Hacker News

Lazy JWT Key Rotation in .NET: Redis-Powered JWKS That Just Works

13 points, by aaronpina, yesterday at 11:37 AM, 10 comments

Comments

legulere, today at 7:23 PM

Much simpler: just store session ids in Redis.

I skimmed over the previous articles in this blog and they don't seem to mention the one use case JWTs were made for: having a separate authentication server from the application server. Most developers will only need this for integrating into corporations with single sign-on or social logins (sign in with Facebook/Google/Apple...). There you won't write the authentication server but integrate with them. Session IDs are dead simple to get right securely. Just use them.
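The opaque server-side session store this comment recommends, as an added example (not code from the article, the commenter, or the .NET project the post describes). It assumes an in-memory dict with per-entry expiry standing in for Redis; with a real Redis deployment the same operations map to SET with EX, GET and DEL. The session id comes from the OS CSPRNG, only a hash of it is stored so a dump of the store does not yield usable cookies, and expired or revoked ids fail lookup.

```python
"""Opaque session ids instead of JWTs: random id, server-side record, revocable.

Added example. The dict is an assumed stand-in for Redis; the clock is
injectable so expiry can be exercised without sleeping.
"""
import hashlib
import secrets
import time

SESSION_ID_BYTES = 32        # 256 bits of entropy per id
SESSION_TTL_SECONDS = 3600   # assumed default lifetime


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        # key (sha256 of the id) -> (user_id, expires_at); stands in for Redis
        self._db = {}

    @staticmethod
    def _key(session_id: str) -> str:
        # Store a hash of the id, never the id itself: a leaked copy of the
        # store cannot be replayed as a cookie.
        return hashlib.sha256(session_id.encode("utf-8")).hexdigest()

    def create(self, user_id: str, ttl: int = SESSION_TTL_SECONDS) -> str:
        # token_urlsafe is cookie-safe and unguessable; nothing in the id
        # encodes user data, so there is nothing for a client to tamper with.
        session_id = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._db[self._key(session_id)] = (user_id, self._clock() + ttl)
        return session_id

    def lookup(self, session_id: str):
        """Return the user id for a live session, or None if unknown/expired."""
        key = self._key(session_id)
        entry = self._db.get(key)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() >= expires_at:
            # Redis would expire the key on its own; emulate that here.
            self._db.pop(key, None)
            return None
        return user_id

    def revoke(self, session_id: str) -> None:
        # Immediate logout: the next request with this id is rejected.
        self._db.pop(self._key(session_id), None)

    def revoke_all_for_user(self, user_id: str) -> int:
        """Force-logout every session of one user (e.g. after a password reset)."""
        victims = [k for k, (u, _) in self._db.items() if u == user_id]
        for k in victims:
            del self._db[k]
        return len(victims)


def demo():
    """Walk through create, lookup, expiry and revocation with a fake clock."""
    now = [1_000.0]
    store = SessionStore(clock=lambda: now[0])

    sid = store.create("alice", ttl=60)
    live = store.lookup(sid)              # "alice"
    bogus = store.lookup("not-a-real-id")  # None: unknown id

    now[0] += 61
    expired = store.lookup(sid)           # None: past TTL

    sid2 = store.create("bob")
    store.revoke(sid2)
    revoked = store.lookup(sid2)          # None: revoked before expiry

    store.create("carol")
    store.create("carol")
    dropped = store.revoke_all_for_user("carol")  # 2

    return live, bogus, expired, revoked, dropped


if __name__ == "__main__":
    print(demo())
```

Revocation and forced logout are one DEL, which is the property JWTs make awkward: a signed token stays valid until it expires unless you keep a server-side denylist, at which point you are back to a lookup per request anyway.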

time4tea, today at 5:09 PM

The key material is in Redis? Seems odd. Should be in a FIPS 140 HSM? Else the key can be stolen easily.

Maybe missed something.
