What is Any Forums's opinion on jsonwebtoken? Do you find it secure?

I use it and put my trust in it, but I know nothing

it's literally made by auth0

They're perfectly fine if they fit your use case. I find myself reaching for paseto tokens more often though.

>is encrypted text secure?

In browser applications with distributed backend architectures, JWTs are okay for very narrow uses. People use them for more than they should. For native mobile clients they are more necessary, but have fewer security gotchas.

Do you think base64 is encryption? JWTs are signed and encoded, not encrypted.

it's about the expiry and refresh times. make sure they're configured correctly and all's good.

>commonjs module

wait, you unironically prefer JWS to JWE? lol

>you unironically prefer JWS to JWE?
I don't "prefer" them, but they're almost always what people are referring to when they talk about JWTs

So OP is asking
>is signed text secure?
did i get that right?

"alg": "none"

Security is for pussy.

Yes

>signed text
explain

JWTs are base64-encoded JSON objects with a cryptographic signature appended.

en.wikipedia.org/wiki/Digital_signature

JWT is overkill for most use cases where a simple session token would have been more than adequate. The single benefit they offer is usually offset by the downsides.

>JSON
No. Why don't they use binary? Binary web token

What are the downsides?

Why would it matter? They're tiny.

The biggest problem is that once you've issued a JWT there's no way to revoke it; it remains valid until expiration. If somebody manages to obtain a JWT through malicious means, there's no way to prevent them from using it, whereas with a simpler session token you can just revoke it once discovered. If you wanted to, you could have your systems check JWTs against a revocation list, but that would defeat the whole purpose of using a JWT in the first place.

this is true but you can also put an ID claim in a JWT and revoke based on that

I have been a developer for years and I still don't understand auth

The point of a JWT is to allow the data within to be trusted without having to check with a central authority. If any part of the data within needs to be verified, then what's the point of using the JWT? Just use a session token.