Hi everyone, what is the reason for using stateful...
# general
Hi everyone, what is the reason for using a stateful session/cookie and supporting stateless access tokens (JWT)? Is there a way I can make the solution work with a stateless solution?
Do you mean in Kratos?
Hi @steep-lamp-91158, I don't understand your question. Given that Hydra, Kratos & Oathkeeper (AK) are installed, I would like to auth the user using AK (proxy or forward auth). When OAuth is used, AK validates the request using the JWKS endpoint of Hydra. On the other hand, when Kratos is used, the user is given a session/cookie; in that case, AK needs to communicate with Kratos to authenticate the request. I would like my clients (browsers) to use JWT instead of a session/cookie, which would allow AK to authenticate the request in a similar manner to the Hydra/OAuth flow.
With JWTs you have effectively no way of revoking them, as you can only wait for them to expire. This was not a secure option for us to implement logout.
Good point, but you can blacklist JWTs if needed.
@steep-lamp-91158 @magnificent-energy-493,
1. Internal/server-to-server communication: can I use ORY for authenticating such requests? I would assume that there is a way to register a trusted OAuth client. Trusted clients should not go through the consent flow & are limited by scopes only.
2. Outgoing/server-to-server communication: can my ecosystem communicate with external/3rd-party services using ORY? I would like to communicate with 3rd-party services with JWT. The 3rd party in turn can validate the JWT using Hydra's JWKS endpoint.
And also, if you want to block-list JWTs, you will need to do requests the same way you do with sessions, so what is the point there?