I'm hugely grateful for this article: it's the first I've seen that explains JWTs end-to-end with the technical details of how to implement and inspect them on the browser side, <i>including storage</i>.<p>I haven't needed to understand JWTs in depth, so have never spent the time to do a deep technical dive, but I'd still like to understand how they work. Every time I see a JWT article pass by, I'll jump in and find the general concepts explained but with enough technical gaps that I couldn't understand them in practical terms, especially when compared to my years of previous web-dev experience with cookies.<p>Also thanks to @unscaled for pointing out PASETO, which aims to fix some of the many problems with JWTs: <a href="https://paseto.io/" rel="nofollow">https://paseto.io/</a>
Third-party cookies are not just used for tracking - they are also any cookies set in an iframe. There are legitimate use cases for third-party cookies. Chrome recently rolled out partitioned cookies, which addresses part of the problem. If you are trying to authenticate via SSO to then show content in an iframe, this just doesn't work, though. There is some behind-the-scenes trickery you might be able to use with reverse proxies, but it's painful. I set up some systems using Keycloak and nginx to force the iframe and IdP onto the same domain. You're out of luck if you're using Azure AD or any third-party IdP, though.
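An added example (not from the thread, and not any browser's real implementation): a toy cookie jar that models the difference between unpartitioned and partitioned (CHIPS) third-party cookies, to show why a session cookie set at the IdP at top level never reaches an iframe embedded under another site once cookies are partitioned or blocked, and why moving the IdP onto the embedding site's domain works. The host names sso.example, app.example and other.example are made up, and the jar is a deliberate simplification of browser behaviour.

```javascript
// Added example, not the original post's code. Simplified model of a browser
// cookie jar with unpartitioned and partitioned (CHIPS) cookies.
class CookieJar {
  constructor() { this.store = new Map(); }

  // Unpartitioned cookies are keyed by the cookie's host only; partitioned
  // cookies are additionally keyed by the top-level site they were set under.
  key(host, name, partitioned, topLevelSite) {
    return partitioned ? `${topLevelSite}|${host}|${name}` : `${host}|${name}`;
  }

  // Simulate a response from `host` carrying a Set-Cookie header while the
  // browser's top-level page is `topLevelSite`.
  setCookie(host, topLevelSite, header) {
    const [pair, ...attrs] = header.split(';').map((s) => s.trim());
    const [name, value] = pair.split('=');
    const flags = new Set(attrs.map((a) => a.toLowerCase()));
    const partitioned = flags.has('partitioned');
    // CHIPS cookies must also be Secure (and in practice SameSite=None).
    if (partitioned && !flags.has('secure')) throw new Error('Partitioned requires Secure');
    this.store.set(this.key(host, name, partitioned, topLevelSite), value);
  }

  // Cookies attached to a request to `host` from a document whose top-level
  // site is `topLevelSite`. `thirdPartyAllowed` models the browser setting
  // that blocks unpartitioned cross-site cookies.
  cookiesFor(host, topLevelSite, thirdPartyAllowed) {
    const out = {};
    const crossSite = host !== topLevelSite;
    for (const [k, v] of this.store) {
      const parts = k.split('|');
      if (parts.length === 2) {
        const [h, name] = parts;
        if (h === host && (!crossSite || thirdPartyAllowed)) out[name] = v;
      } else {
        const [tls, h, name] = parts;
        if (h === host && tls === topLevelSite) out[name] = v;
      }
    }
    return out;
  }
}

// Scenario 1: the user signs in at the IdP at top level (sso.example); later
// app.example embeds an iframe that loads content from sso.example.
// Returns whether the IdP session cookie is sent inside that iframe.
function ssoIframeScenario({ partitioned, thirdPartyAllowed }) {
  const jar = new CookieJar();
  const attrs = partitioned ? 'Secure; SameSite=None; Partitioned' : 'Secure; SameSite=None';
  jar.setCookie('sso.example', 'sso.example', `session=abc123; ${attrs}`);
  return 'session' in jar.cookiesFor('sso.example', 'app.example', thirdPartyAllowed);
}

// Scenario 2: a partitioned cookie set by sso.example while embedded under
// app.example is visible under app.example only, not under other.example.
function partitionedEmbedScenario() {
  const jar = new CookieJar();
  jar.setCookie('sso.example', 'app.example', 'embed=xyz; Secure; SameSite=None; Partitioned');
  return {
    sameEmbedder: 'embed' in jar.cookiesFor('sso.example', 'app.example', false),
    otherEmbedder: 'embed' in jar.cookiesFor('sso.example', 'other.example', false),
  };
}

// Scenario 3: the reverse-proxy trick. The IdP is served from app.example
// itself, so its cookie is first-party inside the iframe even with
// third-party cookies blocked.
function sameSiteProxyScenario() {
  const jar = new CookieJar();
  jar.setCookie('app.example', 'app.example', 'session=abc123; Secure; SameSite=Lax');
  return 'session' in jar.cookiesFor('app.example', 'app.example', false);
}
```

Scenario 1 is true only in the legacy case (unpartitioned cookies, third-party cookies allowed); partitioning the cookie does not help because the partition key at sign-in (sso.example) differs from the one in the iframe (app.example). Scenario 3 is the same-domain workaround the comment describes.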
> OAuth uses access tokens, which are typically, but not limited to, JSON Web Tokens<p>This claim is misguided, but I hear it quite often. JWT is a very popular (and downright terrible[1]) format, but there is no evidence that <i>most</i> of the tokens use JWT. It could be worse - I've heard some people claiming with confidence that OAuth <i>mandates</i> JWT.<p>The reality is that OAuth 2.0 predates JWT, and the implicit assumption was that all tokens are stateful. The access tokens in the examples are all short, and the spec strongly recommends revoking access tokens in case of access code reuse.<p>This makes JWT access tokens a non-canonical implementation of OAuth 2.0. You could add a "jti" claim (or "uti" claim in case of Microsoft) and then check for revocations in Redis, but then your only achievement was bloating up your access tokens by a factor of 20. Congratulations!<p>That's the reason why the other Big Tech companies are not using JWT for Access Tokens. It just doesn't make sense when you are at the scale where you need access tokens to be small and moderately long-lived. Users of JWT are more heavily concentrated on the smaller scale: more recent startups and enterprise customers.<p>---<p>[1] <a href="https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid" rel="nofollow">https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-ba...</a>
The first thing that pops up is<p>> We use cookies to ensure that we give you the best experience on our website.<p>> Accept | Decline<p>Do "non-essential" cookies actually make my experience any better? I always decline and haven't noticed a difference from the pre-GDPR days.
Do not take this article for granted. There are so many incorrect explanations in it. This is a really bad writeup for a security blog. I really don't know where to start ...