JWT Usage Debate
The cluster centers on debates about the suitability of JSON Web Tokens (JWT) for authentication and sessions, highlighting security pitfalls, footguns, and alternatives while referencing critical articles.
Sample Comments
Why avoid JWT? Has there been some new development regarding it that makes it unsuitable for auth? I just started using it in a new app...
I stand corrected. JWTs seem perfect for their purpose.
You're missing that JWT were a bad idea in the first place. Oldish but still largely relevant: https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-ba...
Yes, I'm the author. Long as the JWT spec implements a strong method of encryption, it's a good option.
Can you expand on JWT thing? Why should it be avoided?
It's generally a good idea to avoid JWT. There are a lot of foot-guns in JWT, and many implementations have gotten it wrong in the past. This[1] is a good summary on the topic.
[1]: https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-ba...
I don't see how this solution means you cannot use JWTs.
The "problem" is that JWTs are just a container format. There's nothing saying they even have to be signed, though they're designed to be more easily signed or encryptable. I've implemented the ridiculous SAML enveloped encryption/signature standard and canonicalization, and honestly, the simplicity of JWT while still providing for resilient security is a fine reason for its popularity when compared to some of the alternatives for federated id/authentication.
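An added example, not code from this thread or from any project it mentions, of the verifier-side discipline the comment above points at: because a JWT is only a container, the receiver must fix the accepted algorithm itself (so an unsigned `alg: none` token is refused) and check the signature before trusting the payload. The key and payload values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; a real deployment would load it from a secret store.
DEMO_KEY = b"demo-hmac-key-not-for-production"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(payload: dict, key: bytes) -> str:
    """Issue a compact JWS (JWT) signed with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the payload only if the token carries a valid HS256 signature.

    The accepted algorithm is pinned by the verifier and never taken from the
    token's own header, so "alg": "none" (or any other alg) is refused before
    any signature handling happens. Any malformed part also yields None.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
        if header.get("alg") != "HS256":  # do not trust the token's alg choice
            return None
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):  # constant-time compare
            return None
        return json.loads(_b64url_decode(payload_b64))
    except (ValueError, AttributeError):
        return None
```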
JWT is for when you really really need to re-invent certificates.
Why use JWT? https://www.educative.io/edpresso/why-should-you-use-jwts
There are downsides for almost everything out there. Outright dismissing JWTs is not correct.