On Sun, Apr 26, 2020 at 8:29 AM James Bennett <ubernost...@gmail.com> wrote:

> JWTs are an absolute security nightmare. Some of the Django security
> team have heard me rant on this topic already, but: there is no such
> thing as a safe JWT implementation, because there are fundamental
> flaws in the design of JWT that cannot be remedied by just writing
> better implementations.
>

Given this thesis, your conclusion makes sense. I use JWTs in my
application, because my domain is particularly suited to it IMO, and while
I can't speak for everyone on this list, I'd be interested to hear your
complaints about the design of JWTs. For my own thinking, I find that the
inclusion of the standardized algorithm field was a design mistake. It can
be papered over by a good library implementation, but that so many
libraries got it wrong is evidence of a flaw in the protocol design, IMO.

However, I'm not aware of any other standard payload-signing mechanism that
has the well-defined capabilities that JWTs have, without that issue.
That's fairly likely to be ignorance on my part, and if a more suitable
standard were available to me, I'd happily switch my application to using
it. Obviously JWTs are indeed popular, and I don't particularly find the
issue I mentioned above to be a total showstopper (although it is obviously
very unfortunate).

Perhaps in email or a blog post or just a list of links, would you be
willing to share your complaints? Are there better designs for a similar
protocol that overcome your objections?

Ryan
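The "alg" field problem Ryan mentions above, written out as an added example that is not code from this thread, from Django, or from any JWT library: a minimal HS256 signer, a forged token whose header claims "alg": "none", a verifier that lets the token's own header choose the algorithm, and a verifier that pins the algorithm on the application side. Only the standard library is used; the key, the claims and the function names are constructed for illustration. The RS256-to-HS256 key-confusion variant is the same class of bug (the header, not the verifier, picks the algorithm) but is not shown here since it needs RSA.

```python
# Added example (not from the thread): a verifier that trusts the JWT "alg"
# header versus one that pins the algorithm. Standard library only.
import base64
import hashlib
import hmac
import json


def _b64url_encode(raw: bytes) -> str:
    # JWT uses unpadded base64url.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signing_input(header: dict, payload: dict) -> str:
    # header.payload, both compact JSON, base64url-encoded.
    return (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
            + "." + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))


def sign_hs256(payload: dict, key: bytes) -> str:
    signing_input = _signing_input({"alg": "HS256", "typ": "JWT"}, payload)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def forge_alg_none(payload: dict) -> str:
    # Attacker-constructed token: header says "none", signature segment empty.
    return _signing_input({"alg": "none", "typ": "JWT"}, payload) + "."


def verify_trusting_header(token: str, key: bytes):
    """Flawed verifier: the token's own header decides how it is checked."""
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    signing_input = (h + "." + p).encode("ascii")
    if header["alg"] == "none":
        return json.loads(_b64url_decode(p))  # accepts an unsigned token
    if header["alg"] == "HS256":
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if hmac.compare_digest(expected, _b64url_decode(s)):
            return json.loads(_b64url_decode(p))
    return None


def verify_pinned_hs256(token: str, key: bytes):
    """Hardened verifier: the application fixes the algorithm; the header must match it."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":
            return None  # "none", RS256, anything else: rejected before any crypto
        signing_input = (h + "." + p).encode("ascii")
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        return json.loads(_b64url_decode(p))
    except (ValueError, UnicodeDecodeError):
        # Wrong segment count, bad base64, or bad JSON: treat as invalid.
        return None


if __name__ == "__main__":
    KEY = b"example-key-not-for-production"  # constructed
    good = sign_hs256({"sub": "ryan", "admin": False}, KEY)
    forged = forge_alg_none({"sub": "ryan", "admin": True})
    print(verify_trusting_header(good, KEY))
    print(verify_trusting_header(forged, KEY))  # flawed: accepts admin=True
    print(verify_pinned_hs256(good, KEY))
    print(verify_pinned_hs256(forged, KEY))     # None
```

The pinned verifier is the shape a library has to take to be safe: the caller supplies the one algorithm (and key type) it expects, and the header is compared against that expectation rather than consulted for instructions.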

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/CABpHFHQ6M6ODzjX9aXxY-nbZRu5hFHq-nUcviGvzdX8U_NwePw%40mail.gmail.com.