DEV Community 👩‍💻👨‍💻

Discussion on: Using JWTs for authentication—is it worth the effort?

Peter Valdemar Mørch (edited)

JWT was invented for OAuth2 and makes super sense if you want to separate authorization and authentication from your app. E.g. if you have several apps and want single sign-on between them.

For authorization code flow (one "kind" of OAuth2), the tokens are only exchanged between the app and the OAuth2 server. Session cookies are used in the browser.

For a single-process app, I agree, it makes little sense with JWT. For a microservice architecture where there are many processes and you don't want them blindly trusting each other, JWT is übercool.

jayebird 🐙🏳️‍🌈 Author

might do a "microservices: are they more trouble than they're worth?" follow up lol

Peter Valdemar Mørch

Sure....

And then you can choose the perspective you want to get the conclusion you desire:

For a single developer or 5: Microservices are overbloated and not worth the effort.
For 100+ developers developing different web applications where you want a seamless user-experience with single-sign-on between them, and that need to be able to release independently and have an otherwise-healthy architecture: Microservices do have their valid use-cases.

Bruce Ingalls

Where do you find that "JWT was invented for OAuth2"? JWT (RFC7519) was created significantly later than OAuth2 (RFC6749). However, OAuth2.0 Tokens (RFC8693) accommodates JWT & other tokens.
JWT is part of the JOSE suite of JSON security. If JWT was created for anything, it would be OpenID Connect (akin to OpenID 2.0)

BTW this article skips the usefulness of JWT for native app development, as well as server-server communications (as you infer with micro-services).

Peter Valdemar Mørch

Wups, probably my bad. Thanks for the correction.