
I've just learnt that JWTs have major drawbacks and that we are overusing them. I can totally see the reasoning.

The solution would be to make a call to the DB each time, instead of using a JWT.

The problem is that I'm using Keycloak for my project - so it automatically uses JWT.

Is there any alternative other than using JWT for Keycloak?

Thanks.

Octavian Niculescu
  • `I can totally see the reasoning.` ... I can't. Using the session ID is fine but it is stateful, and as you mentioned requires frequent calls to a DB or maybe a cache. – Tim Biegeleisen Feb 23 '22 at 09:33
  • @TimBiegeleisen https://developer.okta.com/blog/2017/08/17/why-jwts-suck-as-session-tokens - and there are many articles stating the same thing, and I kind of agree. – Octavian Niculescu Feb 23 '22 at 10:41
  • If you read that article then it's clear they suggest using session cookies. There's a similar article here: http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/ – Juraj Martinka Feb 25 '22 at 08:30
  • Alternative: https://openfga.dev/. Disclaimer: I help build this product – Maria Ines Parnisari Jul 29 '23 at 19:52

1 Answer


Assuming you have the option of using something other than Keycloak, a popular alternative to JWT is PASETO. With PASETO the client can no longer tinker with the authentication algorithm, and the payload is encrypted, not just encoded as in JWT.

Have a look at the following two links:

https://paseto.io/

https://developer.okta.com/blog/2019/10/17/a-thorough-introduction-to-paseto

pcodex
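As an added example (not part of the question, pcodex's answer, or any Keycloak or PASETO code), the stdlib-only Python below shows the two JWT properties the answer contrasts with PASETO, and the stateful alternative the question has in mind. A JWT payload is only base64url-encoded, so anyone holding the token can read it without a key; a verifier that lets the token's own header choose the algorithm accepts a forged `alg=none` token with the signature dropped, while a verifier that pins the algorithm rejects it. The closing `SessionStore` is the "call to the DB each time" design: an opaque session ID whose state lives server-side, so revoking it takes effect immediately, which a self-contained JWT cannot do before it expires. The key, claims, function names and the in-memory dict standing in for the database are all constructed for this demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed demo key: a real service loads this from a secrets manager.
SERVER_KEY = b"demo-hmac-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_b64(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def mint_hs256(claims: dict, key: bytes) -> str:
    """Build a compact JWT signed with HMAC-SHA256 (JWS 'HS256')."""
    signing_input = _json_b64({"alg": "HS256", "typ": "JWT"}) + "." + _json_b64(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def read_payload_without_key(token: str) -> dict:
    """A JWT payload is encoded, not encrypted: whoever holds the token can read it."""
    return json.loads(_unb64url(token.split(".")[1]))


def forge_alg_none(new_claims: dict) -> str:
    """Attacker side: set the header to alg=none, swap the claims, drop the signature."""
    return _json_b64({"alg": "none", "typ": "JWT"}) + "." + _json_b64(new_claims) + "."


def verify_trusting_header(token: str, key: bytes) -> Optional[dict]:
    """VULNERABLE: the token's own header decides how the token is verified."""
    head_b64, body_b64, sig_b64 = token.split(".")
    alg = json.loads(_unb64url(head_b64)).get("alg")
    if alg == "none":  # unsigned tokens are accepted as-is
        return json.loads(_unb64url(body_b64))
    if alg == "HS256":
        expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, _unb64url(sig_b64)):
            return json.loads(_unb64url(body_b64))
    return None


def verify_pinned(token: str, key: bytes) -> Optional[dict]:
    """HARDENED: the verifier fixes the algorithm up front; the header must match it."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_unb64url(head_b64))
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":  # anything else, including "none", is rejected
        return None
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        return None
    return json.loads(_unb64url(body_b64))


class SessionStore:
    """Opaque session IDs: the state lives server-side, so logout revokes at once."""

    def __init__(self) -> None:
        self._rows = {}  # sha256(session id) -> claims; stands in for the DB table

    def create(self, claims: dict) -> str:
        sid = secrets.token_urlsafe(32)  # random, carries no claims itself
        self._rows[hashlib.sha256(sid.encode()).hexdigest()] = dict(claims)
        return sid

    def lookup(self, sid: str) -> Optional[dict]:
        return self._rows.get(hashlib.sha256(sid.encode()).hexdigest())

    def revoke(self, sid: str) -> None:
        self._rows.pop(hashlib.sha256(sid.encode()).hexdigest(), None)


if __name__ == "__main__":
    token = mint_hs256({"sub": "alice", "role": "user"}, SERVER_KEY)
    print("payload readable without key:", read_payload_without_key(token))
    forged = forge_alg_none({"sub": "alice", "role": "admin"})
    print("header-trusting verifier accepts forgery:", verify_trusting_header(forged, SERVER_KEY))
    print("pinned verifier rejects forgery:", verify_pinned(forged, SERVER_KEY))
    store = SessionStore()
    sid = store.create({"sub": "alice"})
    store.revoke(sid)
    print("session after logout:", store.lookup(sid))
```

The pinned verifier is the discipline a JWT library must be configured for (an explicit allow-list of algorithms); the session store trades the per-request lookup the question mentions for the ability to revoke immediately.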