When we talk about JWT, we are referring to the implementation of an access management system for resources. It is generally argued that JWT is easy and secure to use. However, as we saw in The Dark Side of JWT: Why It's Not as Secure as You Think?, this is not entirely true. In this article, we will design an authentication system that utilizes JWT. To begin, we will describe the needs we want to address. I understand that software architecture should involve identifying a problem and then choosing the most appropriate technology to solve it, rather than selecting a technology and trying to fit a problem into it. However, we will make an exception in this case to evaluate the feasibility of this technology.
And the cases we want to cover are:
- Ability to log in
- Ability to log out
- Ability to track created sessions and their timestamps
- Ability to log out of all sessions at once
- Ability to have different roles
- Security against XSS
- Security against CSRF
- To achieve all this, we will start with the first point and progress by revisiting and updating the previous points.
Let's remember that JWT is supposed to be:
- Easy to use
- Secure
- Stateless
- Fast
- Cross-Domain Authentication
It's important to remember that JWT is simply a way to secure permissions, much like sessions. On the other hand, we have authentication protocols such as OAuth or Password Grant. Throughout the upcoming entries in this series, we will be exploring and explaining each of the points mentioned earlier.
In the examples I provide, only the basic part of the code will be included. If you want to see the entire code, I recommend giving a star to this repository: https://github.com/Tlaloc-Es/fastapi-basic-api-template, where I will start uploading the content.
Top comments (0)