02-26, 11:00–11:30 (UTC), Ríma
This presentation covers the concept of transaction tokens, why Yahoo implemented them at scale, and the security benefits they offer.
By replacing cookies and access tokens with short-lived, encrypted JWTs, Yahoo aims to reduce exposure to risks such as internal cookie leakage, replay attacks, and server-side request forgery. The session provides an end-to-end overview of the solution, its use cases, and the lessons learned during adoption. We will cover the following key areas:
1. The problem: An overview of Yahoo's current authorization model and the security gaps identified.
2. The solution — What are Transaction Tokens?: Definition, structure, and comparison with existing authorization methods.
3. The solution — How Transaction Tokens Work: Detailed explanation of the end-to-end solution, including the process of obtaining and verifying transaction tokens.
4. The solution — Use cases and benefits: Practical applications in different services, highlighting the reduction of security risks.
5. Implementation and integration: Steps for integrating transaction tokens, including the development of validation libraries and transition plans.
6. Challenges and solutions: Addressing potential challenges, and strategies for a smooth rollout.
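To make the "obtaining and verifying" step and the replay-resistance claim concrete, here is an added, self-contained Python example. It is not Yahoo's code and does not follow any particular specification; it is an illustration of the pattern: a token service mints a short-lived JWT bound to one downstream audience and one purpose, and a per-service verifier checks the signature, audience and expiry and rejects a token that is presented twice. It uses HS256 signing rather than the encryption the abstract mentions, and the issuer URL, audience names, key and 30-second TTL are all constructed for the demo.

```python
"""Illustrative transaction-token mint/verify flow (added example, not Yahoo's code)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

# Constructed demo key. A real deployment would use asymmetric keys held in a KMS/HSM.
SIGNING_KEY = b"demo-signing-key-not-for-production"
TOKEN_TTL_SECONDS = 30          # short-lived by design: bounds the replay window
ISSUER = "https://token-service.example"   # assumed issuer name


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_transaction_token(subject: str, audience: str, purpose: str,
                           now: Optional[float] = None) -> str:
    """Issue a short-lived HS256 JWT bound to one downstream service and one purpose."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,
        "sub": subject,
        "aud": audience,                 # the single service allowed to accept this token
        "purpose": purpose,              # the transaction this token authorizes
        "iat": int(now),
        "exp": int(now) + TOKEN_TTL_SECONDS,
        "jti": secrets.token_urlsafe(16),  # unique id used for replay detection
    }
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


class TransactionTokenVerifier:
    """Verifier embedded in one service; remembers jti values until they expire."""

    def __init__(self, expected_audience: str):
        self.expected_audience = expected_audience
        self._seen: Dict[str, int] = {}  # jti -> exp

    def verify(self, token: str, now: Optional[float] = None) -> dict:
        now = time.time() if now is None else now
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed token")
        h64, c64, s64 = parts
        header = json.loads(_b64url_decode(h64))
        if header.get("alg") != "HS256":          # allow-list the algorithm; never trust "none"
            raise ValueError("unexpected alg")
        expected = hmac.new(SIGNING_KEY, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s64)):
            raise ValueError("bad signature")
        claims = json.loads(_b64url_decode(c64))
        if claims.get("iss") != ISSUER:
            raise ValueError("unknown issuer")
        if claims.get("aud") != self.expected_audience:
            raise ValueError("audience mismatch")   # a token for service A is useless against service B
        if now >= claims["exp"]:
            raise ValueError("expired")
        # Drop expired jti entries, then reject anything already presented within its lifetime.
        self._seen = {j: e for j, e in self._seen.items() if e > now}
        if claims["jti"] in self._seen:
            raise ValueError("replayed token")
        self._seen[claims["jti"]] = claims["exp"]
        return claims


def check(verifier: TransactionTokenVerifier, token: str, now: float) -> str:
    """Return 'ok' or the rejection reason, for callers that prefer a result over an exception."""
    try:
        verifier.verify(token, now=now)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    t0 = time.time()
    tok = mint_transaction_token("user123", "orders-service", "checkout", now=t0)
    orders = TransactionTokenVerifier("orders-service")
    print(check(orders, tok, t0 + 5))   # ok
    print(check(orders, tok, t0 + 6))   # replayed token
    print(check(TransactionTokenVerifier("payments-service"), tok, t0 + 1))  # audience mismatch
```

Because the jti cache only has to remember tokens for the TTL, a short lifetime keeps the replay state small; binding the audience means a token leaked from one internal service cannot be forwarded to another, which is the property that a broadly scoped cookie lacks.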