Split Token Flow: A solution to the security problem of the JWT

OAuth2, OIDC, and their foundation, the JWT, have been an industry standard for many years, with no sign of slowing down. On the contrary, the OAuth RFC continues to be iteratively improved, aligning with FHIR and Open Banking principles.

All that to say, we should expect the OAuth flow to continue to reign supreme.

There are two types of access tokens in the OAuth flow, opaque and JWT (JWS more precisely). The problem with the JWT is the inherent leakiness. There is a massive debate amongst the community…

Let’s say you fork a public open source repo to your laptop, then decide you’re ready to publish it to your own repository.

So if I clone a public repo:

➜ git clone https://github.com/sedkis/auth-plugin
clone complete
➜ git remote -v
origin git@github.com:sedkis/auth-plugin.git (fetch)
origin git@github.com:sedkis/auth-plugin.git (push)

It’s pointing at the old repo. If I’m ready to publish this repo to another host, I first create my new repo on GitHub (or wherever), then change the git origin to it and push:

➜ git remote rm origin
➜ git remote add origin git@github.com:new-origin/auth-plugin.git
➜ git remote -v
origin git@github.com:new-origin/auth-plugin.git (fetch)
origin git@github.com:new-origin/auth-plugin.git (push)
➜ git push -u origin HEAD

Voilà! Published code to my own repo.

Having a really efficient command line is awesome. It can save you a lot of time. It’s worth taking the time to set up a terminal that is intuitive and customized to you and your workflow.

With the right software, you can do things like autocomplete your Git commands, Docker commands and more. This alone is worth it. But also, you get DARK MODE!

Must Haves

  1. iTerm2 — Replace and make this your default Terminal NOW. Check out all the FEATURES!
  2. Oh My Zsh — Steroids for your terminal. …

Here’s an easy way to keep your Docker secrets in your version control, without having to create multiple Dockerfiles for each environment.

Before you continue, I assume you have a decent understanding of:

  1. Docker (compose)
  2. Java

We’ll create a Dockerfile that references a generic secret name, and then map an environment-specific secret to the generic secret name our Docker container expects.

First let’s go ahead and create the docker secrets in our environment:

➜ echo "devpwd" | docker secret create my-secret-DEV -
➜ echo "prdpwd" | docker secret create my-secret-PRD -
➜ docker secret ls

Sedky Abou-Shamalah
