Echo JS 0.11.0


tracker1, 2077 days ago (2 points)
The only implementations of JWT I've actually seen in the wild, or would actually support are using asynchronous RSA public/private key signing.  This allows you to have a trusted signing authority, which is imho better than a shared secret between two systems.

Also, only use trusted authorities where the actual public key is side-loaded from an internalized resource.  Do *NOT* trust/use the header portion of JWT for this part.

The article itself is a bit too shallow and doesn't really discuss how this can work in access infrastructure, which becomes more common in a corporate or larger social interaction.  There's also how to develop/design services to consider.

Beyond this are considerations for token duration, refresh and revocation.

NOTE: currently working on an access/identity management system centered around JWT tokens for multiple applications.