eupolicy.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
This Mastodon server is a friendly and respectful discussion space for people working in areas related to EU policy. When you request to create an account, please tell us something about you.

#jwt

Kushal Das :python: :tor:<p>In <a href="https://toots.dgplug.org/tags/rust" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rust</span></a> / <a href="https://toots.dgplug.org/tags/rustlang" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rustlang</span></a> I have an <a href="https://toots.dgplug.org/tags/HTTP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>HTTP</span></a> endpoint (<a href="https://toots.dgplug.org/tags/actix" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>actix</span></a>), where for a given query, it fetches <a href="https://toots.dgplug.org/tags/JWT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>JWT</span></a> from the given parameter (URLS) and validates, puts some logic and returns the result. How to write unittest for this case in rust?</p>
𝕂𝚞𝚋𝚒𝚔ℙ𝚒𝚡𝚎𝚕<p>JWTs Are Not Session Tokens, Stop Using Them Like One</p><p>When JSON Web Tokens (JWTs) hit the mainstream, they were hailed as the solution to everything wrong with session management. Stateless! Compact! Tamper-proof! Suddenly, everyone started stuffing them into every web app like ketchup on bad code.</p><p>🧑‍💻 <a href="https://archive.fo/01UkP" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">archive.fo/01UkP</span><span class="invisible"></span></a></p><p><a href="https://chaos.social/tags/json" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>json</span></a> <a href="https://chaos.social/tags/jwt" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>jwt</span></a> <a href="https://chaos.social/tags/webdev" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>webdev</span></a> <a href="https://chaos.social/tags/token" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>token</span></a> <a href="https://chaos.social/tags/web" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>web</span></a> <a href="https://chaos.social/tags/code" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>code</span></a> <a href="https://chaos.social/tags/bad" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>bad</span></a> <a href="https://chaos.social/tags/badcode" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>badcode</span></a> <a href="https://chaos.social/tags/WebTokens" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WebTokens</span></a> <a href="https://chaos.social/tags/ketchup" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ketchup</span></a></p>
Kushal Das :python: :tor:<p>Slowly moving the brain to play <a href="https://toots.dgplug.org/tags/JWT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>JWT</span></a> <a href="https://toots.dgplug.org/tags/JWT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>JWT</span></a> in the background. Next few weeks will be into the land of JWTs via both <a href="https://toots.dgplug.org/tags/rust" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>rust</span></a> and <a href="https://toots.dgplug.org/tags/python" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>python</span></a>.</p>
Jobs for Developers<p>SoundHound is hiring Senior Software Engineer</p><p>🔧 <a href="https://mastodon.world/tags/java" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>java</span></a> <a href="https://mastodon.world/tags/javascript" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>javascript</span></a> <a href="https://mastodon.world/tags/typescript" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>typescript</span></a> <a href="https://mastodon.world/tags/react" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>react</span></a> <a href="https://mastodon.world/tags/springframework" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>springframework</span></a> <a href="https://mastodon.world/tags/api" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>api</span></a> <a href="https://mastodon.world/tags/hibernate" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hibernate</span></a> <a href="https://mastodon.world/tags/aws" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>aws</span></a> <a href="https://mastodon.world/tags/azure" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>azure</span></a> <a href="https://mastodon.world/tags/cicd" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cicd</span></a> <a href="https://mastodon.world/tags/docker" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>docker</span></a> <a href="https://mastodon.world/tags/gcp" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>gcp</span></a> <a href="https://mastodon.world/tags/jwt" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>jwt</span></a> <a href="https://mastodon.world/tags/kafka" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>kafka</span></a> <a 
href="https://mastodon.world/tags/kubernetes" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>kubernetes</span></a> <a href="https://mastodon.world/tags/mysql" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>mysql</span></a> <a href="https://mastodon.world/tags/redis" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>redis</span></a> <a href="https://mastodon.world/tags/seniorengineer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>seniorengineer</span></a><br>🌎 Bengaluru, India<br>⏰ Full-time<br>🏢 SoundHound</p><p>Job details <a href="https://jobsfordevelopers.com/jobs/senior-software-engineer-at-soundhound-com-jun-9-2025-bb0adc?utm_source=mastodon.world&amp;utm_medium=social&amp;utm_campaign=posting" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">jobsfordevelopers.com/jobs/sen</span><span class="invisible">ior-software-engineer-at-soundhound-com-jun-9-2025-bb0adc?utm_source=mastodon.world&amp;utm_medium=social&amp;utm_campaign=posting</span></a><br><a href="https://mastodon.world/tags/jobalert" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>jobalert</span></a> <a href="https://mastodon.world/tags/jobsearch" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>jobsearch</span></a> <a href="https://mastodon.world/tags/hiring" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>hiring</span></a></p>
Sam Stepanyan :verified: 🐘<p><a href="https://infosec.exchange/tags/JWT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>JWT</span></a>: 'Attacking JWT using X509 Certificates': how an attacker could sign the JWT token with their own private key and modify the header value to specify their public key for signature verification:<br><a href="https://infosec.exchange/tags/AppSec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AppSec</span></a><br><a href="https://infosec.exchange/tags/APIsecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>APIsecurity</span></a></p><p><a href="https://trustedsec.com/blog/attacking-jwt-using-x509-certificates" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">trustedsec.com/blog/attacking-</span><span class="invisible">jwt-using-x509-certificates</span></a></p>
|7eter l-|. l3oling 🧰<p>:ruby: Let's support kids.</p><p>By "kids", I of course mean support for Key IDs (kids) in JWT assertions (IETF rfc7515 JSON Web Signature - JWS compliant)</p><p>Of course, I also mean <a href="https://ruby.social/tags/FreePalestine" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FreePalestine</span></a>, and <a href="https://ruby.social/tags/SayNoToGenocide" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SayNoToGenocide</span></a></p><p>For a full writeup:</p><p><a href="https://dev.to/galtzo/ann-oauth2-v2012-w-support-for-kids-57be" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">dev.to/galtzo/ann-oauth2-v2012</span><span class="invisible">-w-support-for-kids-57be</span></a></p><p><a href="https://ruby.social/tags/Ruby" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Ruby</span></a> <a href="https://ruby.social/tags/JWT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>JWT</span></a> <a href="https://ruby.social/tags/Oauth2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Oauth2</span></a></p>
Markus Eisele<p>The Curious Case of the Tampered Token <br><a href="https://myfear.substack.com/p/jwt-quarkus-murder-mystery" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">myfear.substack.com/p/jwt-quar</span><span class="invisible">kus-murder-mystery</span></a><br><a href="https://mastodon.online/tags/Java" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Java</span></a> <a href="https://mastodon.online/tags/Quarkus" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Quarkus</span></a> <a href="https://mastodon.online/tags/JWT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>JWT</span></a> <a href="https://mastodon.online/tags/Security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Security</span></a> <a href="https://mastodon.online/tags/Microprofile" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Microprofile</span></a></p>
Felix Palmen :freebsd: :c64:<p>Good morning! ☕ </p><p>Now that I can't find any other bugs in <a href="https://mastodon.bsd.cafe/tags/swad" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>swad</span></a> any more, I'm thinking again about how I could improve it.</p><p>Would anyone consider deploying it on a busy site right now? Either as a replacement for <a href="https://mastodon.bsd.cafe/tags/Anubis" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Anubis</span></a> (proof-of-work against bots), or for simple non-federated <a href="https://mastodon.bsd.cafe/tags/authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>authentication</span></a>, or maybe even both?</p><p>I'm currently not sure how well it would scale. The reason is the design with server-side sessions, which is simple and very light-weight "on the wire", but needs server-side RAM for each and every client. It's hard to guess how this would turn out on very busy sites.</p><p>So, I'm thinking about moving to a stateless design. The obvious technical choice for that would be to issue a signed <a href="https://mastodon.bsd.cafe/tags/JWT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>JWT</span></a> (JSON Web Token), just like Anubis does it as well. This would have a few consequences though:</p><p>* OpenSSL/LibreSSL would be a hard build dependency. Right now, it's only needed if the proof-of-work checker and/or TLS support is enabled.<br>* You'd need an X509 certificate in any case to operate swad, even without TLS, just for signing the JWTs.<br>* My current CSRF-protection would stop working (it's based on random tokens stored in the session). Probably not THAT bad, the login itself doesn't need it at all, and once logged in, the only action swad supports is logout, which then COULD be spoofed, but that's more an annoyance than a security threat... 
🤔<br>* I would *still* need some server-side RAM for each and every client to implement the rate-limits for failed logins. At least, that's not as much RAM as currently.</p><p>Any thoughts? Should I work on going (almost) "stateless"?</p>
damienbod<p>New Microsoft docs: Configure JWT bearer authentication in ASP.NET Core</p><p><a href="https://learn.microsoft.com/aspnet/core/security/authentication/configure-jwt-bearer-authentication" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">learn.microsoft.com/aspnet/cor</span><span class="invisible">e/security/authentication/configure-jwt-bearer-authentication</span></a></p><p><a href="https://mastodon.social/tags/jwt" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>jwt</span></a> <a href="https://mastodon.social/tags/aspnetcore" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>aspnetcore</span></a> <a href="https://mastodon.social/tags/dotnet" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dotnet</span></a> <a href="https://mastodon.social/tags/oidc" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>oidc</span></a> <a href="https://mastodon.social/tags/bearer" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>bearer</span></a> <a href="https://mastodon.social/tags/authorization" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>authorization</span></a> <a href="https://mastodon.social/tags/access" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>access</span></a> <a href="https://mastodon.social/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a></p><p>Thanks Mike Kistler Rick Anderson Stephen Halter</p>
d0rk ✅<p>Never saw that before (until now) and I thought it was a somewhat funny oxymoron:</p><p>A <a href="https://mastodon.social/tags/nonce" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>nonce</span></a> claim in a <a href="https://mastodon.social/tags/JWT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>JWT</span></a></p><p><a href="https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-token-claims#public-claims" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">auth0.com/docs/secure/tokens/j</span><span class="invisible">son-web-tokens/json-web-token-claims#public-claims</span></a></p>
ONLYOFFICE<p>Good news for <a href="https://fosstodon.org/tags/Alfresco" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Alfresco</span></a> users!</p><p>The newest release of the <a href="https://fosstodon.org/tags/ONLYOFFICE" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ONLYOFFICE</span></a> connector for Alfresco introduces powerful features to work with <a href="https://fosstodon.org/tags/PDF" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PDF</span></a> files and create interactive fillable forms in PDF format: </p><p>✅ PDF editing and collaboration</p><p>✅ PDF form creation</p><p>✅ Default empty file templates</p><p>✅ Default <a href="https://fosstodon.org/tags/JWT" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>JWT</span></a> token lifetime configuration </p><p>✅ Updated demo server address and more</p><p>Read our blog to learn more about this release: <a href="https://www.onlyoffice.com/blog/2025/01/onlyoffice-connector-for-alfresco-v8-0?utm_source=social&amp;utm_medium=post&amp;utm_campaign=fosstodon" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">onlyoffice.com/blog/2025/01/on</span><span class="invisible">lyoffice-connector-for-alfresco-v8-0?utm_source=social&amp;utm_medium=post&amp;utm_campaign=fosstodon</span></a></p>
Neil Madden<p>Updated my Internet-Draft that deprecates <a href="https://infosec.exchange/tags/jose" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>jose</span></a> <a href="https://infosec.exchange/tags/jwt" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>jwt</span></a> “none” and “RSA1_5” algorithms. Added some guidelines for reviewers to ensure future algorithm registrations all have consistent (baseline) security goals.</p><p><a href="https://neilmadden.github.io/jose-deprecate-none-rsa1_5/draft-madden-jose-deprecate-none-rsa15.html#name-updated-review-instructions" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">neilmadden.github.io/jose-depr</span><span class="invisible">ecate-none-rsa1_5/draft-madden-jose-deprecate-none-rsa15.html#name-updated-review-instructions</span></a></p>
gemma lynn<p>today was my last day at <span class="h-card"><a href="https://fedi.wondernetwork.com/@wonderproxy" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>wonderproxy</span></a></span>. last day working with <span class="h-card"><a href="https://phpc.social/@preinheimer" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>preinheimer</span></a></span> and <span class="h-card"><a href="https://glammr.us/@schmalliso" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>schmalliso</span></a></span> and <span class="h-card"><a href="https://mas.to/@tdriley" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>tdriley</span></a></span> and will (and puck, the new me!).</p><p>it's been a pretty solid decade, folks. i have some FEELS. i learned <a href="https://bsd.network/tags/golang" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>golang</span></a>, <a href="https://bsd.network/tags/reactjs" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>reactjs</span></a>, <a href="https://bsd.network/tags/nodejs" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>nodejs</span></a>, <a href="https://bsd.network/tags/selenium" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>selenium</span></a>, <a href="https://bsd.network/tags/playwright" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>playwright</span></a>, <a href="https://bsd.network/tags/puppet" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>puppet</span></a>, <a href="https://bsd.network/tags/docker" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>docker</span></a>, <a href="https://bsd.network/tags/mongodb" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>mongodb</span></a>, and how and why not to use <a href="https://bsd.network/tags/jwt" class="mention hashtag" rel="nofollow 
noopener" target="_blank">#<span>jwt</span></a>'s. i keynoted <a href="https://bsd.network/tags/phptek" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>phptek</span></a>, staffed a vendor booth at <a href="https://bsd.network/tags/saucecon" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>saucecon</span></a>, and contributed (a very little bit) to my favorite <a href="https://bsd.network/tags/php" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>php</span></a> framework.</p><p>there is nothing in my adult life that has had as much of an impact on my career as the folks at wonderproxy. thanks for being awesome, wonderpeople. it's been a privilege working with you.</p>
Neil Madden<p>Coming soon. Too late to submit the I-D now due to pending IETF meeting, but will submit it when the datatracker re-opens.</p><p>Deprecating alg:none and RSA PKCS#1 v1.5 encryption. </p><p><a href="https://neilmadden.github.io/jose-deprecate-none-rsa1_5/draft-madden-jose-deprecate-none-rsa15.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">neilmadden.github.io/jose-depr</span><span class="invisible">ecate-none-rsa1_5/draft-madden-jose-deprecate-none-rsa15.html</span></a></p><p><a href="https://infosec.exchange/tags/jwt" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>jwt</span></a> <a href="https://infosec.exchange/tags/jose" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>jose</span></a> <a href="https://infosec.exchange/tags/cryptography" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cryptography</span></a></p>
Thomas Broyer<p>And another one published simultaneously: Why are JWT?</p><p>about why you don't actually want to add them to your application, and certainly not as a kind of session token</p><p><a href="https://blog.ltgt.net/jwt/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">blog.ltgt.net/jwt/</span><span class="invisible"></span></a></p><p><a href="https://piaille.fr/tags/jwt" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>jwt</span></a> <a href="https://piaille.fr/tags/security" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>security</span></a> <a href="https://piaille.fr/tags/webdev" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>webdev</span></a></p>