« BackUsing JWT to establish a trusted context for Row Level Securityvondra.meSubmitted by JeanSebTr 4 days ago
  • Apaec 18 minutes ago

    PostgREST has been doing this for a long time https://docs.postgrest.org/en/v13/references/auth.html#jwt-b...

    • themafia 4 hours ago

      We do something similar except we use an existing OAuth flow and simply add custom attributes to the authorization token. That authorization token is then sent along with requests to various services and these attributes are picked out and then used to apply policies or output filtering as appropriate.

      As a suggestion I would look to name the properties of your current token in such a way where they could be compatible with the embedded case.

      • some_furry 3 hours ago

        https://github.com/tvondra/jwt_context/blob/10be23c0651f1099...

        https://github.com/tvondra/jwt_context/blob/10be23c0651f1099...

        https://github.com/tvondra/jwt_context/blob/10be23c0651f1099...

        Oh look, the typical setup for a classical JWT vulnerability.

        Prior art:

        https://auth0.com/blog/critical-vulnerabilities-in-json-web-...

        https://github.com/firebase/php-jwt/issues/351

        You should really consider not using JWT for new designs that don't a priori need to interop with JWT.

        PASETO is less likely to create sadness: https://paseto.io

        • qudat 3 hours ago

          Aside: this was very informational for me, thanks!

          • twosdai 3 hours ago

            > You should really consider not using JWT for new designs that don't a priori need to interop with JWT.

            If you're trying to make the argument that because they can be insecure, we should not use JWTs. Thats not really a great argument for most people. JWTs provide a lot of value, and the idea of having some secure, validatable, and no network required check for authentication, or transporting information. Is too valuable for businesses. So we all use JWTs, they are a decent standard.

            At the very least you should propose an alternative that people use besides JWTs if you're going to vaugly hand wave about the scary security issues of 2021 firebase, and 2020 Npm packages reported by Auth0.

            • MuteXR 2 hours ago

              The JWT standard is known to be full of nonsense. Acting like this is some non-issue is hilariously disconnected from reality.

              • some_furry 3 hours ago

                > At the very least you should propose an alternative that people use besides JWTs

                PASETO: https://paseto.io

                I thought this was common knowledge on HN?

                > if you're going to vaugly hand wave about the scary security issues of 2021 firebase, and 2020 Npm packages reported by Auth0.

                These are issues caused by the JWT standard.

                https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-ba...

                • big_youth 2 hours ago

                  > I thought this was common knowledge on HN?

                  Just as an aside but I would never say this, this is why people hate security teams. I'm a security 'expert' with 15+ years in the industry including speaking at DEFCON, Blackhat, and all that.

                  I had no idea about these issues and have never heard of PASETO until now! I'm actually a few months in into my startup and we are using JWT for a lot of stuff so this is very relevant. Thanks for sharing! But if I can't keep up with everything then devs who don't do this all day simply cannot.

                  • some_furry 2 hours ago

                    Okay fair. I just see it come up in every thread about JWT security, so I felt like I would be Captain Obvious for calling it out.