JWT Endpoints

[aarondl]

We should have endpoints that can create (or optionally create) JWT tokens instead of what we do now which is simply use HTTP responses everywhere.

[codelitt]

This is worth a read around the security issues with JWT: http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/

Also Thomas Ptacek (former Monsanto founder) here on JWT: https://storify.com/jcuid/thomas-h-ptacek-don-t-use-json-web-tokens

[aarondl]

@codelitt I will get to reading these. I do want to know what the alternative is though. We do need to have some mechanism for APIs to authorize themselves.

[aarondl]

(Actually I've already read the second one and it's just complaining about a security vulnerability that was fixed ages ago in Go's main JWT library). Will read the first one ;)

[codelitt]

This thread as well as main article are worth a read - https://news.ycombinator.com/item?id=13865459

There are a few issues with JWT - vulnerabilities, unneeded complexity, bad crypto, and stateless tokens which are unnecessarily difficult to revoke. Both tptacek and technion bring up some good points. There are enough crytpo and security experts (smarter than me) saying don't use it with vigor to put enough serious doubts in my mind.

With that said, I can start putting together some alternatives.

PS - I don't mean to be a naysayer. I just have a vested interest in Authboss being as secure as possible as we have applications using it.

[aarondl]

@codelitt Hey, hoping to start back on regular efforts towards the 2.0 milestone. Wanted to touch base with you guys and share some upcoming plans for Authboss 2.0 and ensure it's going to work for you guys going forward since you seem to be fairly interested. Not sure what the best forum for that is, could do a Hangout or Gitter or what have you.

I also wanted to mention that JWT is as optional as optional pieces come. It's all pluggable in AB as you've noticed, and it's going to stay that way :)

[codelitt]

Ya. I would be happy to jump on a Hangout or similar. Would be best for me next week though. My email is cody@{my github username}.com if you want to set something up.

[kaiomagalhaes]

Yeah would be happy with Hangouts as well. My email is me@{my github name}.com

[codelitt]

@kaiomagalhaes ya man. Check your work email. I cced you on a thread.

[PManager1]

so are we still going to provide jwt token based auth ?

[aarondl]

That's the plan yes. It's opt-in as most things are in authboss so it won't deter anyone from using it if they want to.

[aarondl]

Not implementing in core.

[kockok]

Hello, is jwt ready?? Or you have no plans to implement it.

[aarondl]

My previous comment says: "Not implementing in core." meaning I am not only not planning to do this, I am actively against putting this in the core of authboss.