Newbie question: What is a secure and accepted way for authentication and authorisation of REST API endpoints for mobile and SPAs? A Google search usually yields JWT, but from what I know about JWT, it's complex and doesn't support revocation of tokens easily.
Ask HN: What is the best way to add authentication to REST API (for mobile)? | Better HN
There are pros and cons of JWT, but if you are OK with it, it is not complex if you use a library. JWT purists want everything on the token (no database), but if you are OK with using a database, just store the token and delete it to revoke. When authenticating, add a database query (it's not that bad) in addition to the verification of the token.
The humble session cookie is what I've been using all these years, but now suddenly everyone is saying "JWT". Any advice on the pros and cons of JWT vs session cookies?
JWT is a buzzword. Some people are attracted to changing shit for the sake of it, and then encouraging others to use the new thing too, to validate their own use, and feel like they're 'ahead of the curve' on trendy tech.
To clarify for JWT invalidation, you don’t have to store the whole token. Instead just store the jti or some other identifying field that can be checked.
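To make the approach in the two comments above concrete (keep something per issued token on the server, delete it to revoke, and add that lookup to each request's verification), here is an added example; it is not code from the thread or from any of the posters. It is a deliberately minimal HS256 JWT written against the Python standard library only, so it runs offline; `SessionStore` is a hypothetical in-memory stand-in for the database table, and the function names and the secret are invented for illustration. It also pins the signing algorithm on the server side rather than trusting the `alg` field in the token, which is a check you want regardless of how revocation is done.

```python
"""Minimal HS256 JWT with server-side revocation keyed by jti.

Hypothetical example written for this thread, standard library only.
A real service should use a maintained JWT library; the point here is
the revocation lookup and the algorithm pin, not the JWT parsing.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SessionStore:
    """Allowlist of live session ids (jti -> subject).

    Hypothetical in-memory stand-in for a database table: one row per
    issued token, deleted on logout or forced revocation.
    """

    def __init__(self):
        self._live = {}

    def add(self, jti: str, sub: str) -> None:
        self._live[jti] = sub

    def is_live(self, jti: str) -> bool:
        return jti in self._live

    def revoke(self, jti: str) -> None:
        self._live.pop(jti, None)

    def revoke_all_for(self, sub: str) -> int:
        """Log out every device of one user (e.g. after a password reset)."""
        doomed = [j for j, s in self._live.items() if s == sub]
        for j in doomed:
            del self._live[j]
        return len(doomed)


def issue_token(secret: bytes, store: SessionStore, sub: str, ttl: int, now=None) -> str:
    now = int(time.time()) if now is None else now
    jti = secrets.token_urlsafe(16)  # random session id; this is the revocation handle
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": sub, "iat": now, "exp": now + ttl, "jti": jti}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    store.add(jti, sub)  # the "store the token" step, but only its id
    return signing_input + "." + b64url_encode(sig)


def verify_token(secret: bytes, store: SessionStore, token: str, now=None) -> dict:
    """Return the claims if the token is valid and not revoked; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # Pin the algorithm on the server; never let the token choose it (rejects alg=none).
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        raise ValueError("missing exp")
    if claims["exp"] <= now:
        raise ValueError("expired")
    # The extra database query: a token with a valid signature may still have been revoked.
    jti = claims.get("jti")
    if not isinstance(jti, str) or not store.is_live(jti):
        raise ValueError("revoked or unknown session")
    return claims


def is_valid(secret: bytes, store: SessionStore, token: str, now=None) -> bool:
    try:
        verify_token(secret, store, token, now)
        return True
    except ValueError:
        return False
```

The store holds only the `jti`, as the comment above suggests, so the table stays small and a "log out everywhere" operation is a delete by subject. The alternative is a denylist of revoked `jti` values that only needs to be kept until each token's `exp`; either way every request pays one lookup, and that lookup is what turns a stateless token back into a revocable session.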
I agree, and I was thinking of using go-jwt but given the bad rap it has received here https://news.ycombinator.com/item?id=13865459 and here https://news.ycombinator.com/item?id=17877332, I'm having second thoughts as I don't want to mess things up. Also, I don't really need a stateless token just something that will allow for authentication from my server, Google OAuth and Facebook OAuth.