
Why avoid JWT? Has there been some new development regarding it that makes it unsuitable for auth? I just started using it in a new app...

That recommendation is due to JWT not taking revocation into account at all, if I remember tptacek's stance correctly. Personally, I agree.

This has been discussed on HN before and I remember talk about using "fancy" stuff like Bloom filters but as far as I know, no library offers anything for this out of the box and this is not something you want to roll yourself.

The recommendation seems to be using an encrypted cookie, with some format other than JWT.

Which is fine and well. But how does that take revocation into account?

You can store a token on the client side, in ANY format. The problem remains that you're either storing some server-side state about that token, or you aren't. If you are, then you're not really using client-side sessions. If you aren't, then you still don't have a good way to revoke. Because you can't really control the client-side after you've issued a token, and you can't revoke it from the server-side without state.

I'm sure there are good arguments to be made against the use of JWT. But there simply aren't any to be found in this thread, and no alternative client-side proposal that solves the revocation problem.

Lack of revocation is actually pretty far down my list of reasons, but it's a very common complaint other people have about JWT that I also agree with.

Revocation was something I did consider, but I am just using a user's password hash as the token key, that way when the user changes his password, all previous tokens are invalidated.
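The scheme in the comment above, sketched as an added example that is not part of the thread or any commenter's code: a signed token whose MAC key is derived from the user's stored password hash, so a password change invalidates every earlier token. The token layout, the `USERS` store, and mixing in a `SERVER_SECRET` (so that a leaked password hash alone cannot forge tokens) are assumptions of this sketch.

```python
import base64, hashlib, hmac, json, time

SERVER_SECRET = b"constructed-demo-secret"  # constructed; keep in a secret store
# Constructed user store: user id -> stored password hash (placeholder strings)
USERS = {"alice": "constructed-hash-v1"}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _user_key(user: str) -> bytes:
    # Per-user MAC key; it changes whenever the stored password hash changes.
    # SERVER_SECRET is mixed in (assumption of this example) so the password
    # hash by itself is not the signing key.
    return hmac.new(SERVER_SECRET, USERS[user].encode(), hashlib.sha256).digest()

def issue(user: str, ttl: int = 3600, now=None) -> str:
    now = time.time() if now is None else now
    body = _b64(json.dumps({"sub": user, "exp": int(now) + ttl}).encode())
    tag = _b64(hmac.new(_user_key(user), body.encode(), hashlib.sha256).digest())
    return body + "." + tag

def verify(token: str, now=None):
    """Return the user id if the token is valid and unexpired, else None."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".")
        claims = json.loads(_unb64(body))   # unauthenticated until the MAC checks out
        user, exp = claims["sub"], claims["exp"]
        key = _user_key(user)               # server-side lookup on every request
    except (ValueError, KeyError, TypeError):
        return None
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    return user if now < exp else None
```

Revocation here is all-or-nothing per user, and `verify` has to read the current password hash on every request, which is the server-side state the earlier comment describes.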

Can you remember where this was discussed? I was under the impression that JWT was becoming a new standard for many people. I guess that's not mutually exclusive to it being bad, but I would like to read more.

JWT is popular with application developers. I think that's because it's cross-stack. Rails developers already have solutions for 95% of the problems JWT solves in the real world. So do Django developers, and so do Go developers, and so do PHP developers. But there's no lingua franca for this problem.

Developers would like there to be one. Unfortunately, they've chosen a terrible standard --- just really, really bad --- to run with. You are better off doing something by hand than using JWT. If you're at all familiar with my oeuvre on HN: that's how bad JWT is. I think you might seriously be better off DIY.

This is at least one discussion:

