undefined | Better HN

0 pointsjameshart8y ago0 comments

Apologies for misattribution :)

So yes, this is precisely the problem with sending the message 'JWT is bad' when what you really want to send is 'bearer tokens are bad (and JWT is a badly designed bearer token)'.

I am reminded of the situation a few years ago where the message 'stop hashing/salting passwords with SHA1' got widely interpreted as 'Okay, I'll salt and hash with SHA256', when the real message that was needed was to use bcrypt.

But this time I'm not sure there's a bcrypt, yet.

0 comments

4 comments · 1 top-level

tptacek8y ago· 3 in thread

That argument doesn't work, because JWT isn't just a "bearer token". It's also potentially an asymmetric token, or any other mechanism someone tries to shoehorn into it next week. That's one of the problems with metaformats.

This post isn't a comprehensive argument against JWTs and isn't intended to be. We can't have the conversation about JWT in earnest until we understand the problem domain.

jameshartOP8y ago

I'm not really looking for a comprehensive argument against JWTs (they're a terrible solution to the wrong problem is a reasonable enough argument); I am looking for a path to move the conversation forward from 'Well OAuth2 supports JWTs as a way to authenticate without making a callback to the auth server, and we know we shouldn't try to roll our own scheme so HMAC(timestamp) seems a bit hacky, and macaroons seem halfbaked, and cert management gives me nightmares, so isn't just using what OAuth2 provides the safest option? After all, everybody else is doing it...'

pvg8y ago

We can't have the conversation about JWT in earnest until we understand the problem domain.

That you're taking it from there is really interesting. Are you finding a lot of JWT use when there's also some S2S auth setup?

sytringy058y ago

Everybody is doing it (at least where I'm from). There's good framework/vendor support for OAuth 2 and JWT breaks the nexus between the services and the magic auth server that must be called on each and every request.

Even with the horrors of the implementation ({"alg": "none"}) It's a risk that many organisations are willing to take.

1 more reply

j / k navigate · click thread line to collapse