Update: JSON Web Token Cheat Sheet for Java #1176
Comments
I would love to see this made generic. As you said, JWTs are used in many languages.
If you ignore the code examples, most of this CS is already generic, so are you (@chalbersma) wanting a CS that has examples with examples of other programming languages such as Python, NodeJS, etc.? That would be unwieldy if all crammed into a single CS, but probably doable if we want multiple ones per language. If that is done, then the contents of this CS should be refactored into a language-neutral one that once discusses JWT (both things to do and things to avoid) in a common JWT cheat sheet and this one for Java should be refactored to take advantage of the common one. Either that or just write all the examples in some suitable pseudo-code. I just don't think doing this correctly would be trivial. Sure, someone could copy the "JSON Web Token Cheat Sheet for Java" and only change the examples to (say) Python, but that doesn't scale well since if some common JWT advice needs to be revised (which seems inevitable in the long term), then it needs to get updated in multiple places. So the bottom line here I think is to proceed with caution here and don't underestimate the effort involved. Just my $.02.
I think it makes more sense to just maintain a generic one, using Java or pseudo-code or whatever language. I don't think it's necessary or worthwhile to keep separate cheat sheets for different languages or to have multiple language code samples.
Per @szh -
I agree. I think removing the "for Java" will go a long way to set expectations. Doing that and just explaining at the beginning that Java was just selected as the language to illustrate examples might be all that is needed.
Agreed +1
Great, seems like we agree on a path forward. @chalbersma do you want to spearhead this effort and submit a PR for it?
Oof, I was hoping that just suggesting it would make someone with more time take it over. Additionally, part of the reason I was looking at the guide in the first place is that I'm not certain that I actually have the expertise to write the guide. In theory, I know what I'd want to see for generic examples (at least in Python). But it's likely that I would make some legitimate errors. I'll see what I can come up with though.
@chalbersma - I don't think what we are proposing requires a lot of technical depth, but just an investment of some of your time. One or 2 of us will review it so you don't need to be an expert in this specific case because I think the changes will be minor as per recommended in #1176 (comment).
I think this is a really good idea, how can I help support this?
@jmanico I got some Friday free time and made a super rough draft. Would love some feedback (or even a pull request or two).
I’m at defcon, give me a few days, please :)
Love the way the multi-language code example looks. Pretty sweet. Didn't even know you could do that in Markdown.
Oh ya the pymdown extensions essentially give you most of the nice features from sphinx in markdown if you want them.
Not 100% sure where this proposal is at, but, I noticed there is still a "Help Wanted" tag. If assistance is still needed, I could help. I have experience with JWT security and multiple programming languages.
By all means, check out the draft and let us know what you think! It's listed above :)
What is missing or needs to be updated?
How difficult would it be to make this multi-language? JWTs have sort of become a web standard as an authentication/authorization primitive. It would be nice to have the common operations (parsing, validating, best practices etc...) spelled out in various languages (like python, nodejs etc...).
How should this be resolved?
Either the creation of a JSON Web Token Cheat Sheet for or generalizing the Java cheat sheet. That might be something I could contribute to. But I'm not necessarily a JWT expert.