alt Hacker NewsLazy JWT Key Rotation in .NET: Redis-Powered JWKS That Just Works
Comments
hexagonsuns • today at 8:08 PM
time4tea • today at 5:09 PM
The key material is in redis? Seems odd. Should be in fips 140 hsm? Else key can be stolen easy.
Maybe missed something.
➕ show 2 replies
Much simpler: just store session ids in Redis.
I skimmed over the previous articles in this blog and they don't seem to mention the one use case JWTs were made for: having a separate authentication server from the application server. Most developers will only need this for integrating into corporations with single sign in or social logins (sign in with Facebook/google/apple...). There you won't write the authentication server but integrate with them. Session Ids are dead simple to get right securely. Just use them.