
[FEATURE REQUEST]: Allow JWT as authentication method between client and server #86

Open
1 task done
iankressin opened this issue Feb 17, 2023 · 2 comments
enhancement New feature or request

Comments

@iankressin

Is there an existing issue for this?

  • I have searched the existing issues

Feature

According to SSX docs, the only authentication method provided between the client and the server are session cookies.

Adding JWT authentication would allow users to handle the session scalability problem easily by sharing the JWT secret key between servers. Once a JWT is emitted by one server, all the other ones can verify the validity of the token by providing the verify function with the secret key and the token passed from the client.

As SSX doesn't rely on a database to store the current nonce of a given user, maybe JWT authentication would still need the use of ssx-nonce cookie to receive the nonce and verify the signature provided by the client. After the JWT is passed by the client, the nonce cookie can be destroyed.

In my opinion, ssx-nonce cookie is still required because that's the only way to guarantee that the nonce was emitted by the same server.

A constraint implied by this method is that the whole authentication process ('/nonce', '/login') would need to happen in a single server until the server responds to the client with a JWT, since it's cookie dependent. But I don't see a reason why an authentication process would happen on two servers.

This method also allows the creation of an "authentication service" package, which would be a wrapper around express that provides the three endpoints, (nonce, login and logout) and the user would only need to pass the secret key for signing the JWT. The rest of the ecosystem would simply verify the JWT using the same secret provided by this "authentication service" package.

User Stories

As a web developer I would like to be able to implement JWT authentication using SSX because it allows the server to be scaled in a simpler way.

@obstropolos obstropolos self-assigned this Feb 17, 2023
@obstropolos obstropolos added the enhancement New feature or request label Feb 17, 2023
@tonievictor

Is this issue still open? @obstropolos

@obstropolos
Contributor

Is this issue still open? @obstropolos

Yes - @iankressin has provided a PR here that we will be reviewing shortly.
