by sytringy05 2934 days ago
No, I meant in the context of server to server comms, as well as end user authn/authz.

I would say that jwt is becoming the standard for s2s. I’ve personally worked with a dozen or so corporate APIs that use it and basically all the Microsoft Azure / 365 services are secured with jwt.

I’m intrigued by macaroon because as tptacek points out JWT is easy to get wrong, you’ve got to deserialize json before you can authenticate the request and it’s also tempting to stuff all manner of things into the token claims.
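For the single-key HS256 case raised above, a verifier can check the MAC over the raw compact-serialised bytes and pin the algorithm before it parses any JSON, and reject everything else; this is an added illustration written for this thread, not code from any commenter, and the key and claims in it are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real service would load this from a key store.
SECRET = b"constructed-demo-key-not-for-production"
ALLOWED_ALG = "HS256"  # fixed by the verifier, never read from the token


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint(claims: dict, alg: str = ALLOWED_ALG) -> str:
    """Issue a token; only used here to construct sample input for verify()."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify(token: str, now=None):
    """Authenticate the token over its raw bytes, then parse. Returns the
    claims dict on success, otherwise None (no partial results)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        # Only after the MAC has passed do we touch JSON at all, and the
        # header must agree with the pinned algorithm rather than choose it.
        header = json.loads(b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != ALLOWED_ALG:
            return None
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:  # bad base64, bad UTF-8 or bad JSON all land here
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), (int, float)):
        return None
    if (time.time() if now is None else now) >= claims["exp"]:
        return None
    return claims
```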


Huh, yeah that's interesting, thanks. I'm obviously way behind the state of the art in JWT-hating.

FWIW, this matches my experience. Large new enterprise systems have JWT all over the place.

My first pass counterargument to this is: great! You also have FAANG’s security budget and know how to find and resolve bugs like the FB OAuth2.0 tokens being replayable from 1 relying party to another, right? No? Oh.

The general subtext being: that’s nice but you know nothing of their rationale, underlying work that went into securing it, etc; so if you’re picking up a token metaformat without the massive work behind it, you’re just cargo culting.

Yep, that makes sense. I'm having a bit of a 'oh, so that's why' moment while also feeling a little envious of a subfield where 'the inadequate size of your budget' is a viable starting point for a constructive conversation with a client.

That's an argument from/with random people on the Internet, not clients. The nice thing about being around clients for a long time is that you build a working relationship with them based on mutual trust and respect.

That said, adequately informing clients of risk and dissuading them from nightmare projects they don't realize are nightmare projects yet is doing your clients a service. Sometimes that means advising them to avoid a feature. Sometimes it means implementing something slightly differently. Most of the time it's not even a trade-off. People use JWTs with just user ids in them, but not necessarily for any particular technical/philosophical reason that you have to address first :-)

Hah, yes it was a dumb joke more than anything else. I do want to tip my hat and encourage you to write more of these, they are materially useful as reference in places beyond message board threads and contrived 'worst client ever' quips.

I agree, this sort of discussion is invaluable. Thanks!