Everything you wanted to know about working with and testing JWTs and JWKs but were afraid to ask.
If you’ve worked with APIs, particularly in the cloud, you’ve quite likely heard of JWTs (JSON Web Tokens). If you haven’t, this session is a great opportunity to get up to speed on these ubiquitous authentication and authorization credentials and on their counterpart, JWKs (JSON Web Keys): how to create, test, and validate them and, more importantly, how to run automated penetration tests against REST, Graph, and GraphQL endpoints that consume JWTs for authentication and authorization, all from PowerShell! We will cover:
1. What JWTs are.
2. What JWKs are.
3. Common usage patterns of JWTs and JWKs.
6. Introducing the PSJsonWebToken module: a fully realized STS (security token service) written in PowerShell Core that runs on Windows, macOS, and Linux!
7. How to create a JWT using New-JsonWebToken.
8. How to create JWKs and JWK sets using New-JsonWebKey and New-JsonWebKeySet.
9. Don’t like pre-packaged advanced functions like New-JsonWebToken? Want to roll your own? No problem: New-JwtSignature and some basic PowerShell will do it!
8. How to package and send JWTs via Invoke-RestMethod for REST endpoints and Invoke-GraphQLQuery for GraphQL endpoints.
9. How to validate a JWT (that a developer told you should be working but is not) via Test-JsonWebToken.
10. Common misconceptions about JWTs and JWKs.
11. Best practices for JWTs.
12. Penetration testing (hacking!!) JWT endpoints and building automated security tests with PowerShell, Pester, and PSJsonWebToken!
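As a taste of the "roll your own" item above (and of what a JWT actually is under the hood), here is an added example that is not from the talk and does not use the PSJsonWebToken module: a minimal HS256 signer and verifier in plain PowerShell 7, followed by the Invoke-RestMethod call that carries the token. The verifier pins the algorithm and compares signatures in constant time, the two checks a pentester will probe first. The issuer, audience, subject and endpoint URL are placeholders, and the key is generated on the spot.

```powershell
# Added example, not from the talk or from the PSJsonWebToken module: a minimal
# HS256 JWT signer and verifier in plain PowerShell 7 (Windows, macOS, Linux).
# Claim values, key and endpoint URL below are constructed placeholders.

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    # RFC 7515 base64url: URL-safe alphabet, padding stripped
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        1 { throw 'Invalid base64url length' }
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [Convert]::FromBase64String($s)
}

function New-HmacJwt {
    param(
        [Parameter(Mandatory)]$Claims,      # ordered hashtable of claims
        [Parameter(Mandatory)][byte[]]$Key  # HMAC secret, at least 32 random bytes
    )
    $header = [ordered]@{ alg = 'HS256'; typ = 'JWT' }
    $h = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes((ConvertTo-Json -InputObject $header -Compress)))
    $p = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes((ConvertTo-Json -InputObject $Claims -Compress)))
    # JWS signing input is the ASCII bytes of "header.payload"
    $signingInput = $h + '.' + $p
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($Key)
    $sig  = ConvertTo-Base64Url ($hmac.ComputeHash([Text.Encoding]::ASCII.GetBytes($signingInput)))
    $signingInput + '.' + $sig
}

function Test-HmacJwt {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][byte[]]$Key
    )
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Malformed JWT: expected header.payload.signature' }
    $header = [Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $parts[0])) | ConvertFrom-Json
    # Pin the algorithm on the verifier side; the token must never choose it.
    # This is what turns away "alg":"none" and algorithm-confusion tokens.
    if ($header.alg -cne 'HS256') { throw "Unexpected alg '$($header.alg)'" }
    $hmac     = [System.Security.Cryptography.HMACSHA256]::new($Key)
    $expected = $hmac.ComputeHash([Text.Encoding]::ASCII.GetBytes($parts[0] + '.' + $parts[1]))
    $actual   = ConvertFrom-Base64Url $parts[2]
    # Constant-time comparison: no early exit that would leak how many bytes matched.
    $diff = $expected.Length -bxor $actual.Length
    for ($i = 0; $i -lt [Math]::Min($expected.Length, $actual.Length); $i++) {
        $diff = $diff -bor ($expected[$i] -bxor $actual[$i])
    }
    if ($diff -ne 0) { throw 'Signature mismatch' }
    $claims = [Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $parts[1])) | ConvertFrom-Json
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    if ($null -ne $claims.exp -and $claims.exp -lt $now) { throw 'Token expired' }
    $claims
}

# --- usage ---
$key = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)

$now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$token = New-HmacJwt -Key $key -Claims ([ordered]@{
    iss = 'https://issuer.example'   # placeholder issuer
    sub = 'alice'                    # placeholder subject
    aud = 'api.example'              # placeholder audience
    iat = $now
    exp = $now + 300                 # five-minute lifetime
})
$token

# A good token verifies and returns its claims.
(Test-HmacJwt -Token $token -Key $key).sub

# A token whose header was rewritten to "alg":"none" (signature dropped) is rejected.
$noneHeader = ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes('{"alg":"none","typ":"JWT"}'))
$forged = $noneHeader + '.' + $token.Split('.')[1] + '.'
try { Test-HmacJwt -Token $forged -Key $key } catch { "Rejected: $_" }

# Sending it to a REST endpoint (placeholder URL; uncomment against a real API):
# Invoke-RestMethod -Uri 'https://api.example/resource' -Headers @{ Authorization = "Bearer $token" }
```

Two design points carry over to any verifier, home-grown or not: the accepted algorithm is fixed in code rather than read from the token, and the signature comparison does not short-circuit on the first differing byte. Swap the HMAC for an RSA or ECDSA signature over the same signing input and you have the asymmetric variant, where the JWK set the talk covers supplies the public key.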
Hope to see you there!
Tony Guimelli CISSP, CCSP