Closed JimDabell closed 3 years ago
Thanks for the links. I completely agree that JWT shouldn't be used for browser-based applications. I have added to the Flask-Security documentation some notes about that - sessions are easier, more secure etc. The idea for JWT was to replace the tokens used for communicating application to application (such as in a micro-service or scripting environment), where JWTs can have all the authn and authz information embedded in them so that no DB calls are needed, which can be a nice performance and ease-of-administration win.
I will look more into Paseto - I hadn't seen that before.
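The service-to-service pattern described above (identity and roles carried in the token, verified locally without a DB lookup) as an added illustration; this is not Flask-Security's code. It assumes a shared HS256 secret between the two services, pins the algorithm instead of trusting the token header, and uses constructed claim values.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example secret shared by the two services (not from the page).
SHARED_SECRET = b"example-shared-secret-do-not-reuse"
ALLOWED_ALG = "HS256"  # pinned; the token's own "alg" header is never trusted


def _b64url_decode(part: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def issue_token(claims: dict) -> str:
    """Mint an HS256 JWT carrying the caller's identity (sub) and roles."""
    header = _b64url_encode(json.dumps({"alg": ALLOWED_ALG, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, else None.
    Authn (sub) and authz (roles) come straight from the payload: no DB call."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != ALLOWED_ALG:
            return None  # rejects every other algorithm, including "none"
        expected = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None  # signature mismatch: header or payload was altered
        claims = json.loads(_b64url_decode(payload_b64))
        if (now if now is not None else time.time()) >= claims.get("exp", 0):
            return None  # expired, or no exp claim at all
        return claims
    except ValueError:  # covers malformed base64, bad JSON and wrong segment count
        return None


def is_authorized(token: str, required_role: str, now: Optional[float] = None) -> bool:
    """Authz decision made entirely from the embedded roles claim."""
    claims = verify_token(token, now)
    return claims is not None and required_role in claims.get("roles", [])
```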
The problems with JWT are well documented. Paseto is a replacement for JWT without these problems.