I thought we decided that JWT is snake oil and we should not use it?
JWT could work in theory, but it’s a near certainty you’ll have implementation bugs or something else will go wrong. I would avoid.
Can either of you cite or explain why you think JWTs are a poor choice for securing an API?
Thanks for the link. Having briefly googled, I found other security consultants (including Patagonie who is actually on that PR thread) who have blasted JWTs, but only concrete details of implementation bugs. What I don’t understand is why this particular security consultant along with others think that the specification and RFCs are not valid or secure (as otherwise, I can only imagine to have improved implementations over time). I’m no cryptographer by any means, but as someone just in the middle of an auth system redesign (adding APIs to the mix of our more old-fashioned stateful webapps), I’m very concerned as to whether or not there is something to be concerned about.
Oh, found another reference. (I happened to have the bug link handy.)
The short version is maybe you can do JWT right, but it’s designed to provide as many opportunities for things to go wrong as possible. That rarely works out well in practice.
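As an added illustration of the "opportunities for things to go wrong" point (this is example code, not anything posted in the thread and not any library's implementation): a minimal HS256 JWT signer plus two verifiers, standard library only. The first verifier lets the token's own `alg` header choose how it is checked, so a forged `alg=none` token is accepted; the second pins the algorithm on the verifier side, checks the signature before reading any claim, and requires an `exp`. The key, claims and timestamps are made up for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Optional

# Constructed demo secret; a real deployment would load this from a secret store.
DEMO_KEY = b"server-secret-for-demo-only"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT strips the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce a compact JWS (header.payload.signature) with HMAC-SHA256."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def forge_none_token(claims: dict) -> str:
    """Attacker-side: an unsigned token whose header asks for alg 'none'."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def verify_trusting_header(token: str, key: bytes) -> dict:
    """Naive verifier: the token's own header decides how it is verified."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    alg = header.get("alg")
    if alg == "none":
        # The trap: 'none' is a legal JOSE algorithm, and here it means "no check".
        return json.loads(_b64url_decode(payload_b64))
    if alg == "HS256":
        expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return json.loads(_b64url_decode(payload_b64))
    raise ValueError("bad signature")


def verify_pinned(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """Hardened verifier: algorithm fixed by the verifier, signature checked before claims are used."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Reject anything the verifier did not decide on itself, 'none' included.
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if "exp" not in claims or current >= claims["exp"]:
        raise ValueError("expired or missing exp")
    return claims


def rejected(verifier: Callable[..., dict], token: str, key: bytes, **kw) -> bool:
    """True if the verifier refuses the token (convenience for checks below)."""
    try:
        verifier(token, key, **kw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    good = sign_hs256({"sub": "alice", "exp": 2_000_000_000}, DEMO_KEY)
    forged = forge_none_token({"sub": "admin", "exp": 2_000_000_000})
    print("naive accepts forged:", not rejected(verify_trusting_header, forged, DEMO_KEY))
    print("pinned accepts forged:", not rejected(verify_pinned, forged, DEMO_KEY, now=1000))
    print("pinned accepts genuine:", verify_pinned(good, DEMO_KEY, now=1000)["sub"])
```

The naive verifier is not a strawman: it is the literal reading of the JWS header, which is why "pin the algorithm on the verifier, never on the token" is the first check a reviewer looks for in any JWT-consuming code.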