DEV Community


Discussion on: Please Stop Using Local Storage

rdegges profile image
Randall Degges Author

No. Unfortunately, if you are using OAuth or OIDC that's the name of the game.

I'm not a fan of either protocol due to to their poor structure and implementation issues. The burden in using these protocols is everywhere: on the authorization server, on the client, and anywhere else :(

If you're stuck using those protocols just do the best you can with the tools you have.

suhas_chatekar profile image
Suhas Chatekar

Why would you say that? I have been using OIDC for some time without any significant issues. Can you shed some light on why you think these protocols have problems?

cowbert profile image

The very fact that you're posting on means you're already using OAuth, as it's the only auth mechanism for the site (via either Twitter or GitHub's IdP). There's only a few ways to implement CSRF-less and cross domain credential proxying and JWT is one of them. I don't necessarily agree with JWT, since by the time you get done implementing revocation and audit logging, you're just a hop and a skip from just having the IdP store "session" since at the end of the day either the JWT itself or a token wrappered with a cookie represents the user's identity to the application. If you're not facebook or some other huge platform with potentially a gazillion identity verification requests per second, signed JWT doesn't save you much compute anyway since it's expensive to generate the token signature vs. just having the IdP do a session lookup against something fast like Redis. On the other hand, you're not autospewing the contents of your cookie jar on every request to that domain either.