Long-time software architect, CTO Authress, creating application security plug-ins for any software application with Authress. Talk to me about security in microservices or service authorization.
Need to be careful of a couple of things:
- Article suggests using the Auth0 jsonwebtoken library, but this one doesn't actually support all the necessary token types.
- Specifically it seems that UserFront creates RSA tokens, when this is no longer the best solution. It may be good to check out the alternatives to see if one of the standard SaaS solutions does provide this.
- The JWT in the article isn't a valid access token according to the OpenID specification. This is a pretty common problem which makes it impossible for clients and users to integrate effectively. It should look something like this:
Thanks for your thoughtful response @wparad!

For context, we are building Userfront for simplicity and usability in the vast majority of use cases. In doing so, we use defaults like `userId` instead of `sub` so that it makes sense to most developers without having to delve into confusing terminology. We will eventually introduce the ability to format tokens to different standards for specific use cases like you mentioned, but for now we present it as simply as possible. It's worth pointing out that all are valid JWTs according to the JWT specification.

Would love to hear more about your comments on the `jsonwebtoken` library. It is easily the most popular library and why we recommend it. What do you not like about it?

For RSA, that is the NSA's recommendation, so that's what we use. You'll have a tough time convincing us otherwise!