªãƒ³ã‚¯
5 different approaches to invalidate JSON Web Tokens
teppeis 2022/04/18
jwt

auth
ãƒªãƒ³ã‚¯
SPAã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£å…¥é–€ï½žPHP Conference Japan 2021
ã“ã¡ã‚‰ã®ã‚¹ãƒ©ã‚¤ãƒ‰ã¯ä»¥ä¸‹ã®ã‚µã‚¤ãƒˆã«ã¦é–²è¦§ã„ãŸã ã‘ã¾ã™ã€‚ https://www.docswell.com/s/ockeghem/ZM6VNK-phpconf2021-spa-security ã‚·ãƒ³ã‚°ãƒ«ãƒšãƒ¼ã‚¸ã‚¢ãƒ—ãƒªã‚±ãƒ¼ã‚·ãƒ§ãƒ³(SPA)ã«ãŠã„ã¦ã€ã‚»ãƒƒã‚·ãƒ§ãƒ³IDã‚„ãƒˆãƒ¼ã‚¯ãƒ³ã®æ ¼ç´å ´æ‰€ã¯Cookieã‚ã‚‹ã„ã¯localStorageã®ã„ãšã‚ŒãŒè‰¯ã„ã®ã‹ãªã©ã€ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ä¸Šã®èª²é¡ŒãŒãƒãƒƒãƒˆä¸Šã§è°è«–ã•ã‚Œã¦ã„ã¾ã™ãŒã€æ®‹å¿µãªãŒã‚‰é–“é•ã£ãŸå‰æã«åŸºã¥ãã‚‚ã®ãŒå¤šã„ã‚ˆã†ã§ã™ã€‚ã“ã®ãƒˆãƒ¼ã‚¯ã§ã¯ã€SPAã®ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ã‚’æ§‹æˆã™ã‚‹åŸºç¤ŽæŠ€è¡“ã‚’èª¬æ˜Žã—ãŸå¾Œã€è‘—åãªãƒ•ãƒ¬ãƒ¼ãƒ ãƒ¯ãƒ¼ã‚¯ãªçŠ¶æ³ã¨ã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ã®æŠ€è¡“ç†è§£ã®ç¾çŠ¶ã‚’è¸ã¾ãˆã€SPAã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ã®ç¾å®Ÿçš„ãªæ–¹æ³•ã«ã¤ã„ã¦èª¬æ˜Žã—ã¾ã™ã€‚ å‹•ç”»ã¯ã“ã¡ã‚‰ https://www.youtube.com/watch?v=pc57hw6haXk
teppeis 2021/10/06
ã¡ã‚ƒã‚“ã¨ãƒªã‚¹ã‚¯è©•ä¾¡ã—ã¾ã—ã‚‡ã†ã¨ã„ã†è©±

auth

security

jwt

cors

cookie
ãƒªãƒ³ã‚¯
JWT ã®æœ€æ–°ãƒ™ã‚¹ãƒˆ ãƒ—ãƒ©ã‚¯ãƒ†ã‚£ã‚¹ã«é–¢ã™ã‚‹ãƒ‰ãƒ©ãƒ•ãƒˆã‚’èªã¿è§£ã
IETF ã® OAuth Working Groupã¯ã€ã‚¢ã‚¤ãƒ‡ãƒ³ãƒ†ã‚£ãƒ†ã‚£åˆ†é‡Žã«ãŠã‘ã‚‹æ¨™æº–ã®ä½œæˆã¨æ”¹è‰¯ã«ç†±å¿ƒã«å–ã‚Šçµ„ã‚“ã§ã„ã¾ã™ã€‚ã“ã®è¨˜äº‹ã§ã¯ JSON Web Token (JWT) ã®æœ€æ–°ãƒ™ã‚¹ãƒˆ ãƒ—ãƒ©ã‚¯ãƒ†ã‚£ã‚¹ã«ã¤ã„ã¦æ›¸ã‹ã‚ŒãŸç›´è¿‘ã®ãƒ‰ãƒ©ãƒ•ãƒˆã«ã¤ã„ã¦å–ã‚Šä¸Šã’ã¾ã™ã€‚å¯¾è±¡ã®ãƒ‰ãƒ©ãƒ•ãƒˆã§ã¯ã€JWT ã®ä½¿ç”¨ã«éš›ã—ã¦é™¥ã‚ŠãŒã¡ãªè½ã¨ã—ç©´ã‚„ã€ã‚ˆãè¦‹ã‚‰ã‚Œã‚‹æ”»æ’ƒæ–¹æ³•ã«åŠ ãˆã¦ã€ãã†ã—ãŸå•é¡Œã«å¯¾ã™ã‚‹è»½æ¸›ç–ã®å®Ÿæ–½æ–¹æ³•ã‚’ç´¹ä»‹ã—ã¦ã„ã¾ã™ã®ã§ã€ãœã²ã”ä¸€èªãã ã•ã„ã€‚ â€œJWT ã‚’æ¨™çš„ã¨ã™ã‚‹ç‰¹ã«ä¸€èˆ¬çš„ãªæ”»æ’ƒæ–¹æ³•ã¨ã€å…·ä½“çš„ãªä¿è·å¯¾ç–ãŒç´¹ä»‹ã•ã‚Œã¦ã„ã¾ã™â€ Tweet Thisã¯ã˜ã‚ã«JSON Web Token (JWT) ä»•æ§˜ã¯ã€2 è€…é–“ã§ã®ã‚¯ãƒ¬ãƒ¼ãƒ (å±žæ€§æƒ…å ±) ã®ä¼é€ã‚’ç›®çš„ã¨ã—ãŸã€JSON ãƒ™ãƒ¼ã‚¹ã®å½¢å¼ã«ã¤ã„ã¦è¦å®šã—ãŸã‚ªãƒ¼ãƒ—ãƒ³æ¨™æº– (RFC 7519)ã§ã™ã€‚ JWT ã‚’è£œå®Œã™ã‚‹æ¨™æº–ã¨ã—ã¦ã€JSON Web Key (RFC 7
teppeis 2021/05/22
jwt

json
ãƒªãƒ³ã‚¯
2020å¹´ç‰ˆ ãƒãƒ¼ãƒ å†…å‹‰å¼·ä¼šè³‡æ–™ãã®1 : JSON Web Token - r-weblife
ãŠã¯ã‚ˆã†ã”ã–ã„ã¾ã™ã€‚ritou ã§ã™ã€‚ 5æœˆä¸‹æ—¬ãã‚‰ã„ã«ãƒãƒ¼ãƒ å†…å‹‰å¼·ä¼šã¨ã—ã¦JSON Web Token(JWT)ã«ã¤ã„ã¦ã‚ã„ã‚ã„ã‚„ã‚Šã¾ã—ãŸã€‚ ãã®éš›ã«ä½œæˆã—ãŸè³‡æ–™ã«ç°¡å˜ãªèª¬æ˜Žã‚’æ·»ãˆã¤ã¤ç´¹ä»‹ã—ã¾ã™ã€‚ ã“ã®ãƒ–ãƒã‚°ã§ã¯JWTã«ã¤ã„ã¦è‰²ã€…ã¨è¨˜äº‹ã‚’æ›¸ã„ã¦ãã¾ã—ãŸãŒã€ãã®ç¯„å›²ã‚’è¶…ãˆã‚‹ã‚‚ã®ã§ã¯ã‚ã‚Šã¾ã›ã‚“ã€‚ ã¡ã‚‡ã£ã¨ã ã‘é•·ã„ã§ã™ãŒã€ã¡ã‚‡ã£ã¨ã ã‘ã§ã™ã€‚ãŠä»˜ãåˆã„ãã ã•ã„ã€‚ãã‚Œã§ã¯å§‹ã‚ã¾ã—ã‚‡ã†ã€‚ JSON Web Token boot camp 2020 ä»Šå›žã®å‹‰å¼·ä¼šã§ã¯ã€JWTã«ã¤ã„ã¦æ¦‚è¦ã€ä»•æ§˜ç´¹ä»‹ã¨ã„ã†åŸºæœ¬çš„ãªã¨ã“ã‚ã‹ã‚‰ã€æ¥å‹™ã§ä½¿ã£ã¦ã„ãã«ã‚ãŸã£ã¦æ°—ã‚’ã¤ã‘ã‚‹ã¹ãç‚¹ã¨ã„ã£ãŸã‚ãŸã‚Šã¾ã§ã‚«ãƒãƒ¼ã§ãã‚‹ã¨è‰¯ã„ãªã¨æ€ã£ã¦ã„ã¾ã™ã€‚ JSON Web Token æ¦‚è¦ ã¾ãšã¯æ¦‚è¦ã‹ã‚‰ç´¹ä»‹ã—ã¦ã„ãã¾ã™ã€‚ JSON Web Tokenã®å®šç¾©ã¨ã¯ã¨ã„ã†ã“ã¨ã§ã€RFC7519ã®Abstractã®æ–‡ç« ã‚’å¼•ç”¨ã—ã¾ã™ã€‚ JSON W
teppeis 2020/12/10
jwt

security
ãƒªãƒ³ã‚¯
GitHub - panva/jose: JWA, JWS, JWE, JWT, JWK, JWKS for Node.js, Browser, Cloudflare Workers, Deno, Bun, and other Web-interoperable runtimes
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session. You switched accounts on another tab or window. Reload to refresh your session. Dismiss alert
teppeis 2020/12/01
crypto

jwt

javascript

node.js

browser

isomorphic
ãƒªãƒ³ã‚¯
Please Stop Using Local Storage - DEV Community ðŸ‘©â€ðŸ’»ðŸ‘¨â€ðŸ’»
Seriously. Just stop it already. I donâ€™t know what it is, exactly, that drives so many developers to store session information in local storage, but whatever the reason: the practice needs to die out. Things are getting completely out of hand. Almost every day I stumble across a new website storing sensitive user information in local storage and it bothers me to know that so many developers are op
teppeis 2020/04/04
security

localstorage

cookie

jwt
ãƒªãƒ³ã‚¯
JWTå½¢å¼ã‚’æŽ¡ç”¨ã—ãŸChatWorkã®ã‚¢ã‚¯ã‚»ã‚¹ãƒˆãƒ¼ã‚¯ãƒ³ã«ã¤ã„ã¦ - ChatWork Creator's Note
JWTã‚’ä½¿ã†ã“ã¨ã¯é›£ã—ã„ï¼Ÿ ã“ã‚“ã«ã¡ã¯ã€ã‹ã¨ã˜ã‚…ã‚“(@j5ik2o)ã§ã™ã€‚æœ€è¿‘ã€JWTã«é–¢ã™ã‚‹ä»¥ä¸‹ã®ãƒ–ãƒã‚°ãŒè©±é¡Œã§ã™*1ã€‚ ã©ã†ã—ã¦ãƒªã‚¹ã‚¯ã‚¢ã‚»ã‚¹ãƒ¡ãƒ³ãƒˆã›ãšã« JWT ã‚’ã‚»ãƒƒã‚·ãƒ§ãƒ³ã«ä½¿ã£ã¡ã‚ƒã†ã‚ã‘ï¼Ÿ - co3k.org ã“ã®ãƒ–ãƒã‚°ã§è¨€åŠã•ã‚Œã¦ã„ã‚‹ã®ã¯ã€JWTã‚’ã‚»ãƒƒã‚·ãƒ§ãƒ³ã®ä¿å˜å…ˆã«é¸ã¶ã“ã¨ã§ã€Œä½•ãŒå•é¡Œãªã®ï¼Ÿã€ã«æ›¸ã‹ã‚Œã¦ã„ã‚‹ãƒªã‚¹ã‚¯ãŒã‚ã‚‹ã‚ˆã€ã¨ã„ã†è©±*2ã€‚ç¢ºã‹ã«ã„ãã¤ã‹æ¤œè¨Žã™ã‚‹ã“ã¨ãŒã‚ã‚Šã¾ã™ãã€‚ auth0.hatena blog.com auth0ã®ä¸ã®äººï¼Ÿã‚ˆãã‚ã‹ã‚‰ãªã„ã‘ã©ã€åè«–çš„ãªãƒ–ãƒã‚°ã‚¨ãƒ³ãƒˆãƒªãŒå…¬é–‹ã•ã‚Œã¦ã„ã¾ã™ã€‚ã“ã®è¨˜äº‹ã§ã¯ã€æŒ‡æ‘˜ã®å•é¡ŒãŒèµ·ã“ã‚‰ãªã„ã‚ˆã†ã«è¨è¨ˆã™ã‚‹ã®ã¯ã‚ãŸã‚Šå‰ã§ã¯ï¼Ÿã¨ã„ã†æ„è¦‹ã¿ãŸã„ã§ã™ã€‚ã¾ãã”ã‚‚ã£ã¨ã‚‚ã§ã¯ãªã„ã§ã—ã‚‡ã†ã‹ã€‚ ç§ã‚‚æŠ€è¡“ãã®ã‚‚ã®ã¨ã„ã†ã‚ˆã‚Šã€è¦ä»¶ã«åˆã‚ã›ã¦æŠ€è¡“ã‚’çµ„ã¿åˆã‚ã›ã‚‹è¨è¨ˆã®å•é¡Œã ã¨æ€ã£ã¦ã„ã¾ã™ã€‚åŠ ãˆã¦ã€JWTã‚’åˆ©ç”¨ã™ã‚‹ã“ã¨ã¯ãã‚“ãªã«é›£ã—ã„ã“ã¨ã‹ã¨ã„ã†ç–‘å•ãŒã‚ã£ãŸ
teppeis 2018/09/26
chatwork

jwt

security
ãƒªãƒ³ã‚¯
JWTèªè¨¼ã€ä¾¿åˆ©ã‚„ã‚“ï¼Ÿ - ãƒ–ãƒã‚°
ã©ã†ã—ã¦ JWT ã‚’ã‚»ãƒƒã‚·ãƒ§ãƒ³ã«ä½¿ã£ã¡ã‚ƒã†ã‚ã‘ï¼Ÿ - co3k.orgã€€ã«å¯¾ã—ã¦æ€ã†ã“ã¨ã‚’æ›¸ãã€‚ (ã‚¹ãƒ†ãƒ¼ãƒˆãƒ¬ã‚¹ãª) JWT ã‚’ã‚»ãƒƒã‚·ãƒ§ãƒ³ã«ä½¿ã†ã“ã¨ã¯ã€ã‚»ãƒƒã‚·ãƒ§ãƒ³ ID ã‚’ç”¨ã„ã‚‹ä¼çµ±çš„ãªã‚»ãƒƒã‚·ãƒ§ãƒ³æ©Ÿæ§‹ã«æ¯”ã¹ã¦ã€ã‚ã‚‰ã‚†ã‚‹ã‚»ã‚ãƒ¥ãƒªãƒ†ã‚£ä¸Šã®ãƒªã‚¹ã‚¯ã‚’è² ã†ã“ã¨ã«ãªã‚Šã¾ã™ã€‚ ã¨å¤§å£å©ã„ã¦ãŠã„ã¦ã€ãã‚Œã«ç¶šãç†ç”±ãŒã»ã¨ã‚“ã©ãŠç²—æœ«ãªé‹ç”¨ã«ã‚ˆã‚‹ã‚‚ã®ãªã®ã¯ã©ã†ãªã®ã‹ã€‚æœ€å¾Œã«ã€ ã§ã‚‚ãã“ã¾ã§ã—ã¦ã‚¹ãƒ†ãƒ¼ãƒˆãƒ¬ã‚¹ã« JWT ã‚’ä½¿ã‚ãªãã¦ã¯ã„ã‘ãªã„ã‹ï¼Ÿ ã¨ã¾ã§è¡Œã£ã¦ã„ã¾ã™ãŒã€JWTèªè¨¼ã®ãƒ¡ãƒªãƒƒãƒˆã¯ãã®å®Ÿè£…ã®ã‚·ãƒ³ãƒ—ãƒ«ã•ã¨ã‚¹ãƒ†ãƒ¼ãƒˆãƒ¬ã‚¹ãªã“ã¨ã«ã‚ã‚Šã¾ã™ã€‚ç¾å®Ÿçš„ã«ã¯å®Ÿéš›ã¯DBå‚ç…§ã¨ã‹å¿…è¦ã«ãªã£ãŸã‚Šã™ã‚‹ã‚“ã§ã™ãŒã€ã»ã¨ã‚“ã©æ”¹ã–ã‚“æ¤œè¨¼ã ã‘ã§æ¸ˆã‚€ã®ã¯é…åŠ›çš„ã§ã™ã€‚ãƒˆãƒ¬ãƒ¼ãƒ‰ã‚ªãƒ•ã§ãƒªã‚¢ãƒ«ã‚¿ã‚¤ãƒ ã§ãƒ¦ãƒ¼ã‚¶ãƒ¼ç„¡åŠ¹åŒ–ãŒã§ããªã„ã“ã¨ãã‚‰ã„ã§ã™ã‹ãã€‚ãƒ©ã‚¤ãƒ–ãƒ©ãƒªãªã‚“ã¦ä½¿ã†å¿…è¦ãªã„ã»ã©ã‚·ãƒ³ãƒ—ãƒ«ã ã—ã€ãƒˆãƒ¬ãƒ¼ãƒ‰ã‚ªãƒ•ã•ãˆè¨±å®¹ã§ãã‚Œã°ã‚€ã—ã‚ã€ãªãœã“ã‚Œä»¥ä¸Šã«è¤‡é›‘ãªèªè¨¼
teppeis 2018/09/26
ã€ŒXSSã®è„†å¼±æ€§ãŒã‚ã‚‹æ™‚ç‚¹ã§è«–å¤–ã€ã“ã“ã ã‘åŒæ„ã§ããªã„

jwt

security
ãƒªãƒ³ã‚¯
ã©ã†ã—ã¦ JWT ã‚’ã‚»ãƒƒã‚·ãƒ§ãƒ³ã«ä½¿ã£ã¡ã‚ƒã†ã‚ã‘ï¼Ÿ - co3k.org
å‚™è€ƒ 2018/09/21 22:15 è¿½è¨˜ 2018/09/20 12:10 ã«å…¬é–‹ã—ãŸã€Œã©ã†ã—ã¦ JWT ã‚’ã‚»ãƒƒã‚·ãƒ§ãƒ³ã«ä½¿ã£ã¡ã‚ƒã†ã‚ã‘ï¼Ÿã€ã¨ã„ã†ã‚¿ã‚¤ãƒˆãƒ«ãŒä¸é©åˆ‡ã ã¨ã”æŒ‡æ‘˜ã‚’ã„ãŸã ã„ã¦ã„ã¾ã™ã€‚ ãã®æ„è¦‹ã¯ã‚‚ã£ã¨ã‚‚ã ã¨æ€ã„ã¾ã™ã®ã§ã€ç¾åœ¨ã€é©åˆ‡ã¨ãªã‚‹ã‚ˆã†ã«ã‚¿ã‚¤ãƒˆãƒ«ã‚’èª¿æ•´ã—ã¦ã„ã¾ã™ã€‚ ã”è¿·æƒ‘ãŠã‚ˆã³ãŠé¨’ãŒã›ã‚’ã—ã¦å¤§å¤‰ç”³ã—è¨³ã”ã–ã„ã¾ã›ã‚“ã€‚ æœ¬æ–‡ã®è¡¨ç¾ã«ã¤ã„ã¦ã‚‚æ”¹å–„ã®ä½™åœ°ã¯å¤§ã„ã«ã‚ã‚Šãã†ã§ã™ãŒã€ã“ã¡ã‚‰ã¯ (ã™ã§ã«ã”æ„è¦‹ã‚’é ‚æˆ´ã—ã¦ã„ã‚‹é–¢ä¿‚ã§ã€) ä¸»å¼µãŒå¤‰ã‚ã£ã¦ã—ã¾ã‚ãªã„ã‚ˆã†ã«é…æ…®ã—ã¤ã¤æ…Žé‡ã«èª¿æ•´ã•ã›ã¦ã„ãŸã ãã‹ã‚‚ã—ã‚Œã¾ã›ã‚“ã€‚ ã¯ã‚ã‚ã‚ã€œã€œã€œã€œé ¼ã‚€ã‹ã‚‰ã“ã¡ã‚‰ã‚‚å¿™ã—ã„ã®ã§ã“ã‚“ãªã‚¨ãƒ³ãƒˆãƒªã‚’æ›¸ã‹ã›ãªã„ã§ã»ã—ã„ (æŒ¨æ‹¶)ã€‚ã‚‚ã—ãã¯åƒ•ã‚’æš‡ã«ã—ã¦ã“ã†ã„ã†ã‚¨ãƒ³ãƒˆãƒªã‚’æ›¸ã‹ã›ã‚‹ãŸã‚ã®ãƒ—ãƒã‚°ãƒ©ãƒžãƒ¼ã‚’å‹Ÿé›†ã—ã¦ã„ã¾ã™ (æŒ¨æ‹¶)ã€‚ JWT (JSON Web Token; RFC 7519) ã‚’å……åˆ†ãªãƒªã‚¹ã‚¯ã®è¦‹ç©ã‚‚ã‚Šã‚’ã›ãšã‚»ãƒƒã‚·
teppeis 2018/09/20
session

cookie

jwt
ãƒªãƒ³ã‚¯
SSR ã¨ CDN ( Fastly ) ã¨ãƒ¦ãƒ¼ã‚¶ãƒ¼ä¾å˜æƒ…å ±ã€ãã®å¾Œ
æ£å¼ãƒªãƒªãƒ¼ã‚¹ã«å‘ã‘ã¦ã®é–‹ç™ºã§è¡¨é¢åŒ–ã—ãŸä¸éƒ½åˆ ä»¥å‰ã€ã‚¢ãƒ¼ã‚ãƒ†ã‚¯ãƒãƒ£ç·¨: SSR ã¨ CDN ( Fastly ) ã¨ãƒ¦ãƒ¼ã‚¶ãƒ¼ä¾å˜æƒ…å ±ã®åˆ†é›¢ï¼ˆæ–°è¦é–‹ç™ºã®ãƒ¡ãƒ¢æ›¸ãã‚·ãƒªãƒ¼ã‚º4ï¼‰ã§ç´¹ä»‹ã—ãŸã‚ˆã†ã«ã€SSR ã§ç”Ÿæˆã—ãŸ HTML ã‚’ CDN ( Fastly ) ã§ã‚ãƒ£ãƒƒã‚·ãƒ¥ã§ãã‚‹ã‚ˆã†ã«ã€Œãƒ¦ãƒ¼ã‚¶ãƒ¼ä¾å˜æƒ…å ±ã¯ã‚¯ãƒ©ã‚¤ã‚¢ãƒ³ãƒˆã‚µã‚¤ãƒ‰ã§éžåŒæœŸã«å–ã‚Šæ‰±ã†ã¨ã„ã†ã‚¢ãƒ—ãƒãƒ¼ãƒã€ã‚’ã¨ã£ã¦ã„ã¾ã—ãŸã€‚ãã‚Œã«ã‚ˆã£ã¦ç™ºç”Ÿã—ã¦ã„ãŸä¸éƒ½åˆã¨è§£æ±ºã«é–¢ã™ã‚‹è¿½åŠ æƒ…å ±ã§ã™ã€‚ ãƒ¦ãƒ¼ã‚¶ãƒ¼ä¾å˜æƒ…å ±ãŒéžåŒæœŸã§ãƒ¬ã‚¤ã‚¢ã‚¦ãƒˆã•ã‚Œã‚‹å•é¡Œ ãƒ¦ãƒ¼ã‚¶ãƒ¼ä¾å˜æƒ…å ±ãŒéžåŒæœŸã§è§£æ±ºã•ã‚Œã‚‹ã¨ã„ã†ã“ã¨ã¯ã€ãã®ã‚ˆã†ãªæƒ…å ±ã‚’æ‰±ã†ã‚³ãƒ³ãƒãƒ¼ãƒãƒ³ãƒˆã®çŸ©å½¢ã¯ Web ãƒšãƒ¼ã‚¸ãŒä¸€åº¦ãƒ¬ãƒ³ãƒ€ãƒªãƒ³ã‚°ã•ã‚ŒãŸã‚ã¨ã«ãƒ¬ã‚¤ã‚¢ã‚¦ãƒˆã•ã‚Œã¾ã™ã€‚ã¤ã¾ã‚Šã“ã®è¨˜äº‹ã§ã‚‚ç´¹ä»‹ã•ã‚ŒãŸã¨ã“ã‚ã®ã€Œã‚¬ã‚¿ãƒ³ãƒƒã€çš„ãªãƒ¦ãƒ¼ã‚¶ãƒ¼ä½“é¨“ãŒç”Ÿã˜ã¾ã™ã€‚ ãƒã‚°ã‚¤ãƒ³ã¨éžãƒã‚°ã‚¤ãƒ³ãŒã€å…¨ãåŒã˜ã‚µã‚¤ã‚ºã®çŸ©å½¢ã‚’ç¢ºä¿ã™ã‚‹ã‚ˆã†ãªãƒ“ã‚¸ãƒ¥ã‚¢ãƒ«ãƒ‡ã‚¶ã‚¤ãƒ³ã«ãªã£ã¦ã„
teppeis 2018/05/31
Fastlyã§JWTãªè©±

fastly

jwt
ãƒªãƒ³ã‚¯
Authorization@Edge â€“ How to Use Lambda@Edge and JSON Web Tokens to Enhance Web Application Security | Amazon Web Services
Networking & Content Delivery Authorization@Edge â€“ How to Use Lambda@Edge and JSON Web Tokens to Enhance Web Application Security by Alex Tomic and Cameron Worrell Authorization, the function of specifying access rights to resources is often required to help protect restricted content in web applications. This post will show you how to implement a serverless authorization of viewers using Amazon C
teppeis 2018/03/09
Fastlyã¨æ—¥çµŒã®äº‹ä¾‹ã«ã‚ã£ãŸprivateã‚³ãƒ³ãƒ†ãƒ³ãƒ„ã‚’CDNã§ã‚ãƒ£ãƒƒã‚·ãƒ¥ã™ã‚‹ä»¶ã‚’Lambda@Edgeã§å®Ÿç¾ã™ã‚‹è©±

cdn

cloudfront

aws

jwt
ãƒªãƒ³ã‚¯
Building Secure JavaScript Applications
Building Secure JavaScript Applications A few weeks back, I've attended SFNode, where Randall Degges gave a presentation on JWTs, mostly on why you avoid using them. The talk was amazing, and also reminded me of an article I wanted to write for a long time now - how one can build secure JavaScript applications. Here we go! In this article, I will go through the most frequently asked question about
teppeis 2018/01/19
jwt

security

auth

csrf

xss

atode
ãƒªãƒ³ã‚¯
Should you use JWT/JOSE?
teppeis 2017/03/17
jwt

security
ãƒªãƒ³ã‚¯
Stop using JWT for sessions - joepie91's Ramblings
Update - June 19, 2016: A lot of people have been suggesting the same "solutions" to the probl ems below, but none of them are practical. I've published a new post with a slightly sarcastic flowchart - please have a look at it before suggesting a solution. Unfortunately, lately I've seen more and more people recommending to use JWT (JSON Web Tokens) for managing user sessions in their web applicati
teppeis 2017/03/15
jwt

security
ãƒªãƒ³ã‚¯
JOSE (Javascript Object Signing and Encryption) is a Bad Standard That Everyone Should Avoid - Paragon Initiative Enterprises Blog
The latest information from the team that develops cryptographically secure PHP software. Is Your Cryptography Reliable? Our team specializes in studying real world cryptography implementations to assure their correctness and security. Why You Want to Hire Our Company Contact Us No Way, JOSE! Javascript Object Signing and Encryption is a Bad Standard That Everyone Should Avoid March 14, 2017 7:18
teppeis 2017/03/15
ã‚¿ã‚¤ãƒˆãƒ«ãŒJWTã‹ã‚‰JOSEã«å¤‰æ›´ã•ã‚ŒãŸ

jwt

security
ãƒªãƒ³ã‚¯
MERY EC ã«ãŠã‘ã‚‹ã‚»ãƒƒã‚·ãƒ§ãƒ³ç®¡ç†ã¨ JWT - peroli Developer's Blog
2016 - 08 - 26 MERY EC ã«ãŠã‘ã‚‹ã‚»ãƒƒã‚·ãƒ§ãƒ³ç®¡ç†ã¨ JWT Back-End è¨è¨ˆ Ruby list Tweet ã“ã‚“ã«ã¡ã¯ã€‚ MERY ã®ã‚µãƒ¼ãƒãƒ¼ã‚µã‚¤ãƒ‰ã‚¨ãƒ³ã‚¸ãƒ‹ã‚¢ã® @saidie ã§ã™ã€‚ MERY ã§ã¯ã€å¥³ã®åãŒçŸ¥ã‚ŠãŸã„æœ€æ–°ã®æƒ…å ±ã‚„æ¬²ã—ããªã‚‹ãƒ•ã‚¡ãƒƒã‚·ãƒ§ãƒ³ã‚¢ã‚¤ãƒ†ãƒ ã‚’ã€è¨˜äº‹ã¨ã„ã†å½¢å¼ã‚’é€šã—ã¦æ¯Žæ—¥å±Šã‘ã¦ã„ã¾ã™ã€‚ ãã—ã¦ã€ã“ã“ä¸€å¹´å¼±ã®é–“ã€ãƒ¦ãƒ¼ã‚¶ãŒæ¬²ã—ã„ã¨æ€ã£ãŸã‚¢ã‚¤ãƒ†ãƒ ã‚’ãã®ã¾ã¾æ‰‹è»½ã« MERY ä¸Šã§è²·ã†ã“ã¨ã®ã§ãã‚‹ã€EC ã® ã‚·ã‚¹ãƒ†ãƒ é–‹ç™º ã‚’é€²ã‚ã¦ãã¾ã—ãŸã€‚ ã“ã®è¨˜äº‹ã§ã¯ã€MERY ã® EC ã‚·ã‚¹ãƒ†ãƒ ã‚’é–‹ç™ºã™ã‚‹ã«ã‚ãŸã£ã¦ã€æ—¢å˜ã® MERY ä¼šå“¡ã®ãƒã‚°ã‚¤ãƒ³ã‚»ãƒƒã‚·ãƒ§ãƒ³ã¨ EC ã«ãŠã„ã¦å¿…è¦ã¨ã•ã‚Œã‚‹æ–°ãŸãªã‚»ãƒƒã‚·ãƒ§ãƒ³ã«é–¢ã™ã‚‹è¨è¨ˆã®è£å´ã¨ã€ã‚»ãƒƒã‚·ãƒ§ãƒ³æƒ…å ±ã®ã‚„ã‚Šå–ã‚Šã« JWT ( JSON Web Token) ã‚’ä½¿ã†å–ã‚Šçµ„ã¿ã«ã¤ã„ã¦ã”ç´¹ä»‹ã—ãŸã„ã¨æ€ã„ã¾ã™ã€‚ MERY ã® EC ã‚»ãƒƒ
teppeis 2016/10/10
jwt

atode
ãƒªãƒ³ã‚¯
JSON Web Tokens vs. Session Cookies: In Practice
A relevant ad will be displayed here soon. These ads help pay for my hosting. Please consider disabling your ad blocker on Pony Foo. These ads help pay for my hosting. TL;DR Many modern web applications use JSON Web Tokens (JWT), rather than the traditional session-based authentication. Quite a few challenges have been found with using server-side sessions in modern-day applications. In this post,
teppeis 2016/09/10
JWTã‚’Webã‚¢ãƒ—ãƒªã§ä½¿ãŠã†ã£ã¦ã€HTMLã¯staticã§å…¨ã¦ã®é€šä¿¡ã¯Authãƒ˜ãƒƒãƒ€ä»˜ã‘ãŸXHRã«é™å®šã™ã‚‹SPAã‚’å‰æã«ã—ã¦ã‚‹ã®ã‹ãªï¼Ÿimgè¦ç´ ã¨ã‹ã©ã†ã™ã‚‹ã®ã‹ãª

jwt

cookie

auth

security
ãƒªãƒ³ã‚¯
REST Security With JWT Using Java and Spring Security | ToptalÂ®
Disclaimer: This article is under review. Some of the content may be outdated. Security Security is the enemy of convenience, and vice versa. This statement is true for any system, virtual or real, from the physical house entrance to web banking platforms. Engineers are constantly trying to find the right balance for the given use case, leaning to one side or the other. Usually, when a new threat
teppeis 2016/06/26
jwt

rest

auth
ãƒªãƒ³ã‚¯
1 2 æ¬¡ã®ãƒšãƒ¼ã‚¸