Ask HN: What is the best way to add authentication to REST API (for mobile)?
Newbie Question: What is a secure and accepted way for authentication and authorisation of REST API endpoint for mobile and SPA's? A google search usually yields JWT but from what I know about JWT, it's complex and doesn't support revocation of tokens easily.
22 comments
[ 3.2 ms ] story [ 72.1 ms ] threadKeycloak is nice but requires some work.
Can you elaborate on this?
For JWT to support revocation, you must store them in the database and delete them on logout or when they expire.
To avoid replay attacks, the backend adds the token's nonce to a scratchpad memory when the token is used in order to invalidate the token even if the expiration timestamp isn't reached.
If a JWT implementation is implemented to ignore replay attacks or even token expiration, the jti can still be used to invalidate tokens.
https://docs.aws.amazon.com/cognito/latest/developerguide/wh...
Rather than rehashing it all myself, I'd suggest reading http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-fo... and https://developer.okta.com/blog/2017/08/17/why-jwts-suck-as-...
Quick and easy: Look into Firebase.
Powerful/extensible: Django + DRF