DEV Community

Discussion on: React authentication, simplified

Warren Parad (wparad) • Edited

Need to be careful of a couple of things:

  • Article suggests using the Auth0 jsonwebtoken library, but this one doesn't actually support all the necessary token types
  • Specifically it seems that UserFront creates RSA tokens, when this is no longer the best solution. It may be good to check out the alternatives to see if one of the standard SaaS solutions does provide this
  • The JWT in the article isn't a valid access token according to the OpenID specification. This is a pretty common problem which makes it impossible for clients and users to integrate effectively. It should look something like this:
{
  "iss": "https://authress.io",
  "sub": "user_100822687410662214374",
  "iat": 1620125048,
  "exp": 1620211448,
  "scope": "openid profile email",
  "azp": "api.authress.io",
  "client_id": "9fe39cec",
  "aud": [
    "accounts.api.authress.io"
  ]
}
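As an added illustration of why the claim shape above matters to a consumer of the token (this is example code, not from the article, Userfront, or the commenter): a resource server that validates an access token has to pin the algorithm, check the signature, and then check `iss`, `aud` (which may be a string or an array, as in the sample), `exp` and `iat`. The claims are the ones from the comment; the HS256 secret and the timestamps passed as `now` are constructed for the demo, and HS256 is used only so the block runs with the standard library.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this demo only; a real issuer would use an asymmetric key pair.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"

REQUIRED_CLAIMS = ("iss", "sub", "iat", "exp", "aud")


def sample_claims() -> dict:
    """The access-token claim set quoted in the comment above."""
    return {
        "iss": "https://authress.io",
        "sub": "user_100822687410662214374",
        "iat": 1620125048,
        "exp": 1620211448,
        "scope": "openid profile email",
        "azp": "api.authress.io",
        "client_id": "9fe39cec",
        "aud": ["accounts.api.authress.io"],
    }


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Build a compact JWS (header.payload.signature) signed with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def validate_access_token(token: str, secret: bytes, expected_iss: str,
                          expected_aud: str, now=None, leeway: int = 0):
    """Return (True, claims) when the token is acceptable, else (False, reason)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm on the verifier side; never trust the token's own choice.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected_sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(p))
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        return False, f"missing claims: {missing}"
    if claims["iss"] != expected_iss:
        return False, "issuer mismatch"
    # "aud" is allowed to be a single string or an array of strings.
    aud = claims["aud"]
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        return False, "audience mismatch"
    if claims["exp"] + leeway < now:
        return False, "expired"
    if claims["iat"] - leeway > now:
        return False, "issued in the future"
    return True, claims


if __name__ == "__main__":
    tok = mint_hs256(sample_claims(), DEMO_SECRET)
    print(validate_access_token(tok, DEMO_SECRET, "https://authress.io",
                                "accounts.api.authress.io", now=1620125148))
```

A token that carries only a bare `userId` and no `iss`/`aud`/`exp` fails the `missing claims` branch of this validator, which is the integration problem the comment is pointing at: a standard OpenID-style consumer has nothing to bind the token to an issuer or an audience.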
Tyler Warnock (tyrw) • Edited

Thanks for your thoughtful response @wparad!

For context, we are building Userfront for simplicity and usability in the vast majority of use cases. In doing so, we use defaults like userId instead of sub so that it makes sense to most developers without having to delve into confusing terminology. We will eventually introduce the ability to format tokens to different standards for specific use cases like you mentioned, but for now we present it as simply as possible. It's worth pointing out that all are valid JWTs according to the JWT specification.

Would love to hear more about your comments on the jsonwebtoken library. It is easily the most popular library and why we recommend it. What do you not like about it?

For RSA, that is the NSA's recommendation, so that's what we use. You'll have a tough time convincing us otherwise!