Alternatives to JSON Web Tokens (JWT)

TL;DR — A look at PASETO, Branca and Macaroons

Back around November 2018, I gave a talk at London Gophers Meetup @ River Island about alternatives to JWT tokens.

If you’re in a hurry or want a TL;DR/DW, jump straight to the alternatives or read on if you want to read my motivation for doing the talk.

You can see the video and slides below (note: requires JavaScript):

Slides

Video (10 mins)


Motivation

The gist of why I did this talk is that on Reddit, Medium and especially on HN, I keep seeing the following discussion about JWTs:

A: Don't use JWT.
B: What are some alternatives to JWT?

Pretty much every time, the discussion diverges into an array of setups for handling JWT situations such as token revocation, blacklisting tokens, etc., and I have little time for reading threads of different JWT setups. You only have to look at a few of the comments on these to get my point.

From what I see, the reasons JWTs are frowned upon are that:

That being said, I am sure there are many more reasons but those two are the most common ones.

Alternatives?

The alternatives shown in my lightning talk were:

These three alternatives have one shared advantage over JWT: they don't allow the user to change the algorithm, and they use the best practices of modern cryptography. You can also find implementations of these alternatives in your favourite language.
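As an added example (not code from the talk or from any of these libraries), here is a toy versioned token in the spirit of PASETO: the algorithm is fixed by a version prefix that the verifier pins in code, never by a field the token itself carries. The `v1.mac` version string and the HMAC-SHA256 construction are assumptions chosen so it runs on Python's standard library; real PASETO v2 uses XChaCha20-Poly1305 and Ed25519.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumption: "v1.mac" is a hypothetical version string for this toy format,
# pinned by the verifier; a token never names its own algorithm. HMAC-SHA256
# stands in for PASETO's real primitives (XChaCha20-Poly1305 / Ed25519).
VERSION = "v1.mac"
NONCE_LEN, TAG_LEN = 16, 32

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _pae(*pieces: bytes) -> bytes:
    """Pre-Authentication Encoding as PASETO defines it: every piece is
    length-prefixed, so "ab"+"c" and "a"+"bc" can never authenticate alike."""
    out = len(pieces).to_bytes(8, "little")
    for piece in pieces:
        out += len(piece).to_bytes(8, "little") + piece
    return out

def _tag(key: bytes, nonce: bytes, payload: bytes) -> bytes:
    # The version string is bound into the MAC, so a token re-labelled with
    # another version cannot carry a valid tag even if the prefix check slipped.
    return hmac.new(key, _pae(VERSION.encode(), nonce, payload), hashlib.sha256).digest()

def issue(key: bytes, claims: dict) -> str:
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    nonce = secrets.token_bytes(NONCE_LEN)
    return f"{VERSION}.{_b64(nonce + payload + _tag(key, nonce, payload))}"

def verify(key: bytes, token: str) -> dict:
    """Return the claims, or raise ValueError. The expected version comes from
    the verifier, never from the token, so there is no "alg" to negotiate."""
    version, _, body = token.rpartition(".")
    if version != VERSION:
        raise ValueError("unexpected token version")
    raw = _unb64(body)
    if len(raw) < NONCE_LEN + TAG_LEN:
        raise ValueError("token too short")
    nonce, payload, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(key, nonce, payload)):
        raise ValueError("authentication failed")
    return json.loads(payload)
```

A token whose prefix differs from the pinned version is refused before any cryptography runs, and the version is also mixed into the tag, so the two checks back each other up.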

The individual advantages of each alternative token are on the last page of my slides (note: requires JavaScript):

Who’s using them?

Good question! This section will be continuously updated until I lose count, but here are a few:


Acknowledgements

I would like to thank Mika Tuupola, Scott Arciszewski and Paul Jolly for checking over my slides and the London Gophers Meetup organisers + River Island for having me.

© 2020 Wesley Hill

CC-BY-SA
