JWTs: A secure and stateless way to implement authentication (opens in new tab)

(medium.com)

14 pointsDirak7y ago6 comments

6 comments

3 comments · 1 top-level

DirakOP7y ago· 2 in thread

This article serves as a rebuttal to http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-fo.... It deconstructs each criticism presented and explains why JWTs are a secure and elegant solution to authentication. It also goes over how one would go about implementing authentication securely using JWTs with Node + Express + Passport.js.

chii7y ago

The biggest criticism from the original article is that you are unable to revoke jwt individually. This was not debunked nor mentioned (unless I blind and didn't see it, in which case I apologize).

nerdwaller7y ago

There’s nothing really stopping you from revoking a JWT individually - simply keep the `jti` (or any arbitrary claim) in memcached/redis/etc and check it. Obviously it’s no longer stateless and gives up some of the benefits of a JWT, but it’s a solution if revocation is a business requirement.

Like everything, there’s no silver bullet (JWT vs random string token) - business requirements dictate which makes sense.

1 more reply

j / k navigate · click thread line to collapse