What is the best way for JWT authentication?

What is the best way to use JWT authentication in Phoenix?
Pow, Guardian or maybe something else?

Thanks :slight_smile:

I would say Guardian. But I have not made an extensive comparison.
Also, you can use Guardian with Pow or other libraries.

If it is user facing auth then I would say - don't. Just use regular session cookies, and if you want signed tokens, then PASETO is a better choice.

4 Likes

Have also a look at phx_gen_auth which will eventually be part of Phoenix:


It's not JWT specifically, but it uses tokens.

The hatred of JWT almost jumped out from my monitor, vividly.

Can PASETO be used with Guardian?

It is not hatred, it is more of a pity. JWT is abused in places where it shouldn't be used, as stateless tokens aren't suitable for general purpose authentication. Also, JWT just made poor choices from the security viewpoint. It is much better to use a versioned and fixed set of small, proven algorithms chosen by experts than to allow everyone to pick their own, as in the end it can cause leakages. PASETO for stateless tokens (when needed) is much better. However, for general purpose authentication over HTTP it is much better to use sessions with good old signed cookies (especially if marked as http-only cookies).

In general - when used properly, JWT isn’t that bad, but there are better options for such uses anyway.

No idea. I do not use Guardian at all.

2 Likes
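The two points made above (letting the token choose its own algorithm, and stateless tokens not being revocable the way server-side sessions are) can be shown in a few dozen lines. The block below is an added example written for this thread, in Python rather than Elixir so it runs stand-alone; it is not code from Guardian, Pow, phx_gen_auth or PASETO. The key, the user ids and the forged token are constructed for the demo, and the JWT mint/verify helpers are a minimal HS256 implementation, not a library.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo key; a real deployment reads it from config/secrets.
KEY = b"demo-secret-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def jwt_hs256(key: bytes, payload: dict) -> str:
    """Mint a JWT signed with HMAC-SHA256 (the honest case)."""
    h, p = _segment({"alg": "HS256", "typ": "JWT"}), _segment(payload)
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def jwt_forged_none(payload: dict) -> str:
    """What an attacker sends: alg=none, empty signature, payload of their choosing."""
    return f"{_segment({'alg': 'none', 'typ': 'JWT'})}.{_segment(payload)}."


def verify_alg_from_header(key: bytes, token: str) -> dict:
    """Weak verifier: the token's own header picks the algorithm.

    This is the "everyone picks their own algorithm" problem from the post:
    "none" is a legitimate JWT algorithm, so the unsigned token is accepted.
    """
    h, p, s = token.split(".")
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg == "none":
        return json.loads(b64url_decode(p))
    if alg == "HS256":
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(s)):
            return json.loads(b64url_decode(p))
        raise ValueError("bad signature")
    raise ValueError("unsupported alg")


def verify_pinned_hs256(key: bytes, token: str) -> dict:
    """Hardened verifier: the algorithm is fixed by the server, never by the token."""
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":  # "none" included
        raise ValueError("algorithm not allowed")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


class SessionStore:
    """Server-side sessions: the cookie carries only an opaque random id, the
    server holds the state, so logout or account compromise can be revoked at once.
    A signed stateless token stays valid until it expires, whatever the server wants."""

    def __init__(self):
        self._sessions = {}

    def create(self, user_id: str) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"sub": user_id}
        return sid

    def lookup(self, sid: str):
        return self._sessions.get(sid)

    def revoke(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def demo() -> dict:
    """Run both verifiers against an honest and a forged token, then compare revocation."""
    good = jwt_hs256(KEY, {"sub": "alice"})
    forged = jwt_forged_none({"sub": "admin"})
    results = {
        "weak_accepts_forged": verify_alg_from_header(KEY, forged)["sub"] == "admin",
        "pinned_accepts_good": verify_pinned_hs256(KEY, good)["sub"] == "alice",
    }
    try:
        verify_pinned_hs256(KEY, forged)
        results["pinned_rejects_forged"] = False
    except ValueError:
        results["pinned_rejects_forged"] = True
    store = SessionStore()
    sid = store.create("alice")
    store.revoke(sid)  # user logs out
    results["session_revoked"] = store.lookup(sid) is None
    # Nothing the server does here invalidates the JWT it already issued.
    results["jwt_still_valid_after_logout"] = verify_pinned_hs256(KEY, good)["sub"] == "alice"
    return results


if __name__ == "__main__":
    print(demo())
```

Pinning the algorithm closes the header-driven hole, which is what a fixed, versioned format like PASETO does by construction; it does nothing about the second problem, since the honest token is still accepted after the user has logged out. That is the case for server-side sessions (the cookie-backed approach phx_gen_auth takes) for user-facing login.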