Discussion on: Be careful of the JWT hype train

Davyd McColl

You don't need JWT, so don't take it that way; but I think you've perhaps had some difficulties and you're perhaps missing a thing or two:

  • on transience: a session cookie has transience too -- and it can be stolen just as effectively as a JWT. Anything which has "physical" access to the document can hijack cookies or localStorage. Anything "on the page" can steal my auth cookie too. Cookies won't save you here.
    • naturally, the fix is to make your JWT have a short lifespan and include a renew token which is automatically used when a web call encounters a 401. Handling expired tokens isn't really your problem -- there are already good frameworks to deal with this, and good auth providers (like Auth0) so you can have someone else deal with this complexity and the security of your user data in a professional manner.
  • No-one said you had to include the JWT as a bearer token. You can use it however you like, including as a cookie.
  • There must be no secret data in a JWT. If there is, you're doing it wrong. The point of the JWT is to allow the front-end to make display decisions based on the user's scopes. Your backend still has to implement real security. The front-end should be able to validate the JWT, if it really wants to, by hitting an endpoint. NO JWT SECRETS MUST BE AT THE CLIENT. You should be using something like the OpenID Connect flow, where your login and secrets are done server-side, giving back a token to the web client. The other flows are meant for server-to-server processing, so if you're using them in the client, yes, you're doing it wrong and yes you're not secure at all.

All of this is not to say you can't (or shouldn't) use session-based auth -- go ahead! JWTs just make it easier to:

  • make client-side display decisions for the user (e.g. if she doesn't have access to the admin area, don't show the links)
  • centralize your authentication and authorization in one service which doesn't have to be duplicated across web apps. This service can be queried for token validation as and when necessary.

Doing JWTs properly is hard. I've done it a few times -- and wrong a few of those times! But where I'm standing, the friction to get them working with something like IdentityServer is so low and the benefits for "heavier" client-side web applications outweigh the small setup cost.
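
The renew-on-401 handling mentioned in the comment above, sketched as an added example that is not part of the original comment and not the code of any framework or provider it names. `createAuthClient`, `transport`, `renew` and the fake backend are hypothetical names and constructed stand-ins; the sketch shows one retry per request and a single shared renewal when several calls hit a 401 at once.

```javascript
// Added example; createAuthClient, transport and renew are hypothetical names.
// transport(url, accessToken) resolves to {status, body}; renew(refreshToken)
// resolves to {accessToken, refreshToken}. Both are injected so this runs offline.
function createAuthClient({ transport, renew, tokens }) {
  let current = { ...tokens };
  let inFlightRenewal = null; // shared by concurrent callers (single-flight)

  function renewOnce() {
    if (!inFlightRenewal) {
      inFlightRenewal = renew(current.refreshToken)
        .then((fresh) => { current = fresh; })
        .finally(() => { inFlightRenewal = null; });
    }
    return inFlightRenewal;
  }

  async function request(url) {
    const used = current.accessToken;
    const res = await transport(url, used);
    if (res.status !== 401) return res;
    // Skip renewal if another caller already replaced the token we used.
    if (current.accessToken === used) await renewOnce();
    // Retry exactly once; a second 401 goes back to the caller (re-login).
    return transport(url, current.accessToken);
  }
  return { request };
}

// Constructed stand-ins for an API and an auth provider.
function makeFakeBackend() {
  const state = { valid: "access-2", renewals: 0 };
  const transport = async (url, token) =>
    token === state.valid ? { status: 200, body: url } : { status: 401, body: null };
  const renew = async (refreshToken) => {
    if (refreshToken !== "refresh-1") throw new Error("refresh token rejected");
    state.renewals += 1;
    return { accessToken: state.valid, refreshToken: "refresh-2" };
  };
  return { state, transport, renew };
}

async function demo(tokens = { accessToken: "access-1", refreshToken: "refresh-1" }) {
  const { state, transport, renew } = makeFakeBackend();
  const client = createAuthClient({ transport, renew, tokens });
  const results = await Promise.all([client.request("/a"), client.request("/b")]);
  return { statuses: results.map((r) => r.status), renewals: state.renewals };
}
```

A rejected renewal propagates to every waiting caller, which is the point at which the user has to log in again.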