Friday, 19 February 2016

Musing on JSON Web Tokens

I just got back from the DevNexus conference in Atlanta.  There, I attended several security-related talks.  One of them was on using JSON Web Tokens (JWT).  The presenter explained that JWT is "session cookies done right".

Afterward, I was discussing the talk with an old colleague I hadn't seen in years.  He seemed impressed and told about how this was just what he needed to secure some of his legacy REST endpoints.  I remarked that yes, JWT is good and we use it in Keycloak as part of our OpenID Connect implementation.  I also said that I thought it was a mistake to roll your own.  You wouldn't really do this yourself.  You would use a tool that manages the tokens for you.  He didn't seem convinced, and I didn't have a good coherent argument so I dropped the subject.

Then that evening there was another talk that mentioned JWT.  This presenter told us, no, JWT is bad.  He says, well, it's not really bad.  It's probably the best choice if you know what you are doing.  Then he proceeded to tell us about security problems in old versions of JWT libraries and how even with the latest code you might not get it right.

Though it wasn't really the focus of his talk, this guy seemed to be saying that the best solution is to "roll your own" token.

Uh, no.

But I wish my friend had seen that talk as well.  Now I had my answer for him.  Security is hard.  Use Keycloak or use some other product.  Just don't get cute and try to do JWT yourself.