| HN Mirror

Y	Hacker News new \| ask \| show \| jobs

by Lazare 1863 days ago

The point is that you probably don't want a truly stateless backend.

What you probably want is to store a small amount of critical state in a very fast, very scalable KVS, allowing most of the backend to be stateless.

So much of the discussion around JWTs boils down to "I want a stateful backend, how do I use JWTs for this?" (Answer: Not well. Why use JWTs?) Or "I have implemented a stateless backend, I'm using JWTs, how do I work around the limitations inherent in being stateless without adding state?" (Answer: You can't. Why are you using a stateless backend?)

That being said, if you really DO want a JWT replacement: PASETO, Fernet, and Branca are all possibilties. See, eg, https://www.scottbrady91.com/JOSE/Alternatives-to-JWTs There's also Macaroons, but I don't know much about them (http://macaroons.io/).

1 comments

cookiesboxcar 1863 days ago

Thanks for the thoughtful reply. I’m thinking in an enterprise context, where I have many apps, many apis, many teams. Bolting auth to the gateway (with jwt) makes a lot of sense, and for very sensitive endpoints, maintain a blacklist.

The high-perf kv is nice and all, but also quite complex at “enterprise” scale (meaning, lots of apps/people not throughput)

Lazare 1863 days ago

That's fair. Although you can bolt auth to the gateway with sessions, too.

Perfectly valid design to inspect the request at the gateway, strip off the cookie, look up the session, then attach the session data to the request and forward it off to your internal micro services.

Authn at the edge makes a ton of sense when you hit a certain scale, or if you adopt certain patterns, but a lot of the mechanics (cookies versus other headers versus included with the request, signed payloads versus opaque tokens) are orthogonal to that.

Plenty of people have adopted JWTs because they're "better for microservices", then next thing you know they've got a 80 different microservices all independently checking the JWT against a centralised revocation list. (...well, you HOPE all 80 are doing that, but inevitably, some won't be...)

I think handing authn right is more about culture than any specific tech, really.