pggalaviz
PASETO vs JOSE (JWT - JSON Web Tokens) (protocols/standards for managing user sessions)
Hi everybody,
I’m working on a new API, and digging (once again, why not?) on how to provide auth capabilities to it, I found an interesting post about why we should avoid using JWTs and all the JOSE standards to do this:
https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid
I remember reading another post by @joepie91 some time ago: http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/ with similar claims.
So, a proposed solution is the PASETO (Platform-Agnostic SEcurity TOkens) standard: https://paseto.io/ which is already implemented in several languages (including Elixir), it claims the benefits of JOSE without the many design deficits:
A Platform-Agnostic SEcurity TOken (PASETO) is a cryptographically
secure, compact, and URL-safe representation of claims intended for
space-constrained environments such as HTTP Cookies, HTTP
Authorization headers, and URI query parameters. A PASETO encodes
claims to be transmitted in a JSON [RFC8259] object, and is either
encrypted symmetrically or signed using public-key cryptography.
This with a stateful server to have control over sessions and/or refresh tokens look like a good way to go.
My main question is: why this? and not something else like Phoenix tokens, or Fernet, or just stay with JWTs which seems to be used everywhere now and more battle tested. I have no background or deep knowledge on cryptography, so any help to dilute my doubts will be appreciated.
Most Liked
ianleeclark
Hey, I actually wrote the Paseto library for Elixir, so I’ll explain my reasoning behind it:
1.) Much saner defaults than JOSE (specifically the algorithm issue). We’re removing the decision making process behind chosen crypto by enforcing sane defaults
2.) Preferring JWT/Paseto enables language agnostic backends (beyond just a happy path of Ruby → Phoenix), rather than relying only on semi-exclusive formats.
Finally, it’s really easy to get small JWT/Paseto’s if you only keep sane information in the token: bitmasks for auth flags, don’t stick the entire user model in the JWT, &c.
I wouldn’t use a Paseto unless I were working in a microservice architecture–I’d default to normal sessions.
idi527
I think it mainly depends on what you are going to use these protocols for. JWT and by extension PASETO are good for one-off requests, like “hey, image service, resize me this image, here’re my creds”. They might not have many advantages for anything else (as the second article you linked argues).
OvermindDL1
I use CacheX as a cache, it is backed by ETS. You can have it acquire data from lookup functions if it is timed out or doesn’t exist or so, thus all access can be done ‘through’ it. Anytime you want to ‘write’ to the database just clear the cache at the same key on all nodes or just directly inject the new data. This is fantastic for read-very-often data with little writing.
If you do lots of writing, just do database access every time, like really.
Honestly you should just start with database access anytime anyway, it’s super fast as it is, and with a good module setup you can change how it works (such as to CacheX) at any time.
Popular in Discussions
Other popular topics
Categories:
Sub Categories:
Forums
Popular Tags
- #ecto
- #liveview
- #troubleshooting
- #learning-elixir
- #deployment
- #library
- #erlang
- #testing
- #genserver
- #mix
- #absinthe
- #remote-other
- #otp
- #plug
- #how-to-question
- #macros
- #postgres
- #channels
- #elixirconf
- #exunit
- #discussion
- #code-sync
- #javascript
- #podcasts
- #onsite
- #dialyzer
- #docker
- #authentication
- #umbrella
- #full-time-contract
- #podcasts-by-brainlid
- #ecto-query
- #elixir-ls
- #phoenix_html
- #iex
- #blog-post
- #graphql
- #genstage
- #ai
- #websockets
- #supervisor
- #advent-of-code
- #elixirconf-us
- #distillery
- #processes
- #forms
- #api
- #metaprogramming
- #security
- #performance










