What pattern do you secure your APIs with and why?
I see JWT and OAuth2 as being similar in nature: you have a few secret elements that produce a hash, and protection via some sort of token expiry.
Strengths of JWT:
- Simple logic client side: use the Auth0 libraries, and even if they implement poorly and don't cache, it's no skin off the gateway's back.
- Client gets to set their own exp timeout in the signed JWT. I dislike this because a dumb client could start passing tokens valid for, say, a year or ten years. I suppose you could add extra logic Kong-side to make sure JWTs are not set to expire that far out and reject them, but that just seems inelegant.
Strengths of OAuth2:
- Timeout is set in the gateway config logic for tokens being issued.
Weaknesses of OAuth2:
- Added network time calling an endpoint to generate the token.
- Clients that implement OAuth2 poorly will decide to generate a token every request. This will wreck Kong, because Kong then stores every token in the DB and Kong's cache has to cache all these stupid tokens.
I thought of one idea where I actually create JWT auth on top of our "global" OAuth2 token endpoint, since our gateways have to implement rate limiting, but it also feels a bit excessive to force clients to do that just to use OAuth2 at that point haha.
In my mind JWT wins out due to its simplicity, and I feel like on the Kong side it simply is cleaner, because Kong is not storing each of those JWTs; it simply validates the JWTs received based on the stored secrets.
Kong devs' thoughts? Community thoughts? I am just curious about others' rationale when thinking about the two methods.
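As an added example (not from the original post or from Kong), here is the gateway-side check the post considers for the JWT option: verify the HS256 signature against the consumer's stored secret, then reject tokens whose exp is missing, already past, or further out than a gateway-configured maximum lifetime. The secret, the one-hour limit and the `mint_token` helper standing in for the client are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret"  # assumption: the HS256 secret the gateway stores per consumer
MAX_LIFETIME = 3600                   # assumption: gateway policy, one hour max token lifetime


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Client-side HS256 JWT builder (constructed stand-in for a client's JWT library)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_token(token: str, secret: bytes = SECRET, now=None, max_lifetime: int = MAX_LIFETIME):
    """Gateway-side check: pinned alg, valid signature, exp present, not expired, not too far out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed"
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the header to pick it
        return False, "unsupported alg"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)):
        return False, "missing exp"
    if exp <= now:
        return False, "expired"
    if exp - now > max_lifetime:  # the check the post describes: cap client-chosen lifetimes
        return False, "exp too far in the future"
    return True, "ok"
```

The lifetime cap means a client that signs a ten-year token gets a clean rejection rather than a long-lived credential the gateway cannot revoke without rotating the secret.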