bebop | 1 year ago

I would add two pros of JWTs (I guess OAuth 2 and OIDC more specifically):

1. It standardizes your auth system. While session auth is mostly implemented in the same way across systems, learning OAuth and OIDC gives you a standard across the industry.

2. JWTs give an easy path to make "front end" applications and API authentication work in the same way. This in theory reduces your security surface area, as all of your authnz code can be shared across your offerings.

andoando | 1 year ago

3. Easy to implement.
4. Don't need to hit the DB.
5. Can store some information with the claims, which is very convenient.

pests | 1 year ago

How do you revoke tokens if one gets leaked without hitting a DB? How long are your users vulnerable to attack?
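The trade-off raised in the two comments above (no DB lookup per request versus the ability to revoke a leaked token) can be made concrete with a minimal HS256 JWT issuer and verifier. This is an added example, not code from any commenter; the secret key, the user names, the `jti` values and the timestamps are constructed for the demo, and the `revoked_jtis` set stands in for whatever store a deployment would consult.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real deployment would use a random high-entropy key.
SECRET = b"demo-secret-key-not-for-production"


def _b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    """Reverse of _b64url: restore padding before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, jti: str, ttl_seconds: int, now: int) -> str:
    """Issue an HS256 JWT with subject, unique id (jti), issued-at and expiry."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": sub, "jti": jti, "iat": now, "exp": now + ttl_seconds}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(payload)}"
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_token(token: str, now: int,
                 revoked_jtis: Optional[set] = None) -> Optional[dict]:
    """Return the claims if the token is authentic, unexpired and not revoked.

    With revoked_jtis=None the check is fully stateless (no DB hit), which is
    exactly why a leaked token stays usable until its exp claim passes.
    Passing a revocation set reintroduces one lookup per request.
    """
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    payload = json.loads(_b64url_decode(p))
    if now >= payload["exp"]:
        return None
    if revoked_jtis is not None and payload.get("jti") in revoked_jtis:
        return None
    return payload


def seconds_at_risk(token: str, leak_time: int) -> int:
    """How long a token leaked at leak_time remains usable with stateless checks only."""
    _, p, _ = token.split(".")
    payload = json.loads(_b64url_decode(p))
    return max(0, payload["exp"] - leak_time)


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed clock value
    tok = issue_token("alice", "tok-001", ttl_seconds=900, now=t0)
    print("valid now:", verify_token(tok, t0 + 10) is not None)
    print("leaked at +60s, usable for", seconds_at_risk(tok, t0 + 60), "more seconds")
    print("valid with revocation set:", verify_token(tok, t0 + 10, {"tok-001"}) is not None)
```

The `seconds_at_risk` value is the direct answer to "how long are your users vulnerable" when verification is purely stateless: it equals the remaining lifetime of the token, so the only stateless lever is a short `exp`. Anything shorter than that requires the `revoked_jtis` lookup, i.e. hitting some store on each request.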

tracker1 | 1 year ago

I'd add that it's easier to abstract your software service from authentication. It's allowed me to write bridge signing from AzureAD, Okta, etc. to a supported application deployed to differing environments on client hardware, readily integrating with different SSO systems.

treve | 1 year ago

OAuth2 has no dependency on JWT, and _most_ authentication cases don't need OIDC; OAuth2 is enough.