Friday, 19 February 2016
Afterward, I was discussing the talk with an old colleague I hadn't seen in years. He seemed impressed and told me about how this was just what he needed to secure some of his legacy REST endpoints. I remarked that yes, JWT is good and we use it in Keycloak as part of our OpenID Connect implementation. I also said that I thought it was a mistake to roll your own. You wouldn't really do this yourself. You would use a tool that manages the tokens for you. He didn't seem convinced, and I didn't have a good coherent argument, so I dropped the subject.
Then that evening there was another talk that mentioned JWT. This presenter told us, no, JWT is bad. He said, well, it's not really bad. It's probably the best choice if you know what you are doing. Then he proceeded to tell us about security problems in old versions of JWT libraries and how even with the latest code you might not get it right.
Though it wasn't really the focus of his talk, this guy seemed to be saying that the best solution is to "roll your own" token.
But I wish my friend had seen that talk as well. Now I had my answer for him. Security is hard. Use Keycloak or use some other product. Just don't get cute and try to do JWT yourself.
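To make the "security is hard" point concrete, here is an added example (my own code, not part of Keycloak or of the original post) of a minimal HS256 JWT verifier together with the negative cases it has to reject. The key, the claims and the `negative_cases` scenarios are constructed for the demonstration. The pitfalls shown are the well-known ones a hand-rolled verifier tends to get wrong: trusting the `alg` header instead of pinning the algorithm the server expects, reading claims before the signature has been checked, comparing signatures with a non-constant-time equality, and forgetting to enforce `exp`.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class InvalidToken(Exception):
    """Raised for any token the verifier refuses; the message names the reason."""


def _b64url_encode(data: bytes) -> str:
    # JWT uses unpadded base64url (RFC 7515 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def sign_hs256(claims: dict, key: bytes) -> str:
    """Mint a compact JWS with HS256. Used here only to build test inputs."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_hs256(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """Return the claims of a valid token; raise InvalidToken otherwise.

    The verifier decides the algorithm (HS256 with this key). The token's own
    'alg' header is only checked for agreement, never used to pick a verifier.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError as exc:  # covers binascii.Error and bad UTF-8/JSON
        raise InvalidToken("malformed header") from exc
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    # Signature first: the payload is untrusted until the MAC checks out.
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    try:
        presented = _b64url_decode(sig_b64)
    except ValueError as exc:
        raise InvalidToken("malformed signature") from exc
    if not hmac.compare_digest(expected, presented):  # constant-time compare
        raise InvalidToken("bad signature")
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:
        raise InvalidToken("malformed payload") from exc
    if not isinstance(claims, dict):
        raise InvalidToken("payload is not a JSON object")
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        raise InvalidToken("missing exp")  # this verifier refuses non-expiring tokens
    if now >= exp:
        raise InvalidToken("token expired")
    nbf = claims.get("nbf")
    if nbf is not None and now < nbf:
        raise InvalidToken("token not yet valid")
    return claims


def verify_or_reason(token: str, key: bytes, now: Optional[float] = None) -> str:
    try:
        verify_hs256(token, key, now=now)
        return "ok"
    except InvalidToken as exc:
        return str(exc)


def negative_cases(key: bytes, now: float) -> dict:
    """Constructed tokens a sloppy verifier commonly accepts; all but 'valid' must fail."""
    good = sign_hs256({"sub": "alice", "exp": now + 300}, key)
    h, p, s = good.split(".")
    cases = {
        "valid": good,
        "unsigned_alg_none": _b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + p + ".",
        "tampered_payload": h + "." + _b64url_encode(b'{"sub":"admin","exp":4102444800}') + "." + s,
        "wrong_key": sign_hs256({"sub": "alice", "exp": now + 300}, b"some-other-key"),
        "expired": sign_hs256({"sub": "alice", "exp": now - 1}, key),
        "no_expiry": sign_hs256({"sub": "alice"}, key),
    }
    return {name: verify_or_reason(tok, key, now=now) for name, tok in cases.items()}


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-not-for-production"
    for name, outcome in negative_cases(demo_key, time.time()).items():
        print(f"{name:20s} -> {outcome}")
```

The list of checks is the argument: every one of them is a line a busy developer can forget, and a library that handles them (and gets updated when a new class of mistake is found) is the point of delegating token handling to a product rather than rolling it yourself.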
Thursday, 4 February 2016
Today we have two releases. As 1.8.0.Final was released before WildFly 10 Final was available, we decided to release 1.8.1.Final which is now built on top of WildFly 10 Final.
The bigger release today is 1.9.0.CR1. This release contains a large number of bug fixes and improvements, but no major new features.