soygul
commented
9 years ago - Plain AES with a long private pass seems ok but weak against dictionary attacks
- https://github.com/dgrijalva/jwt-go (but regular hashing algorithms can be brute forced a lot quicker than AES, and jwt standard implementations have security issues occasionally as it has many more moving parts [header, body, signature, etc.] than a regular encrypt-then-mac approach)
- obvious research on token generation algos...
- client certs might be the safest option