Cerbos
Do not reinvent user permissions. Self-hosted, open source authorization layer for your product.

Dec 19, 2022, 15 tweets

Let’s get our series started in which we make our case against token-based AuthZ.

JWTs are like a key and composed of three parts: a header, a payload, and a signature.

The payload contains information to identify the owner of the token: user ID, email address, etc.

These are called claims and essentially, they can hold whatever info you may need.

The signature is what makes a JWT secure, but JWTs are usually not encrypted.

The information is encoded (not encrypted), which means it can be decoded.

The way to keep JWTs secure is to make sure they are signed using a secret: the signature is computed over the encoded header and payload, and the verifier recomputes it with the same secret.

If the recomputed signature and the token’s signature don’t match, the JWT header and/or payload were tampered with 🚨

#JWT #JSONWebToken #authorization #permissions
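As an added illustration (not part of the Cerbos thread), the following Python builds an HS256 token, decodes its claims without any secret, and then shows that changing a claim while keeping the old signature is caught by the verifier. The secret and claims are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real deployment loads this from a secret store.
SECRET = b"demo-signing-secret-not-for-production"

def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, as JWS requires for each segment."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    """Restore padding so the standard-library decoder accepts the segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def encode_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def mint_jwt(payload: dict, secret: bytes) -> str:
    """Sign header.payload with HMAC-SHA256, i.e. the JWT 'HS256' algorithm."""
    signing_input = f"{encode_json({'alg': 'HS256', 'typ': 'JWT'})}.{encode_json(payload)}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def decode_unverified(token: str) -> dict:
    """The payload is only encoded, not encrypted: anyone holding the token reads it."""
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_jwt(token: str, secret: bytes) -> Optional[dict]:
    """Recompute the signature over header.payload; a mismatch means tampering."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return None  # the verifier, not the token, decides which algorithm is acceptable
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))

def rewrite_claim(token: str, claim: str, value: str) -> str:
    """Constructed tampering: change one claim but keep the original signature."""
    header_b64, _, sig_b64 = token.split(".")
    claims = decode_unverified(token)
    claims[claim] = value
    return f"{header_b64}.{encode_json(claims)}.{sig_b64}"
```

Note that `decode_unverified` reads the claims from the tampered token just fine; only `verify_jwt` tells you they cannot be trusted.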

Let’s talk about the differences between Token-Based Authentication and Token-Based Authorization.

Token-Based authentication uses a JWT (or similar) to verify the identity of a client.

A benefit of this is not having to fetch user data from a database.

This is why we call JWTs stateless: the API’s server doesn’t need to keep track of a user’s session state.

Token-Based Authorization is similar, but the JWT is also used to store authorization information such as user permissions and roles.

While this offers performance benefits, concerns emerge. We'll break the most serious issues down in our next post.

#JWT #authorization

Check out the attached images to find out why application developers should avoid using JWTs for authorization.

Have you previously used JWTs for authorization? What are your thoughts?

#JWT #authorization #concerns #permissions

One thing to remember is that JWTs are not a cache. Just because you can shove a lot of information about a user into one doesn’t mean you should.

This data is not hidden from anyone who can see the JWT, and it can affect the performance of HTTP requests.

You’ll eventually need to fetch a user anyway. JWTs are supposed to help prevent extra database requests to fetch user info.

Any non-trivial piece of business logic will need to know details about a user.

It doesn’t make sense to bloat your JWTs when you’re going to need to fetch that same info anyway.

We have shared our case against token-based authorization & will present an alternative solution in our next post.

#JWT #JSONWebToken #authorization #concerns #permissions

JWTs can be a great way to authenticate clients; however, when it comes to storing authorization details, JWTs come with a number of risks.

JWTs come with the cost of larger HTTP requests, negatively impacting performance.

In addition to performance issues, JWTs face regulatory compliance difficulties, as well as token-expiration problems that leave your system open to attack.

Solution ✅: A dedicated access control service like Cerbos can be a better option.

Cerbos’ ultra-fast API is designed to make access control decisions in milliseconds, while providing a simple way to configure them.

To learn more, check out our site & join our Slack community. cerbos.dev/how-it-works

#JWT #authorization #permissions
