re: Be careful of the JWT hype train VIEW POST

re: Actually, it's assumed that generation of JWT and exchange of it has to be conducted through SSL for security reasons. So I don't really think JW...

But JWT assumes that both parties know each other, JWT doesn't address that problem.

Nah pretty sure SSL doesn't work this way.

Since that technology just provides you a encrypted tunnel.

It does not identify you as who you are as a user besides basic information of the computer you are using.

No, the raison d'etre of SSL is that each communication is safe, so it can't be read or modified by a third party, exactly what JWT promises.

Yeah you are assuming that it identifies the user who are using it but the SSL only identify the computer itself is being used but the problem is that you can have multiple ppl using the same computer. So it is not that specific to the point of that it identify the correct information the user is using at the specific point of time

😵 in a nutshell, we already have session and ssl, the encryption is done by ssl and the identification is done by the session (or cookies or token). SSL is not about identification but that it is possible with a session that it doesn't require a special tool to configure.

So, why we need JWT? To replace ssl and session/cookies? Not really, we still use ssl and or session.

JWT allows a way to not have to check a central DB for every request to say an API. Albeit not w/o drawbacks as covered by this piece. So instead of -- 1) receive request, 2) look up user's session for info and to determine if it's valid, 3) serve user request -- with JWT you can eliminate step 2.

As the author describes for most small and medium sites, validating a request against a central session store is really not that onerous. It's only when you get into Netflix territory - then you have to worry about how to distribute all that state where it's always available and accurate in real time for any service that needs to authenticate the user.

code of conduct - report abuse