by willeh 1862 days ago
Regarding auth, I absolutely bought into the JWT Kool-Aid, but honestly if you're still in the monolith phase just use the most popular auth framework for your language. JWT adds a lot of complexity and room for misconfiguration. You do get something in return of course - it is stateless (hence scalable), works great with microservices, and improves your security model somewhat by separating issuing from verification. But you do have to pay for it: expiry gets tricky, the client code gets trickier, permissions get trickier. For most people it just isn't worth it.
3 comments

I think that a standalone auth solution is a good idea when you start to have multiple applications (microservices or not) that want to have the same user database. These could be multiple custom apps or COTS or OSS.

You don't have to use JWT to get a standalone solution (see for example this guide which I wrote: https://fusionauth.io/docs/v1/tech/guides/single-sign-on/ JWTs are used briefly, but most of the heavy lifting is done with application sessions).

If you have a single application, definitely use devise, passportjs, spring security or whatever is in your framework. 100% agree. But pretty quickly you often are adding in a forum, helpdesk, GSuite for employees, etc etc and having a single source of truth for a user is good.

We are going through this currently. Have a large new system going in which relies on OAuth and JWTs and our IAM team is now spending a lot of time & energy with the developers on all of the use/edge cases with tokens, expiry, security, and whether the code should be in the client or the server. In the end it'll work out, but I completely agree that grabbing the most popular auth framework for your language will save a lot of headaches in the vast majority of cases.
To make things easy I usually use "alg":"none". It makes using JWTs a breeze.

https://datatracker.ietf.org/doc/html/rfc7518#section-3.6

I recently discovered the TLS_NULL_WITH_NULL_NULL SSL ciphersuite (https://datatracker.ietf.org/doc/rfc5246/) - it makes analyzing network traffic so much simpler, and you don't even have to deal with certificates any more!
Like a sibling comment said, hopefully this was tongue-in-cheek.

If you use "none", anyone can forge a JWT that says anything. I always say:

* You should have some other way of verifying that the JWT was unchanged by the client, like, say, being on a private network or using client TLS certs

and

* You should benchmark and know that the signing overhead is a significant source of performance degradation in your system.

Otherwise, sign your JWTs! :)
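To make the "none" point concrete, here is an added example (not code from the thread or from any JWT library): a verifier that trusts the token's own `alg` header accepts an unsigned token with whatever claims the client typed in, while a verifier that pins HS256 on the server side rejects it. The key, claims and helper names are all constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key"  # constructed for this example, not a real key

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def hs256(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def issue(payload: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a compact JWT; alg='none' produces an unsigned token with an empty signature."""
    h = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    b = b64url(json.dumps(payload).encode())
    sig = "" if alg == "none" else b64url(hs256(key, f"{h}.{b}"))
    return f"{h}.{b}.{sig}"

def verify_naive(token: str, key: bytes):
    """Vulnerable verifier: trusts the token's own 'alg', so 'none' bypasses the MAC check."""
    h, b, s = token.split(".")
    if json.loads(unb64url(h)).get("alg") == "none":
        return json.loads(unb64url(b))  # accepted without any signature at all
    ok = hmac.compare_digest(hs256(key, f"{h}.{b}"), unb64url(s))
    return json.loads(unb64url(b)) if ok else None

def verify_pinned(token: str, key: bytes):
    """Hardened verifier: the server fixes the algorithm; any other 'alg' is rejected."""
    h, b, s = token.split(".")
    if json.loads(unb64url(h)).get("alg") != "HS256":
        return None
    ok = hmac.compare_digest(hs256(key, f"{h}.{b}"), unb64url(s))
    return json.loads(unb64url(b)) if ok else None

if __name__ == "__main__":
    forged = issue({"sub": "admin"}, b"", alg="none")  # no key needed to mint this
    print(verify_naive(forged, SECRET))   # {'sub': 'admin'}  accepted
    print(verify_pinned(forged, SECRET))  # None              rejected
    print(verify_pinned(issue({"sub": "alice"}, SECRET), SECRET))  # {'sub': 'alice'}
```

The same pinning logic is what the `algorithms=` parameter of most JWT libraries gives you; the point is that the verifier, not the token, chooses the algorithm.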

I hope this is a joke.
It was, but judging by the downvotes my delivery was off :)