
Auth with JSON Web Tokens - jpdlla
http://jpadilla.com/post/73791304724/auth-with-json-web-tokens
======
sunir
I still don't understand the benefit of JSON Web Tokens over cookies after
reading this and the associated blog post by Alberto Pose

[http://blog.auth0.com/2014/01/07/angularjs-authentication-
wi...](http://blog.auth0.com/2014/01/07/angularjs-authentication-with-cookies-
vs-token/)

They seem like they are recreating the cookie mechanism using browser local
storage and HTTP Authenticate headers, but without any of the associated
browser security. I guess the use case would be when you want use a cookie
across domains...?

Aren't cookies restricted for a reason? Can't anyone who can execute JS on
that domain can swipe the JWT token out of storage and then impersonate the
user?

One reasonable use case for JWT is to replace SAML assertions for single-sign
on (SSO) from one web application to another, like Zendesk is doing:

[https://support.zendesk.com/entries/23675367-Setting-up-
sing...](https://support.zendesk.com/entries/23675367-Setting-up-single-sign-
on-with-JWT-JSON-Web-Token-)

Here, the JWT is stored not in the browser but on the server in the app trying
to SSO with the identity provider (in this case Zendesk).

~~~
woloski
Hey, Matias founder of Auth0 ([https://www.auth0.com](https://www.auth0.com))
here (we wrote the original article).

re: cookies vs xss. Expanding on sil3ntmac comment, based on my experience,
it's easier to protect against XSS than protecting against CSRF. For CSRF you
have to be aware of: set your cookies to HttpOnly and have a xsrf mechanism in
place (which is not straightforward and not the default in many web
frameworks, even worse if you start combining technologies). For XSS, you just
need to make sure any input is sanitized, which usually most of the web
frameworks provide something built-in.

Another interesting side effect of using JWT is that now you have a good
cross-platform authentication mechanism that can cross boundaries. You can
also achieve that with cookies, but you have to find the same implementation
on different frameworks. We talk about this in this blog post about socket.io
and json web tokens where it's very common to find PHP and node.js mixed.

[http://blog.auth0.com/2014/01/15/auth-with-socket-
io/](http://blog.auth0.com/2014/01/15/auth-with-socket-io/)

We will write follow up blog posts about pros/cons, because as usual there is
no silver bullet.

------
brissmyr
Worth mentioning is that JWT is used in the OpenID Connect standard, which is
built on top of OAuth 2) for the authentication part. We use it in
[https://userbin.com](https://userbin.com) to smoothly transfer user sessions
between different platforms. Previously we used to roll our own
(de-)serialization, signing, session expiration and encryption schemes, but
JWT solves a lot of pain and makes it more obvious for developers to
understand how this part of our authentication flow works, and are able to use
the JWT libraries available in most programming languages.

~~~
aduth
Aside from the specifications, are there any resources you would recommend for
implementing OpenID Connect? The results of a quick Google search are
relatively sparse.

------
jessaustin
Much clearer than the various Internet-Drafts; thanks!

