
I am working on a personal project for learning reasons, and have come to the point of authenticating and authorizing users. I would like to keep the project as stateless as possible, to make sure it can run on either 1 or 100 machines without much effort.

Here is my current plan of action for my users on this microservice architecture:

  1. A user goes to an MVC application that serves a game. They are not logged in, so are redirected to a login page.

  2. Upon successful login, the MVC app sets a JWT in the user's cookies. The JWT only contains the user id and their claims (user, admin, etc). The JWT logic is managed by IdentityServer4.

  3. The user is logged in to the MVC app and can play a game. The user posts whatever move they want to make, and the ID of the game they are playing.

  4. The MVC app uses the user id and claim in the JWT to retrieve the game being played from a Redis cache. The move the user posted is processed. The resulting game state is stored in Redis.

  5. User receives the current game state from the server. Repeat from step 3.

My question: are JWTs a good use case for the above scenario? Or are there any downsides I may have missed?

yesman
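A sketch of step 4 as an added example, not code from the question or from IdentityServer4: stdlib-only HS256 verification of the cookie JWT, followed by an authorization check against the game's own player list, because the token only proves who the user is, not which games they may move in. The signing key, the pinned algorithm, the `sub`/`exp` claim names and the `GAMES` dict standing in for Redis are constructed assumptions.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed demo values; in the question the MVC app would get these from IdentityServer4.
SIGNING_KEY = b"demo-shared-secret-not-for-production"
ALLOWED_ALG = "HS256"  # pin the algorithm instead of trusting the token header

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _sign(header_b64: str, body_b64: str) -> bytes:
    return hmac.new(SIGNING_KEY, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()

def mint_jwt(payload: dict) -> str:
    """Build an HS256 JWT; stands in for the token IdentityServer4 puts in the cookie."""
    header = _b64url_encode(json.dumps({"alg": ALLOWED_ALG, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.{_b64url_encode(_sign(header, body))}"

def verify_jwt(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if algorithm, signature and expiry check out, else None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        if json.loads(_b64url_decode(header_b64)).get("alg") != ALLOWED_ALG:
            return None
        if not hmac.compare_digest(_sign(header_b64, body_b64), _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(body_b64))
        exp = float(claims["exp"])
    except (ValueError, TypeError, AttributeError, KeyError):
        return None
    if exp <= (time.time() if now is None else now):
        return None  # a stateless token cannot be revoked early, so keep exp short
    return claims

# Constructed stand-in for the Redis cache of step 4: game id -> game state
GAMES = {"g1": {"players": ["u1", "u2"], "moves": []}}

def apply_move(cookie_jwt: str, game_id: str, move: str, now: Optional[float] = None) -> Optional[dict]:
    """Step 4: authenticate with the JWT, then authorize against the game's player list."""
    claims = verify_jwt(cookie_jwt, now)
    game = GAMES.get(game_id)
    if claims is None or game is None or claims.get("sub") not in game["players"]:
        return None
    game["moves"].append((claims["sub"], move))
    return game
```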

2 Answers


JWTs are meant for when your login process is separated from your application, possibly even offered by another company. OpenID Connect is a single sign-on solution that uses JWTs.

However, in your situation, everything seems to be under your control. It currently runs on one server, but even if it needs to scale to 100 servers all those servers would have the same role and you would still control them.

I would advise using sessions. Sessions are well supported by all frameworks. They are easy to reason about, unlike JWTs which can fail in unexpected ways. Sessions are also easy to scale to 100 servers, so that is not an advantage unique to JWTs.

Sjoerd
  • I'm not sure what you mean by "JWTs can fail in unexpected ways"; a JWT is just a blob of signed or encrypted data, what would it mean for it to "fail"? – IMSoP Jun 18 '19 at 10:38

It would be safer to pass the game a reference token (opaque) over the Internet and then introspect the reference token, and pass the JWT on the internal network. The reason for this is that the browser is not that safe. If you don't care about security, then what you're doing is ok.

Mike Schwartz