Just because something is permissible does not mean it's appropriate.
#JWT #MilitaryEthics
7
1
1
0
Hashtag
#jwt
Advertisement Β· 728 Γ 90
upd to the current api project I added a frontend of... asp net mvc app! (first time this kind π
)
discovered http handlers, essential to add jwt token to requests, and sometimes call refresh auth
also had to double the auth in frontend as a cookie
#buildinpublic #backend #dotnet #webdev #jwt
2
1
0
0
Nobody teaches you this in tutorialsβ¦ π
JWT Authentication β the secret behind every βStay Logged Inβ button.
6 steps. 2 phases. Zero confusion.
Phase 1: Token is created on login.
Phase 2: Token is verified on every request.
Follow Zerlix for more tech explained simply π₯
#Zerlix #JWT
1
0
0
0
Working with verifiable credentials? DCQL helps you request the exact data you need using clean JSON queries. Supports W3C VC, SD JWT, selective disclosure, complex claim paths and more.
docs.affinidi.com/open-source-...
github.com/affinidi/aff...
#DCQL #VerifiableCredentials #W3C #JWT
0
1
0
0
1
0
0
0
Secure your Minimal APIs with JWT! π
Stateless β’ Scalable β’ Token-based auth
Client β credentials β JWT β protected endpoints
Why JWT rules modern .NET APIs: no sessions needed!
#dotnet #aspnetcore #csharp #JWT #MinimalApis www.ottorinobruni.com/how-to-imple...
0
0
0
0
Pattern card: The 'Trust Me' JWT Parser (Security). Stats: Latency 0/100, Pain N/A, Maintain N/A, Resume N/A. Quote: "Why pull in a heavy dependency like 'jjwt' or 'jose'? Parsing a JWT is just splitting a string by dots and decoding Base64. Easy!". Special ability: Role Elevation by Notepad - An attacker changes 'role: user' to 'role: admin' in the Base64 payload. The backend accepts it without checking the signature.
Analysis The result of βNot Invented Hereβ syndrome applied to cryptography. The developer understood that a JWT contains data, but missed the part where the signature ensures integrity. The Reality: Your authentication logic essentially trusts whatever the client sends. You are not verifying the certificate or the HMAC secret. A script kiddie can simply paste your token into jwt.io, change the user ID to 1 (or the role to admin), and your backend happily executes the request. You have built a VIP entrance for hackers.
π¨ WoB Pattern: The 'Trust Me' JWT Parser
One of my favorites, since we saw it in the wild.
"Why pull in a heavy dependency like 'jjwt' or 'jose'? Parsing a JWT is just splitting a string by dots and decoding Base64. Easy!"
worstofbreed.net/patterns/tru...
#worstofbreed #Security #JWT #TechHumor
0
1
0
0
service method that creates a jwt token. no jwt/identity specific types in input or output (thats my viewmodel). claims in the token include not only obvious user properties but also Sub(ject), user id - I didn't use it before - and Jti, token id. token's time properties, validity start and expiry, are saved in utc (earlier inexperienced me used local time, dont do that)
program.cs part where jwt authentication is added. key is generated dynamically!!)) from 256 crypto random bytes (earlier I used 2 guids squished together to make 32 bytes, but that's not enough entropy). of course default scheme is set to jwt, don't forget to set challenge scheme too! or else unauthorized requests will be redirected to a /login action, even if it doesn't exist, and in total weirdly result in 405 instead of 401! next i'm validaiting not only key and lifetime, but issuer and audience too. and discovered such thing as clock skew! extra lifetime for tokens can you imagine! by default its 5 minutes - so i was setting 15 mins of lifetime to my tokens but actually they were made valid for 20! so i zeroed it of course
program.cs part where authorization for swagger is defined. basically an Authorize button appears in swagger UI that opens a slot where you insert a token, and then this token is added to your requests. (thats completely new to me! made this thingy for the first time! earlier when tokens came into view, for using an API I had to to switch from swagger to postman :'>) here I configured a basic pair of security definition and security requirement. as you can see, its specified that the protocol used is HTTP, auth schema is Bearer, more detailedly the Bearer format is JWT and token should be situated in the request header. and apparently to join this security definition + requirement pair, the definition name should be the same as the reference ID in the security scheme, in this case JwtBearerDefinition
example of how swagger auth works. in this slot I paste the token and in my requests an Authorization header with Bearer scheme and this token gets added. which you can see in the background, as well as a successful response from an action that needs authorization
yesterday added JWT authentication in a practice API
clearly improved in making JWT this time:
β
token expiry in UTC
β
generating key from 256 random bytes
β
validating audience not just issuer
β
using Sub claim (=user ID)
β
made an auth slot in swagger!
#dotnet #dev #jwt #backend #buildinpublic
1
1
0
1
If menopausal symptoms are kicking your tail, this revolutionary Japanese Walking Method may just be what you need to reverse the effects of the symptoms. femmefitalefitclub.com/revolutioniz... #japanesewalkingmethod #JWT #walking #walkingmethod #menopausefitness
0
0
0
0
Biggest takeaway today?
Every tool exists to solve a specific problem. Once you understand the PROBLEM, the tool makes total sense. π‘
Still a beginner but connecting the dots every single day! πͺ
#BackendDevelopment #NodeJS #ExpressJS #JWT #MongoDB #100DaysOfCode #WebDevelopment #LearningInPublic
4
0
0
0
π Today I spent time diving deep into Backend Development and honestly my mind is blown.
Here's everything I learned in one post π
#BackendDevelopment #NodeJS #ExpressJS #JWT #MongoDB #100DaysOfCode #WebDevelopment #LearningInPublic
4
0
2
0
π¨ CRITICAL flaw in pac4j-jwt (v4.0/5.0/6.0): Attackers can bypass authentication using forged JWTs if they have your RSA public key. Upgrade to 4.5.9/5.7.9/6.3.3+ ASAP! radar.offseq.com/threat/cve-2026-29000-cw... #OffSeq #JWT #AppSec
0
0
0
0
The livestream starts NOW! π΄ Security you canβt prove isnβt security, itβs hope.
Stop relying on manual checks. Weβre showing you how to automate your security testing to ensure your API only accepts your trusted tokens.
π Join us now: duende.link/lsjwt26b
#OAuth2 #JWT #DotNet
1
1
0
0
Join our livestream in 1 HOUR! π£ JWTs are the industry standard, but are they right for your specific architecture?
Weβre breaking down the strategic trade-offs between JWTs vs. Opaque Tokens.
Be there: duende.link/lsjwt26b
#OAuth2 #JWT #DotNet
1
0
0
0
Tomorrow! Join our livestream on March 3rd.
Stop relying on manual checks. Weβre showing you how to automate your security testing to ensure your API only accepts your trusted tokens.
π March 3rd. Be there: duende.link/lsjwt26b
#OAuth2 #JWT #DotNet
1
2
0
0
JWTs are the industry standard, but are they right for your specific architecture?
Weβre breaking down the strategic trade-offs between JWTs vs. Opaque Tokens.
π March 3rd. Be there: duende.link/lsjwt26b
#OAuth2 #JWT #DotNet
1
0
0
0
π Learned real JWT auth flow today:
β’ Access Token β stored in memory
β’ Refresh Token β stored in HTTP-Only cookie π
β’ Avoid localStorage for JWT (XSS risk)
β’ Use Bearer headers to access protected APIs
β’ Refresh token auto-generates new access token when expired
#NodeJS #JWT #BackendDev
0
0
0
0
I'm very happy with the current version of #EzAuth. Authentication should be quick and easy to setup in #Golang Very close to v1.0.0 #buildinpublic #auth #jwt #oauth2
github.com/josuebrunel/...
1
1
0
0
Ich glaube, meine Webdeveloper-Zeiten sind wirklich vorbei. Und ich bin vielleicht mehr Astronomie-Nerd als ich dachte. Jedenfalls habe ich gerade anstatt
#JWT Token not found
folgendes gelesen:
#JWST Token not found
π€ͺ
0
0
0
0
Security you canβt prove isnβt security, itβs hope.
Stop relying on manual checks. Weβre showing you how to automate your security testing to ensure your API only accepts your trusted tokens.
π March 3rd. Be there: duende.link/lsjwt26b
#OAuth2 #JWT #DotNet
3
0
0
0
Day 56 of #100DaysOfcode
- work on polishing my resume a bit.
- work on creating project that i use daily to track my progress and tasks
- brushing up my fundamentals of jwt
#LearnInPublic #jobhunt #jwt
1
0
0
0
JWTs are the industry standard, but are they right for your specific architecture?
Weβre breaking down the strategic trade-offs between JWTs vs. Opaque Tokens.
π March 3rd. Be there: duende.link/lsjwt26b
#OAuth2 #JWT #DotNet
1
1
0
0
Implement #JWT authentication in #ASPNETCore securely! Learn step-by-step to safeguard your APIs by following this detailed guide. Enhance your app's security and manage user access effectively. Check it out for robust solutions!
0
0
0
0
JWTs are the industry standard, but are they right for your specific architecture?
Weβre breaking down the strategic trade-offs between JWTs vs. Opaque Tokens.
π March 3rd. Be there: duende.link/lsjwt26b
#OAuth2 #JWT #DotNet
0
0
0
0
Learn why JSON Web Tokens (JWT) are vital for modern web development! Enhance security, scalability, and efficiency of authentication processes. #WebDevelopment #JWT
0
0
0
0
#Keycloak CVE-2026-1529: "lack of cryptographic signature verification allows the attacker to successfully self-register into an unauthorized organization, leading to unauthorized access."
access.redhat.com ->
#JWT
Original->
0
0
1
0
Should you blindly trust JWTs for accessing APIs? π
Youβve got OAuth 2.0 and JWTs, but a single misconfiguration in your library can leave you wide open. Join Wesley to see why "standard" validation isn't always enough.
π Be there on March 3rd: duende.link/lsjwt26
#OAuth2 #DotNet #JWT
0
0
0
0
