Fergus In London

The musings of a man with a keyboard and an internet connection.

Yes, you can invalidate JSON Web Tokens (JWT).

2018-04-01 6 min read Fergus
JSON Web Tokens are great: they have a well-defined schema, and are simple to implement both as a provider and an integrator. This simplicity has side effects though, and often leads to limitations. For instance: can you invalidate/revoke a token, or “log a user out”? Client-side logout - i.e. “ditch the token” - is not a solution; rather than actually invalidating the token, this simply loses it - often by purging it from local storage.

OAuth 101: The stuff you actually need to know

2018-03-27 7 min read Fergus
I feel the pain of anyone working with OAuth for the first time: with an RFC (6749) of 75 pages - written in a niche vernacular of “tokens”, “grants”, and “scopes” - it can seem quite daunting when you’re first introduced to it. The good news is that if you can remember a few simple principles, it becomes quite a simple technology to work with. The even better news? Most of these principles are pretty much common sense, like number one…