[andrewstuart2]

> It's current year, why are JWTs only supported in the closed source/enterprise versions of Varnish, NGINX, and Traefik?

I've found auth at the proxy to be a major antipattern. It adds a semblance of your backend being secure without adding the real user authentication and authorization it should have directly.

VPN is the better tool if you want to keep certain projects hidden from the general public and your application should be handling the JWT (hopefully in current year we're talking OIDC or some additional open standard on top of JWT) itself in order to properly enforce access controls.

[miiiiiike]

With JWTs I don't do anything at the proxy beyond "This is a protected route. Is there a JWT? Is it valid? No to either? 403." This is one of the primary use cases for JWTs and it takes a majority of the load off of my application servers.

The route is open to the public for authenticated and authorized users. You wouldn't use a VPN here.

[andrewstuart2]

That's really just added work, IMO, and likely room for security misconfiguration between backend and proxy. You should still be validating and everything on the application server to inspect identity and possibly attributes like roles, so in the cases where you have invalid tokens you do the work once, just in the proxy instead of the backend, and with valid tokens you will do the signature validation work twice.

[miiiiiike]

Security starts at the edge.

Have you used JWTs in production? Better to bounce a bad JWT with a server written in C/C++/Rust/Go at the edge than to pass it back and have it tie up a Python or Node process.

Even in Python the time to validate a small JWT is negligible. At the edge it's nearly imperceptible.

[miiiiiike]

If you're concerned about misconfigurations, just verify/validate everything in tests.