Developer Portals: authentication
It’s one of the great privileges of my career to be a part of the Developer Portal awards. Along with other jurors, I’ve had to judge about 20 portals in a couple of categories.
I think all of us on the juries also have full-time jobs, so the time we have to judge these portals is limited.
The key to an excellent developer portal is to share something that a somewhat knowledgeable user can test in minutes.
There are a few apps where you can install the product and start testing in minutes. I’ll have more on that later.
I’ve had the good fortune to work in software authentication. I’ve written about software associated with various authentication protocols, from pluggable authentication modules to OAuth 2.
So when I see a JWT token in a developer portal, I immediately wonder: could I use it with a REST call? I copy/paste it into my CLI and am immediately disappointed.
If it worked, I know it suggests a security issue. For all practical purposes, even an expired JWT token is “personally identifying information.”
If you find one, copy it to a decoder like jwt.io. See what it tells you about the author. Ask yourself: do you want to share that information online?
For the purpose of this post, here’s a simplified JWT token, which is the sanitized default shown at jwt.io. Copy it to the Encoded section of jwt.io and see what happens!
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
I’ve seen enough of these tokens to know that they start with ey (the base64url encoding of the two characters {" that open the token’s JSON header).
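The decoding step above (paste the token into jwt.io, see what it says about the author) and the "starts with ey" heuristic can be turned into a small offline check that a portal owner can run over their own documentation before publishing it. The following is an added example and not code from the original post or from jwt.io; the scanning regex, the list of identifying claims and the `SAMPLE_DOC` snippet (which embeds the sanitized jwt.io token quoted above) are my own constructions. It reads the header and payload without verifying the signature, which is exactly the point: a JWT body is only encoded, not encrypted, so whatever it carries is readable by anyone who finds it.

```python
import base64
import json
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# JWT-shaped strings: three base64url segments separated by dots. The first
# segment is always a JSON object starting with '{"', whose base64url encoding
# is "ey", and the same holds for the payload segment.
JWT_PATTERN = re.compile(r"eyJ[A-Za-z0-9_-]+\.ey[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")

# Claims that identify the person, tenant or issuer the token was minted for.
# This list is an assumption for the example; extend it for your own issuer.
IDENTIFYING_CLAIMS = ("sub", "name", "email", "preferred_username", "upn", "tid", "iss")

# Constructed sample of portal documentation. The token is the sanitized
# jwt.io default quoted in the post; the host name is a placeholder.
SAMPLE_DOC = """
curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c" https://api.example.invalid/v1/me
"""


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_unverified(token: str) -> Dict[str, dict]:
    """Return the header and payload of a JWT WITHOUT checking its signature.

    This mirrors what jwt.io displays: no key is needed to read the claims.
    """
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
    }


def assess_token(token: str, now: Optional[datetime] = None) -> dict:
    """Summarise what a found token reveals and whether it is still live."""
    now = now or datetime.now(timezone.utc)
    decoded = decode_jwt_unverified(token)
    payload = decoded["payload"]
    exp = payload.get("exp")
    # A token with no "exp" claim never expires on its own, so treat that as
    # a separate finding rather than silently calling it "not expired".
    expired = exp is not None and datetime.fromtimestamp(exp, timezone.utc) < now
    issued_at = (
        datetime.fromtimestamp(payload["iat"], timezone.utc).isoformat()
        if "iat" in payload else None
    )
    return {
        "alg": decoded["header"].get("alg"),
        "issued_at": issued_at,
        "has_expiry": exp is not None,
        "expired": expired,
        "identifying_claims": {k: payload[k] for k in IDENTIFYING_CLAIMS if k in payload},
    }


def find_tokens(text: str) -> List[dict]:
    """Scan documentation text for JWT-shaped strings and assess each one."""
    return [
        {"token": m.group(0), **assess_token(m.group(0))}
        for m in JWT_PATTERN.finditer(text)
    ]


if __name__ == "__main__":
    for finding in find_tokens(SAMPLE_DOC):
        print(json.dumps(finding, indent=2))
```

Run against the sample, the scanner reports one token signed with HS256, issued on 2018-01-18, with no `exp` claim and two identifying claims (`sub` and `name`). Those last two fields are the answer to the question in the post: even this sanitized token names a subject, and a real one copied out of a portal would carry whatever the issuer put there.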