Hacker News new | ask | show | jobs
by ForHackernews 3 days ago
And they've published updates[0] and libraries have hardened their defaults and removed support for insecure values (e.g. alg='none'). I'm not sure what more you want?

I'd rather use a refined, battle-tested standard with lots of eyes on it than some new untested contender produced by a handful of upstarts ("look, we just designed it right from the beginning! This time it's perfect!") PASETO reeks of second-system syndrome.

[0] https://www.rfc-editor.org/info/rfc8725/
1 comments
tptacek 3 days ago
I don't recommend PASETO either.
link
doc_ick 3 days ago
What do you recommend then? What technology has been designed, completed, then used for years without any updates or problems?
link
kasey_junk 3 days ago
Bearer tokens are a dead end? You have to validate them anyway so traditional auth is the fallback.
link
tptacek 3 days ago
https://fly.io/blog/api-tokens-a-tedious-survey/

tl;dr: most of the time you should use opaque random strings.

link
ForHackernews 3 days ago
API tokens are a very small narrow part of the authorization universe. Having a shared secret relies on a trust relationship between the resource server and the identity provider that does not exist between, say, my SaaS backend and Google or Meta's login system.
link
unscaled 3 days ago
The OP was talking about sessions (which include session cookies and API tokens). I'd argue these use cases are far more common for the average programmer than tokens and signatures that are used for federation, but I'll bite the bullet here:

JWT is a serviceable solution for service trust and federation. This use case often just requires a very-short-term token, so lack of revocation support is not an issue. Replay attacks are still an issue, but they can also be prevented with single-use nonces that are included in the token claims.

The OP's take (and my take as well) is that JWT is rarely the BEST solution for this use case. You kinda have to use it if you need to implement a standard that mandates JWT such as OpenID Connect. But OpenID Connect is a great example for a place where JWT was used, but was never really necessary. If you do use the authorization code flow securely (on the server side, with a strong client secret and proper CSRF protection) you don't need the ID token. In fact, you don't need to use any cryptography at all! Just like random session IDs, you've got a stateful solution that works reliably without any cryptography.

If you cannot do a series of authenticated network requests between HTTPS endpoints to verify trust, then a signed payload could be useful, but you've got better standards than JWS/JWT for that. That's all.

link
ForHackernews 3 days ago
> If you do use the authorization code flow securely (on the server side, with a strong client secret and proper CSRF protection)

This restriction precludes all desktop clients, mobile clients, and webapp clients -- any place where you can't trust the client code to protect a secret.

I don't exactly disagree with you: Security becomes much easier once you rule out handling all the hard edge cases.

link
tptacek 3 days ago
https://www.latacora.com/blog/2018/06/12/inter-service-authe...
link
doc_ick 2 days ago
That’s dodging the question, and a very generic and blank recommendation.
link
tptacek 2 days ago
Seems like a very specific recommendation?
link
doc_ick 1 day ago
I asked for a perfect tech in your eyes, that once created was never updated or improved upon.

*edit: a recommendation for random strings in most cases isn’t perfect

link