To JWT or not to JWT
This article is part of my #100DaysOfCode and #100DaysOfBlogging challenge. R1D17
At IPC 2019, authentication and authorization was one of the two most interesting topics (event sourcing being the second). Sessions compared traditional authentication with JWT, looked at WebAuthn as a possible future technology that requires no passwords for registration or login, discussed using an identity provider instead of implementing our own processes over and over again, and showed less common applications of web tokens, like physically opening doors.
- Knock knock, who’s there? Authenticating your Single Page Apps using JSON Web Tokens by Sam Bellen
- The Future of Authentication – WebAuthn with PHP by Arne Blankerts
- Why you shouldn’t care about Security by Ben Dechrai
- Opening Doors with JSON Web Tokens by Ben Dechrai
JWT - just a hype?
Today Gregoire Pineau published an article, "Why you don’t need JWT", in which he basically declares JWT to be hype and says Basic Auth provides a simpler solution to the same problem (in most scenarios).
But most of the time, you don’t need JWT, and your project will be simpler if you can resist to hype by refusing to use it.
JWT adds complexity
Now, JWT is not trivial. The process, purpose and usage of JWT, JWS and JWE, as well as access tokens and refresh tokens, take some time to grasp. This complexity is probably why JWT is so often misused, which is one of the arguments made against using it.
Gregoire lists in his post the following complexity points:
- Usage of private and public key. Like all other secrets, it’s always hard to keep them really secret.
- No revocation of valid tokens, adding the need for e.g. white-/blacklisting.
- Short validity requires reconnect via refresh tokens.
- No native JWT implementation in Symfony.
Alternatives
In his post, Gregoire demos an alternative solution by putting HTTP basic auth to work. In Symfony, this can be done without any external dependencies. Another solution could be PASETO (Platform-Agnostic Security Tokens).
Conclusion
The article and security issues make valid points on why to avoid JWT. I have to do some further reading, to fully understand whether the flaw is really in the design or implementation of JWT. What impresses me about JWT is a self-validating token and user storage which could make accessing the user database unnecessary in many scenarios.
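The trade-off between the self-validating token described above and the revocation and short-validity points in Gregoire's list, as an added example that is not code from this article or from Gregoire's post: a standard-library verifier that trusts the claims without a user database, next to the server-side `jti` denylist that revocation brings back. Assumptions: the secret, claim values and function names are constructed for illustration, and HS256 with a shared secret stands in for the private/public key setup so the block needs no external library.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"  # constructed value, not a real key
REVOKED_JTI = set()  # server-side denylist: the state a self-validating token avoids

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue(sub: str, jti: str, ttl: int, now: int) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64url(json.dumps({"sub": sub, "jti": jti, "exp": now + ttl}).encode())
    return f"{header}.{claims}.{b64url(sign(header + '.' + claims))}"

def verify(token: str, now: int, check_denylist: bool = True) -> dict:
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(claims_b64))
        sig = b64url_decode(sig_b64)
    except ValueError as exc:  # wrong part count, bad base64, bad JSON
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    # Pin the algorithm on the server; never let the token header choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    if not hmac.compare_digest(sig, sign(header_b64 + "." + claims_b64)):
        raise ValueError("bad signature")
    # From here on the claims are trusted without any database lookup.
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise ValueError("expired")
    # Revocation before `exp` is only possible with shared server-side state.
    if check_denylist and claims.get("jti") in REVOKED_JTI:
        raise ValueError("revoked")
    return claims
```

With `check_denylist=False` a revoked token is still accepted until its `exp`, which is why short validity and refresh tokens appear together with revocation in the list above.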