Cerbos
Dec 19, 2022, 15 tweets, 8 min read
Let’s get our series started, in which we make our case against token-based AuthZ.

JWTs act like a key and are composed of three dot-separated parts: a header, a payload, and a signature.
The payload contains information identifying the owner of the token: user ID, email address, etc.

These are called claims and, essentially, they can hold whatever information you need.
The signature is what makes a JWT tamper-evident, but JWTs are usually not encrypted.

The header and payload are only Base64url-encoded (not encrypted), which means anyone holding the token can decode and read them.

What keeps a JWT trustworthy is the signature: the header and payload are signed with a shared secret (an HMAC, e.g. HS256) or a private key (e.g. RS256/ES256), and the verifier recomputes that signature on every request.
If the recomputed signature and the token’s signature don’t match, the JWT header and/or payload were tampered with 🚨

#JWT #JSONWebToken #authorization #permissions
Let’s talk about the differences between Token-Based Authentication and Token-Based Authorization.

Token-Based Authentication uses a JWT (or similar) to verify the identity of a client.
A benefit of this is not having to fetch user data from a database on every request.

This is why we call JWTs stateless: the API server doesn’t need to keep track of the user’s session state.
Token-Based Authorization is similar, but the JWT is also used to store authorization data such as the user’s roles and permissions.

While this offers performance benefits, concerns emerge. We'll break the most serious issues down in our next post.

#JWT #authorization
Check out the attached images to find out why application developers should avoid using JWTs for authorization. [four images, not preserved in this unroll]
Have you previously used JWTs for authorization? What are your thoughts?

#JWT #authorization #concerns #permissions
One thing to remember is that JWTs are not a cache. Just because you can shove a lot of information about a user into one doesn’t mean you should.

That data is visible to anyone who can see the JWT, and a bloated token travels with every request, which affects the performance of HTTP requests.
You’ll eventually need to fetch the user anyway. JWTs are supposed to help avoid extra database requests for user info, but

any non-trivial piece of business logic will need to know details about a user that the token doesn’t carry.
It doesn’t make sense to bloat your JWTs when you’re going to need to fetch that same info anyway.

We have shared our case against token-based authorization & will present an alternative solution in our next post.

#JWT #JSONWebToken #authorization
#concerns #permissions
JWTs can be a great way to authenticate clients; however, when it comes to storing authorization details, JWTs come with a number of risks.

Roles and permissions carried in the token mean larger HTTP requests, negatively impacting performance.
Beyond performance, putting user data in a payload that anyone holding the token can read creates regulatory compliance difficulties, and a token’s claims cannot be changed once issued: a permission revoked server-side is still honored by every service that trusts the token until it expires, leaving you open to attacks with stale credentials.
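As an added example (not code from the original thread or from Cerbos), the Python below builds a minimal HS256 JWT with only the standard library and demonstrates the two points made above: the recomputed signature rejects a payload edit made without the secret, and a roles claim baked into a token stays authoritative after the server revokes the role, right up until the token expires, whereas looking the role up at decision time notices immediately. The secret, user IDs, roles and permission store are constructed for the demo; the `alg` pinning is an added practitioner check, not something the thread describes.

```python
# Added example, not code from the original thread or from Cerbos.
# A minimal HS256 JWT encoder/verifier on the standard library only, used to show
# (1) how the signature detects a tampered header/payload and
# (2) why authorization data baked into a token goes stale until the token expires.
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret-do-not-reuse"  # assumed shared HMAC secret, constructed for the demo


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWTs use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    """Re-add the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(claims: dict, secret: bytes) -> str:
    """header.payload.signature, where the signature is HMAC-SHA256 over 'header.payload'."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jwt(token: str, secret: bytes, now=None) -> dict:
    """Return the claims if the signature matches and the token is unexpired; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Practitioner check: pin the algorithm you expect rather than trusting the header's alg field.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature: header or payload was tampered with")
    claims = json.loads(b64url_decode(p))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def tamper_roles(token: str, new_roles: list) -> str:
    """Edit the decoded payload and keep the old signature: all someone without the secret can do."""
    h, p, s = token.split(".")
    claims = json.loads(b64url_decode(p))
    claims["roles"] = new_roles
    return h + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()) + "." + s


def signature_rejects_tampering(secret: bytes = SECRET) -> bool:
    """Point 1: a payload edit without re-signing is caught at verification time."""
    token = encode_jwt({"sub": "u123", "roles": ["viewer"], "exp": 2_000_000_000}, secret)
    forged = tamper_roles(token, ["admin"])
    try:
        verify_jwt(forged, secret, now=1_700_000_000)
    except ValueError:
        return True
    return False


def is_admin_by_token(token: str, secret: bytes, now: float) -> bool:
    """Token-based authorization: trust the roles claim carried inside the token."""
    return "admin" in verify_jwt(token, secret, now=now).get("roles", [])


def is_admin_by_lookup(token: str, secret: bytes, store: dict, now: float) -> bool:
    """Token-based authentication only: the token identifies the user; roles are fetched at decision time."""
    sub = verify_jwt(token, secret, now=now)["sub"]
    return "admin" in store.get(sub, [])


def stale_permission_demo(secret: bytes = SECRET) -> dict:
    """Point 2: revoke a role server-side and see which approach notices."""
    store = {"u123": ["admin"]}  # constructed permission store the server can update at any time
    issued = 1_700_000_000
    token = encode_jwt({"sub": "u123", "roles": store["u123"], "exp": issued + 3600}, secret)
    store["u123"] = ["viewer"]  # admin revoked one minute later; the issued token cannot be changed
    t = issued + 60
    result = {
        "token_says_admin": is_admin_by_token(token, secret, t),           # True: stale claim still honored
        "lookup_says_admin": is_admin_by_lookup(token, secret, store, t),  # False: the store is current
    }
    try:
        is_admin_by_token(token, secret, issued + 3601)
        result["token_rejected_after_expiry"] = False
    except ValueError:
        result["token_rejected_after_expiry"] = True  # only expiry ends the stale grant
    return result


if __name__ == "__main__":
    print("tampering detected:", signature_rejects_tampering())
    print(stale_permission_demo())
```

The gap between `token_says_admin` and `lookup_says_admin` is the whole argument: with roles in the token, the only lever you have after a revocation is a short `exp`, which trades the staleness window for more frequent re-issuance.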

Solution ✅: A dedicated access control service like Cerbos can be a better option.
Cerbos’ ultra-fast API is designed to make access control decisions in milliseconds, while providing a simple way to configure them.

To learn more, check out our site & join our slack community. cerbos.dev/how-it-works

#JWT #authorization #permissions