Many times, writing a blog post implies assimilating a big bunch of existing information and re-explaining it in the way the author finds the most understandable.
I have not invented JWTs and am not silly enough to pretend I did: I merely explored a topic I found myself drawn to!
Many authors before me have taken the time and effort to explain things as clearly as they could, and in turn I have learned from those persons. They deserve my most sincere respect. And so here I’m offering to list the posts I have read (and bookmarked!) in order to write my suite of articles on JWTs.
May these help you in your learning too!
- Session-based authentication
- Token-based authentication
- JWT-based authentication
- Stateless CSRF
- Should I go stateless?
- Reference material
On JWTs in general
These posts will give you a nice overview of stateless security and JWTs.
Introduction to JSON Web Tokens: you are beginning with JWTs and are wondering what the fuss is about? Then read this cool introduction at Auth0 to get started.
JSON Web Token (JWT) Signing Algorithms Overview: wondering what algorithm you should select to sign your tokens? Read this post to make an informed choice!
10 Things You Should Know about Tokens: once again an excellent post at Auth0 that answers many questions one might have about JWTs.
Critical vulnerability in JSON Web Encryption (JWE) – RFC 751: an excellent post describing one found vulnerability in JWE (JSON Web Encryption). Very accessible reading for a noob like me!
Refresh Tokens: When to Use Them and How They Interact with JWTs: another post on Auth0, this time discussing the topic of refresh tokens.
On implementing JWT
You got the gist of it, now it’s time to get your hands dirty. These posts explain how to add JWTs to your Spring or Spring Boot project.
Implementing JWT Authentication on Spring Boot APIs: once again, a very valuable contribution from Auth0 on how to work with JWTs on Spring Boot. I’m not working for those guys, I swear!
Stateless Authentication with Spring Security and JWT: one of the clearest posts I’ve found regarding JWTs integration in Java, by Erik Gillespie. It may be a bit outdated now, but the main concepts are laid out in a very understandable way.
Stateless Spring Security Part 2: Stateless Authentication: another excellent post coming from Robbert van Waveren on adding stateless security in a Spring Boot context.
Implementing JWT Authentication on Spring Boot APIs: while researching on JWTs for this series of posts I stumbled on this article. I almost decided to stop working on my posts: that’s as good as Bruno Krebs’ version is! Very recommended reading!
Spring Security with JWT for REST API: another clear and thorough tutorial on how to implement JWT authentication with Spring Security. This one goes one step beyond and examines authorization. It clearly has been written by someone who knows their topic, so make sure you don’t miss this one!
JSON Web Token (JWT) Cheat Sheet for Java: let’s start with the essentials; this wiki on OWASP gives you the basics of what to do and what to avoid in order to keep your identity safe.
7 Best Practices for JSON Web Tokens: great post by Neil Madden; make sure you read this one before making inconsiderate choices. Special thumbs up for his paragraphs on headless JWTs and JWT lifetimes & revocation.
Is HTML5 sessionStorage secure for temporarily storing a cryptographic key: cool answer on a Stack Exchange question on what’s the best place to store your JWT token on the browser side.
Should JWT be stored in localStorage or cookie: another question on Stack Exchange about where to store your tokens on the client side.
Where to Store your JWTs – Cookies vs HTML5 Web Storage: one more post on one of the most asked questions, which is where should that JWT token be stored. This one by Tom Abbott goes deeper and also discusses the possible attacks for grabbing that token from the browser. Good and accessible reading!
Debating JWTs and stateless security
Because not everything is perfect and white, these authors debate on whether JWTs are the way to go.
Stop using JWT for sessions: joepie91 is very critical of JWTs. Although the post is painfully harsh at times, he does make a few interesting points, making this a worthy read in spite of his tone.
Why JWTs Suck as Session Tokens: talking about tone, have a look at this post from Randall Degges. Again: try to put the harshness aside and focus on the points raised by the author. They have the merit of starting the debate on whether to go stateless or not.
Should you use JWT/JOSE: a very interesting and to-the-point critique of JWTs and JOSE (JSON Object Signing and Encryption) by Neil Madden.
And that’s that!
There’s probably three tons of other excellent articles on this topic on the web, so feel free to link to them in the comments below!
As for myself, this is where it ends. I had a great and exhausting time exploring stateless security, JWTs and how to make it all work in a Spring Boot project. If I missed something or if you want to correct me on one thing or the other, feel free to vent it out in the comments.
Until next time,