headless-wp-starter VS paseto

I found this online https://github.com/postlight/headless-wp-starter, I don't know why but I hate using code I don't understand

Headless-wp-starter

> At the very least you should propose an alternative that people use besides JWTs

PASETO: https://paseto.io

I thought this was common knowledge on HN?

This article uses "ES256" for the alg, GitHub use "RS256" as their alg and a very deranged few use "none".

The point here is giving the developer lots of rope to hang themselves with the JOSE standard on JWT/K/S is a sure way to implement it incorrectly and have lots of security issues.

PASETO is a much better standard to work with: https://paseto.io/

> OAuth forces the usage of JWT.

OAuth doesn't, OIDC does for the ID token[0]. OAuth, at least the inital RFCs, were released 3 years before JWT was defined. But many extensions of OAuth do require or support JWTs.

Either way, I'm just not sure the demand is there.

My employer has had an open issue for Pasteo[1] for years but hasn't seen much community support. Some other interesting comments here[2]. Looks like most of the implementations[3] are libraries rather than standalone auth servers.

0: https://openid.net/specs/openid-connect-core-1_0.html#IDToke...

1: https://github.com/fusionAuth/fusionauth-issues/issues/773

2: https://www.reddit.com/r/KeyCloak/comments/1e2h5w7/is_paseto...

3: https://paseto.io/

The Auth will signed into Token using JavaScript Object Signing Encryption (JOSE), and the new and more secure than JSON Web Token signing algorithm is PASETO. PASETO stands for Platform Agnostic Security Token. If you do not familiar with this algorithm, I really recommend you to visit this page and read the references: https://paseto.io/.

I'm hugely grateful for this article: it's the first I've seen that explains JWTs end-to-end with the technical details of how to implement and inspect them on the browser side, including storage.

I haven't needed to understand JWTs in depth, so have never spent the time to do a deep technical dive, but I'd still like to understand how they work. Every time I see a JWT article pass by, I'll jump in and find the general concepts explained but with enough technical gaps that I couldn't understand them in practical terms, especially when compared to my years of previous web-dev experience with cookies.

Also thanks to @unscaled for pointing out PASETO, which aims to fix some of the many problems with JWTs: https://paseto.io/

Paseto (Platform-Agnostic Security Tokens) has emerged as a better solution, directly addressing the shortcomings of JWT.

Might I suggest Paseto (https://paseto.io/) - it solves a lot of the headaches of JWT. Signing and encryption are two different things that require two different sets of keys, so you can't mess it up.

(Full disclosure, I've written one implementation: https://github.com/auth70/paseto-ts)

Though we'll be building a session-based authentication system, it's noteworthy that with the introduction of some concepts which will be discussed in due time, you can turn it into JWT- or, more securely and appropriately, PASETO-based authentication system.