
Secure APIs Deployed to Kubernetes with OAuth2 Using JWT Tokens Leased by Vault - matyix
https://banzaicloud.com/blog/oauth2-vault/
======
benmmurphy
don't people use JWT because they don't want to have some external dependency
like a database. i'm not sure what using JWT + storing authentication state in
a database gives you. couldn't it just be easier to store the authentication
state in the database and give the user a 128 bit random token pointing to the
state. if you are worried about someone compromising the DB you can also key
the lookup by cryptographic hash instead of the storing the plaintext token.

~~~
matyix
We use JWT because the user data is already stored upfront (w/out needing to
check a database) and it’s a well defined storage mechanism. With Vault we
check only the token ID not the full token, so it’s not a heavyweight select.
On the other hand we have 3rd party (used internally) systems using the same
mechanism (e.g. Drone).

~~~
givehimagun
But then you have to handle expiration and revocation synchronously. Is the
extra network + cpu to unmarshal a token that much of a savings over 1 redis
call on the server for the user details?

------
matyix
The Helm chart with role binding and service account support to deploy Vault
is open sourced as well.

------
zie
We do something very similar, tho we don't use JWT, just a token, and store
the userID in the KV store.

How do you handle cleaning up the vault KV store? We have a separate process
that runs around cleaning up old tokens, but am open to a better way.

~~~
ah-
Vault does the expiration/cleaning up for you.

~~~
zie
You are mistaken: "Even with a ttl set, the secrets engine never removes data
on its own. The ttl key is merely advisory." -
[https://www.vaultproject.io/docs/secrets/kv/index.html](https://www.vaultproject.io/docs/secrets/kv/index.html)
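
The two points raised in this thread, an opaque random token looked up by its hash (benmmurphy's suggestion) and a store whose TTL is only advisory so expiry has to be enforced by the application (zie's point about Vault KV), fit in one small example. This is added illustration, not code from the blog post or from any commenter; it assumes an in-memory dict as a stand-in for the real backing store (DB, Redis or Vault KV) and an injectable clock so expiry can be exercised deterministically.

```python
import hashlib
import secrets
import time


def new_token() -> str:
    """Opaque 128-bit random token (16 bytes, URL-safe encoding)."""
    return secrets.token_urlsafe(16)


def token_key(token: str) -> str:
    """Lookup key is SHA-256 of the token; the plaintext is never stored,
    so a dump of the store cannot be replayed as bearer tokens."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class SessionStore:
    """Hypothetical in-memory stand-in for a DB / Redis / Vault KV backend.

    The backend is assumed NOT to expire rows on its own (as with Vault KV's
    advisory ttl), so expiry is enforced on read and by an explicit sweep.
    """

    def __init__(self, ttl_seconds: int, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable for tests; defaults to wall clock
        self._rows = {}     # sha256(token) -> {"user_id", "expires_at"}

    def issue(self, user_id: str) -> str:
        """Create a session, store only the token's hash, return the token."""
        token = new_token()
        self._rows[token_key(token)] = {
            "user_id": user_id,
            "expires_at": self.clock() + self.ttl,
        }
        return token

    def lookup(self, token: str):
        """Resolve a presented token to a user id, or None if unknown/expired."""
        key = token_key(token)
        row = self._rows.get(key)
        if row is None:
            return None
        if row["expires_at"] <= self.clock():
            # Enforce TTL on read; the backend won't do it for us.
            del self._rows[key]
            return None
        return row["user_id"]

    def revoke(self, token: str) -> bool:
        """Synchronous revocation: one delete, effective immediately."""
        return self._rows.pop(token_key(token), None) is not None

    def sweep(self) -> int:
        """Background cleanup of rows whose TTL has passed; returns count removed."""
        now = self.clock()
        stale = [k for k, r in self._rows.items() if r["expires_at"] <= now]
        for k in stale:
            del self._rows[k]
        return len(stale)

    def __len__(self) -> int:
        return len(self._rows)


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=3600)
    tok = store.issue("alice")
    print("issued token:", tok)
    print("lookup ->", store.lookup(tok))
    print("revoked:", store.revoke(tok), "lookup after revoke ->", store.lookup(tok))
```

The sweep is what zie's "separate process" does; the check in `lookup` is what keeps a missed or delayed sweep from letting an expired session through in the meantime.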

------
justonepost
Interesting, but you could just rely on short expiry with refresh as well.

------
tty7
Nice! I'm looking at doing something similar

