Hydra's authorisation capabilities


#1

Hi

I'm about to invest time into Hydra and use it as the authorisation mechanism for non-human entities (service clients using clientId/secret) to obtain a signed JWT.
Is Hydra capable of returning a signed JWT within the OAuth2 authorization flow?
What about the ability to define custom claims (JWT claims)?

Regards Mariusz


#2

JWTs are not supported and are also discouraged from being used in the wild as access tokens. You can use Oathkeeper to get JWTs for internal use and still have the benefits of opaque tokens outside of your infrastructure.


#3

This may be far beyond this question, but why do you say JWTs are discouraged? Do you have any particular documents or attack vectors that point this out?


#4

  1. JWT is a wonky spec with several implementation issues (there are more; you'll find them on Google) that had severe impact on almost all JWT SDKs.
  2. JWTs cannot be revoked / blacklisted without a database lookup, defeating the purpose of JWTs.
  3. Access tokens should be opaque, i.e. the client should not be able to introspect the payload. Typically because devs tend to overload them with internal logic like roles.