👍 Charles C. Pustejovsky III · Dec 8, 2019 · 9:41 PM UTC

👍 Charles C. Pustejovsky III

👍 Charles C. Pustejovsky III @CCPustejovsky

8 Dec 2019

Great talk from @rdegges from the @oktadev team on JWTs. youtube.com/watch?v=JdGOb7Ax… Takeaways: don't use them for my general authentication and authoerization. do use them for password reset.

ivorscott · Dec 8, 2019 · 10:46 PM UTC

ivorscott @ivorsco77

8 Dec 2019

or just use auth0 and trust their solution.

Randall Degges · Dec 8, 2019 · 11:06 PM UTC

Randall Degges @rdegges

8 Dec 2019

auth0 uses JWTs like everyone else :o

👍 Charles C. Pustejovsky III · Dec 8, 2019 · 11:09 PM UTC

👍 Charles C. Pustejovsky III @CCPustejovsky

8 Dec 2019

Does Okta? So you'd recommend rolling my own solution with JWTs for password reset and make sure to keep using cookie sessions for the other stuff?

Randall Degges · Dec 8, 2019 · 11:13 PM UTC

Randall Degges @rdegges

8 Dec 2019

Also, for what it's worth, I think the best long term solution is for the OIDC working group to change the specs.

👍 Charles C. Pustejovsky III · Dec 8, 2019 · 11:16 PM UTC

👍 Charles C. Pustejovsky III @CCPustejovsky

8 Dec 2019

What's the chances that's going to happen anytime soon? Maybe my time in the cryptocurrency community has jaded me on changes happening as soon as people would like lol

Aaron Parecki · Dec 8, 2019 · 11:37 PM UTC

Aaron Parecki · Dec 8, 2019 · 11:37 PM UTC

Aaron Parecki @aaronpk

8 Dec 2019

Replying to @CCPustejovsky @rdegges @ivorsco77 @oktadev

There are some big changes coming in the OAuth/OIDC community, but moving away from JWTs is not one of them. Like most things, if you know how to use them properly, JWTs are fine, which is why it's usually the best bet to go with a major provider's implementation.

Dec 8, 2019 · 11:37 PM UTC

ivorscott · Dec 8, 2019 · 11:52 PM UTC

ivorscott @ivorsco77

8 Dec 2019

Replying to @aaronpk @CCPustejovsky @rdegges @oktadev

yep