
Update: JSON Web Token Cheat Sheet for Java

Open chalbersma opened this issue 2 years ago • 15 comments

What is missing or needs to be updated?

How difficult would it be to make this multi-language? JWTs have sort of become a web standard as an authentication/authorization primitive. It would be nice to have the common operations (parsing, validating, best practices etc...) spelled out in various languages (like python, nodejs etc...).

How should this be resolved?

Either the creation of a JSON Web Token Cheat Sheet for <Lang> or generalizing the Java cheat sheet. That might be something I could contribute to. But I'm not necessarily a JWT expert.

chalbersma avatar Jul 26 '23 15:07 chalbersma

I would love to see this made generic. As you said, JWTs are used in many languages.

szh avatar Jul 26 '23 16:07 szh

If you ignore the code examples, most of this CS is already generic, so are you (@chalbersma) wanting a CS that has examples in other programming languages such as Python, NodeJS, etc.? That would be unwieldy if all crammed into a single CS, but probably doable if we want multiple ones per language. If that is done, then the contents of this CS should be refactored into a language-neutral one that only discusses JWT (both things to do and things to avoid) in a common JWT cheat sheet, and this one for Java should be refactored to take advantage of the common one. Either that or just write all the examples in some suitable pseudo-code. I just don't think doing this correctly would be trivial. Sure, someone could copy the "JSON Web Token Cheat Sheet for Java" and only change the examples to (say) Python, but that doesn't scale well since if some common JWT advice needs to be revised (which seems inevitable in the long term), then it needs to get updated in multiple places.

So the bottom line here, I think, is to proceed with caution and don't underestimate the effort involved.

Just my $.02.

kwwall avatar Jul 26 '23 17:07 kwwall

I think it makes more sense to just maintain a generic one, using Java or pseudo-code or whatever language. I don't think it's necessary or worthwhile to keep separate cheat sheets for different languages or to have multiple language code samples. I think the best path forward is to just generalize the existing CS and remove "for Java" from the name.

szh avatar Jul 26 '23 18:07 szh

Per @szh -

I think the best path forward is to just generalize the existing CS and remove "for Java" from the name.

I agree. I think removing the "for Java" will go a long way to set expectations. Doing that and just explaining at the beginning that Java was just selected as the language to illustrate examples might be all that is needed.

kwwall avatar Jul 27 '23 00:07 kwwall

Agreed +1

jmanico avatar Jul 27 '23 04:07 jmanico

Great, seems like we agree on a path forward. @chalbersma do you want to spearhead this effort and submit a PR for it?

szh avatar Jul 28 '23 02:07 szh

Oof, I was hoping that just suggesting it would make someone with more time take it over. Additionally, part of the reason I was looking at the guide in the first place is that I'm not certain that I actually have the expertise to write the guide. In theory, I know what I'd want to see for generic examples (at least in Python). But it's likely that I would make some legitimate errors.

I'll see what I can come up with though.

chalbersma avatar Aug 02 '23 20:08 chalbersma

@chalbersma - I don't think what we are proposing requires a lot of technical depth, but just an investment of some of your time. One or 2 of us will review it so you don't need to be an expert in this specific case because I think the changes will be minor, as recommended in https://github.com/OWASP/CheatSheetSeries/issues/1176#issuecomment-1652753291.

kwwall avatar Aug 02 '23 23:08 kwwall

I think this is a really good idea, how can I help support this?

jmanico avatar Aug 07 '23 14:08 jmanico

@jmanico I got some Friday free time and made a super rough draft. Would love some feedback (or even a pull request or two).

chalbersma avatar Aug 11 '23 21:08 chalbersma

I’m at defcon, give me a few days, please :)

jmanico avatar Aug 11 '23 22:08 jmanico

Love the way the multi-language code example looks. Pretty sweet. Didn't even know you could do that in Markdown.

kwwall avatar Aug 11 '23 23:08 kwwall

Love the way the multi-language code example looks. Pretty sweet. Didn't even know you could do that in Markdown.

Oh ya the pymdown extensions essentially give you most of the nice features from sphinx in markdown if you want them.

chalbersma avatar Aug 13 '23 06:08 chalbersma
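As an added illustration of the multi-language layout discussed above (not part of this thread or of the cheat sheet draft), this is what a tabbed code block looks like when the pymdownx.tabbed and pymdownx.superfences extensions are enabled in mkdocs.yml (assumed configuration). The snippets inside the tabs are constructed examples of verifying a token with a pinned algorithm and explicit issuer/audience checks; PyJWT and auth0's java-jwt are assumed library choices, not the page's:

```markdown
=== "Python"

    ```python
    import jwt  # PyJWT (assumed library)

    def verify(token: str, key: str) -> dict:
        # Pin the accepted algorithm and check issuer and audience explicitly,
        # so the token's own "alg" header cannot select the verification method.
        return jwt.decode(
            token,
            key,
            algorithms=["HS256"],
            issuer="https://issuer.example",   # constructed value
            audience="my-api",                 # constructed value
        )
    ```

=== "Java"

    ```java
    import com.auth0.jwt.JWT;
    import com.auth0.jwt.algorithms.Algorithm;
    import com.auth0.jwt.interfaces.DecodedJWT;

    // auth0 java-jwt (assumed library): the verifier is built for one algorithm,
    // so a token claiming a different "alg" is rejected during verify().
    DecodedJWT decoded = JWT.require(Algorithm.HMAC256(secret))
        .withIssuer("https://issuer.example")   // constructed value
        .withAudience("my-api")                 // constructed value
        .build()
        .verify(token);
    ```
```

Each `=== "Title"` line opens a tab and its body is indented four spaces; the same Markdown source renders as one tab per language, which is what lets a single generic cheat sheet carry several language examples without duplicating the surrounding advice.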

Not 100% sure where this proposal is at, but I noticed there is still a "Help Wanted" tag. If assistance is still needed, I could help. I have experience with JWT security and multiple programming languages.

EbonyAdder avatar Nov 23 '23 14:11 EbonyAdder

Not 100% sure where this proposal is at, but I noticed there is still a "Help Wanted" tag. If assistance is still needed, I could help. I have experience with JWT security and multiple programming languages.

By all means, check out the draft and let us know what you think! It's listed above :)

jmanico avatar Nov 24 '23 16:11 jmanico