On 09/11/2015 06:06 PM, Alexander Shorin wrote:
> JWT is all good except one moment: it's not an alternative for OAuth (:

Yeah, that's true. However, there are use cases where the same problem can be solved by using JWT instead of OAuth, maybe even in a better way.

> And it's hard to say that it's simpler, especially in case of support
> of all the algorithms on the browser side. WebCrypto is not a common thing
> yet.

I don't see a point in supporting all available algorithms. Assuming that we restrict ourselves to only implementing the HS256 and RS256 algorithms (at least as a start), which I think would be a reasonable choice, it's likely going to be simpler both from an implementation and a user perspective. Both HS256 and RS256 can be easily used in browsers. There's even a browser-based debugger available at http://jwt.io/.

> But I'm +1 for JWT support anyway. It has its own good use cases.

Great :)

> P.S. Basically, CouchDB cookies are JWTs, except that the payload isn't
> JSON, but a binary Erlang term.

Yeah, they're quite similar to HS256 JWTs :)

One limitation with cookies that I've recently been facing is that you can't rely on them as soon as requests to CouchDB are cross-origin, as browsers often don't accept third-party cookies. This could be addressed by including a JWT in the response to requests against the /_session endpoint, which then could be used for authentication instead of a cookie.