
Strategies for implementing user authentication in serverless applications - kiyanwang
https://serverless.com/blog/strategies-implementing-user-authentication-serverless-applications/
======
ChrisSD
I find it slightly bemusing to hear JWT called "a growing favorite for
serverless projects". I thought we'd passed the favourites phase years ago and
now we're on to the backlash phase.

Or maybe that's just HN?

~~~
lwansbrough
Not sure what there is to backlash against with JWT, when implemented
correctly.

~~~
upzone3
One of the biggest issues is revocation, i.e. you can’t. Sure, you can always
keep track of JWTs and refuse to accept ones that have been revoked, but
congratulations, you’ve just invented session tokens (albeit more
complicated).

~~~
Doxin
A slightly more sensible revocation scheme would be to keep a counter attached
to the user in the database. For the cost of a single int in your database you
can bulk invalidate all the tokens for a specific user: just increment the
counter and make sure to not accept tokens with the counter too high or too
low.

But yeah at that point you might as well go for session tokens as you need a
db request anyways.
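
The counter-based revocation scheme Doxin describes, worked through as an added example (this is editor-supplied code, not from the thread or from the linked Serverless blog post). It mints and verifies HS256 JWTs with only the standard library so it runs offline; the in-memory `USERS` dict, the `SECRET` key and the claim name `ver` are constructed stand-ins for a real user table, key store and claim naming convention:

```python
"""Added example: revoking JWTs with a per-user token version counter.

A "ver" claim is stamped into every token at issue time.  On verification the
claim must equal the user's current counter; incrementing the counter therefore
invalidates every token issued before the bump at the cost of one integer write.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed for this example; a real service reads the key from a key store.
SECRET = b"example-signing-key-not-for-production"

# Constructed stand-in for the users table.  "token_version" is the counter
# Doxin proposes: one int per user.
USERS = {"alice": {"token_version": 1}}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(sub: str, ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    """Issue an HS256 JWT carrying the user's current token_version as "ver"."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": sub,
        "ver": USERS[sub]["token_version"],
        "iat": int(now),
        "exp": int(now) + ttl_seconds,
    }
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the token is valid, otherwise None.

    Order of checks: structure, algorithm pinning, constant-time HMAC compare,
    expiry, then the version counter against the user record.  That last
    lookup is the one database read per request the scheme costs.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h64, p64, s64 = parts
    try:
        header = json.loads(_b64url_decode(h64))
        payload = json.loads(_b64url_decode(p64))
        sig = _b64url_decode(s64)
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None
    # Pin the algorithm server-side; never let the token choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(SECRET, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    if not isinstance(payload, dict):
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    user = USERS.get(payload.get("sub"))
    if user is None:
        return None
    # Doxin's counter check: "too low" means revoked, "too high" is not a value
    # this server ever issued, so only an exact match is accepted.
    if payload.get("ver") != user["token_version"]:
        return None
    return payload


def revoke_all_sessions(sub: str) -> None:
    """Bulk-invalidate every outstanding token for the user: one integer write."""
    USERS[sub]["token_version"] += 1
```

Note that `revoke_all_sessions` is all-or-nothing for a user: it cannot revoke a single device's token without logging out the others. Per-token revocation needs a per-token record, which is the point at which, as the thread says, you have reinvented server-side sessions.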

