
square-family-68634

10/01/2021, 7:26 AM
Hi everyone, what is the reason for using a stateful session/cookie and supporting stateless access tokens (JWT)? Is there a way I can make the solution work with a stateless solution?

steep-lamp-91158

10/01/2021, 8:45 AM
do you mean in kratos?

square-family-68634

10/01/2021, 2:11 PM
Hi @steep-lamp-91158, I don't understand your question. Given that Hydra, Kratos & Oathkeeper (AK) are installed, I would like to auth the user using AK (proxy or forward auth). When OAuth is used, AK validates the request using the JWKS endpoint of Hydra. On the other hand, when Kratos is used, the user is given a session/cookie; in that case, AK needs to communicate with Kratos to authenticate the request. I would like my clients (browser) to use JWT instead of a session/cookie, which will allow AK to authenticate the request in a similar manner to the Hydra/OAuth flow.

steep-lamp-91158

10/01/2021, 3:01 PM
With JWTs you have effectively no way of revoking them, as you can only wait for them to expire. This was not a secure option for us to implement logout.

square-family-68634

10/02/2021, 12:07 PM
Good point, but you can blacklist JWTs if needed.
@steep-lamp-91158 @magnificent-energy-493,
1. Internal/server-to-server communication: can I use ORY for authenticating such requests? I would assume that there is a way to register a trusted OAuth client. A trusted client should not go through the consent flow & should be limited by scopes only.
2. Outgoing/server-to-server communication: can my ecosystem communicate with external/3rd-party services using ORY? I would like to communicate with 3rd-party services with JWT. The 3rd party, in turn, can validate the JWT using Hydra's JWKS endpoint.

steep-lamp-91158

10/04/2021, 7:52 AM
And also, if you want to block-list JWTs, you will need to make requests the same way you do with sessions, so what is the point there?