Development Practices
Byte size (15 min)
INTERMEDIATE

Stop Using JSON Web Tokens (JWTs) for Authorization!

JWTs (JSON Web Tokens) are everywhere—frontends, backends, microservices—and for good reason: they're easy to pass around, self-contained, and standardized. But while JWTs can be a solid fit for authentication, using them for authorization is a decision that comes with serious pitfalls—especially in distributed systems.

In this lightning talk, we’ll explore the technical and security limitations of JWT-based authorization and explain why they're fundamentally incompatible with the needs of modern applications. From the infamous "New Enemy Problem" described in Google’s Zanzibar paper to the vague semantics of scope claims and the difficulty of revoking tokens in-flight, we’ll unpack the real-world consequences of treating JWTs as your AuthZ layer.
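The revocation problem the abstract mentions is easy to see in code. The following is an added illustration, not material from the talk or from AuthZed: it hand-rolls a minimal HS256 JWT with the standard library (so it runs offline), mints a token that carries a permission as a claim, then revokes that permission in a hypothetical in-memory permission store. The token-embedded check keeps granting access until the token expires, while a request-time lookup reflects the revocation immediately. The secret, subject, permission string and `PermissionStore` are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-secret-not-for-production"  # constructed for the example


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT (stdlib only, so the example has no dependencies)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes = SECRET, now=None) -> dict:
    """Check structure, pinned algorithm, signature and expiry; return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims


# Pattern 1: authorization decided from claims baked into the token.
def authorize_from_token(token: str, permission: str, now=None) -> bool:
    claims = verify_jwt(token, now=now)
    return permission in claims.get("permissions", [])


# Pattern 2: the token only proves identity; permissions are looked up per request.
class PermissionStore:
    """Hypothetical in-memory stand-in for a central authorization service."""

    def __init__(self):
        self._grants = {}

    def grant(self, subject: str, permission: str) -> None:
        self._grants.setdefault(subject, set()).add(permission)

    def revoke(self, subject: str, permission: str) -> None:
        self._grants.get(subject, set()).discard(permission)

    def check(self, subject: str, permission: str) -> bool:
        return permission in self._grants.get(subject, set())


def authorize_with_lookup(token: str, permission: str, store: PermissionStore, now=None) -> bool:
    claims = verify_jwt(token, now=now)            # authentication: who is calling
    return store.check(claims["sub"], permission)  # authorization: what they may do right now


def revocation_demo() -> dict:
    """Grant, mint a one-hour token, revoke, and compare both patterns before and after."""
    now = 1_700_000_000  # fixed clock so the run is deterministic
    store = PermissionStore()
    store.grant("alice", "doc:42:read")
    token = issue_jwt({"sub": "alice", "permissions": ["doc:42:read"], "exp": now + 3600})
    before = (authorize_from_token(token, "doc:42:read", now),
              authorize_with_lookup(token, "doc:42:read", store, now))
    store.revoke("alice", "doc:42:read")  # admin revokes while the token is still in flight
    after = (authorize_from_token(token, "doc:42:read", now + 60),
             authorize_with_lookup(token, "doc:42:read", store, now + 60))
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(revocation_demo())
```

The signature and expiry checks both still pass after revocation, which is exactly the point: a verifier can only tell that the claims were true when the token was issued, not that they are true now. Shortening `exp` narrows the window but does not close it, and a denylist of revoked token IDs reintroduces the per-request lookup that the self-contained token was supposed to avoid.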

Sohan Maheshwar, AuthZed


Thursday, April 2, 16:10-16:25
Zaal 10
Tags: authorization, jwt, limitations, security
Speaker: Sohan Maheshwar, AuthZed, Netherlands

Sohan is a Lead Developer Advocate at AuthZed, based in the Netherlands. He started his career as a developer building mobile apps and has been living in the cloud since 2013, at companies such as Amazon, Fermyon and Gupshup. He is also an O'Reilly author, having created a course on Cloud Concepts for Everyone.

He has always been interested in emerging technologies and how they shape the world around us.
