pggalaviz

pggalaviz

PASETO vs JOSE (JWT - JSON Web Tokens) (protocols/standards for managing user sessions)

Hi everybody,

I’m working on a new API, and digging (once again, why not?) on how to provide auth capabilities to it, I found an interesting post about why we should avoid using JWTs and all the JOSE standards to do this:

https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid

I remember reading another post by @joepie91 some time ago: http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/ with similar claims.

So, a proposed solution is the PASETO (Platform-Agnostic SEcurity TOkens) standard: https://paseto.io/ which is already implemented in several languages (including Elixir), it claims the benefits of JOSE without the many design deficits:

A Platform-Agnostic SEcurity TOken (PASETO) is a cryptographically
secure, compact, and URL-safe representation of claims intended for
space-constrained environments such as HTTP Cookies, HTTP
Authorization headers, and URI query parameters. A PASETO encodes
claims to be transmitted in a JSON [RFC8259] object, and is either
encrypted symmetrically or signed using public-key cryptography.

This with a stateful server to have control over sessions and/or refresh tokens look like a good way to go.

My main question is: why this? and not something else like Phoenix tokens, or Fernet, or just stay with JWTs which seems to be used everywhere now and more battle tested. I have no background or deep knowledge on cryptography, so any help to dilute my doubts will be appreciated.

Most Liked

ianleeclark

ianleeclark

Hey, I actually wrote the Paseto library for Elixir, so I’ll explain my reasoning behind it:

1.) Much saner defaults than JOSE (specifically the algorithm issue). We’re removing the decision making process behind chosen crypto by enforcing sane defaults
2.) Preferring JWT/Paseto enables language agnostic backends (beyond just a happy path of Ruby → Phoenix), rather than relying only on semi-exclusive formats.

Finally, it’s really easy to get small JWT/Paseto’s if you only keep sane information in the token: bitmasks for auth flags, don’t stick the entire user model in the JWT, &c.

I wouldn’t use a Paseto unless I were working in a microservice architecture–I’d default to normal sessions.

idi527

idi527

I think it mainly depends on what you are going to use these protocols for. JWT and by extension PASETO are good for one-off requests, like “hey, image service, resize me this image, here’re my creds”. They might not have many advantages for anything else (as the second article you linked argues).

OvermindDL1

OvermindDL1

I use CacheX as a cache, it is backed by ETS. You can have it acquire data from lookup functions if it is timed out or doesn’t exist or so, thus all access can be done ‘through’ it. Anytime you want to ‘write’ to the database just clear the cache at the same key on all nodes or just directly inject the new data. This is fantastic for read-very-often data with little writing.

If you do lots of writing, just do database access every time, like really.

Honestly you should just start with database access anytime anyway, it’s super fast as it is, and with a good module setup you can change how it works (such as to CacheX) at any time.

Where Next?

Popular in Discussions Top

jswny
I would like to better understand what the advantages/disadvantages of umbrella applications are compared to structuring your app as as s...
New
blackode
Elixir Upgrading is so Simple in Ubuntu and It worked for me Ubuntu 16.04 git clone https://github.com/elixir-lang/elixir.git cd elixir...
New
Nvim
Elixir appears to be a superior language to Python. I don’t see any advantage of Python over Elixir. Are there any?
New
AngeloChecked
What learn first? Rust or Elixir Hi Elixir community! I’m here because i want learn a new language. I’m a junior developer and mainly i ...
New
arpan
Hello everyone :wave: Today I am very excited to announce a project that I have been working on for almost 3 months now. The project is...
New
Crowdhailer
I’ve been hearing much about the new formatter and it’s something I have been keen to try. I find examples buy far the most illuminating...
248 19204 150
New
100phlecs
Are there any downsides, like perf issues, to putting all functional components in CoreComponents as long as you prefix it with the conte...
New
AstonJ
Can you believe the first professionally published Elixir book was published just 8 years ago? Since then I think we’ve seen more books f...
New
opsb
We’re considering our architecture from a viewpoint of scaling our traffic heavily over the next 6 months. Our current deployment is runn...
New
Markusxmr
Since Drab has been developed for a while in the open, introducing the Liveview functionality in a way it happend appears to undermine th...
New

Other popular topics Top

9mm
I am constructing a JSON object (map) and I need to conditionally set a field. I’m trying to write proper elixir-way code… and I’m at a l...
New
senggen
Erlang/OTP 25 [erts-13.2.2] [source] [64-bit] [smp:8:8] [ds:8:8:10] [async-threads:1] 15:22:35.803 [error] gen_event {lager_file_backend...
New
jononomo
I am trying to figure out how Mix knows whether the environment is test, dev, or prod – where is this set? Thanks.
New
msaraiva
Surface is an experimental library built on top of Phoenix LiveView and its new LiveComponent API that aims to provide a more declarative...
564 43622 214
New
chrismccord
This release brings a number of exciting features, including integration with the new Phoenix LiveDashboard and Phoenix LiveView. There h...
New
Qqwy
Original source of discussion: This topic on the Pragmatic Programmers’ Functional Web Development with Elixir, OTP, and Phoenix forum. ...
New
alice
Hey, Just curious what are the main benefits of Elixir compared to Clojure? When is Elixir more useful than Clojure and vice versa? Th...
New
vonH
When I run the Plug and I recompile I wind up having to use Ctrl C to quit iex and start again. Witht the help of rlwrap I can use the cu...
New
bsollish-terakeet
Credo is smart enough to check for (something like) this: assert length(the_list) == 0 with this response: Checking if an enum is empt...
New
rms.mrcs
Hi, I need to transform a list of numbers into a map where the keys are the indexes and the values are the original values of the list. ...
New

Latest on Elixir Forum

Elixir Forum

We're in Beta

About us Mission Statement