I’m working on a new API, and digging (once again, why not?) on how to provide auth capabilities to it, I found an interesting post about why we should avoid using JWTs and all the JOSE standards to do this:
I remember reading another post by @joepie91 some time ago: http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/ with similar claims.
So, a proposed solution is the PASETO (Platform-Agnostic SEcurity TOkens) standard: https://paseto.io/ which is already implemented in several languages (including Elixir), it claims the benefits of JOSE without the many design deficits:
A Platform-Agnostic SEcurity TOken (PASETO) is a cryptographically
secure, compact, and URL-safe representation of claims intended for
space-constrained environments such as HTTP Cookies, HTTP
Authorization headers, and URI query parameters. A PASETO encodes
claims to be transmitted in a JSON [RFC8259] object, and is either
encrypted symmetrically or signed using public-key cryptography.
This with a stateful server to have control over sessions and/or refresh tokens look like a good way to go.
My main question is: why this? and not something else like Phoenix tokens, or Fernet, or just stay with JWTs which seems to be used everywhere now and more battle tested. I have no background or deep knowledge on cryptography, so any help to dilute my doubts will be appreciated.