Why own implementation jwt? #4
Comments
|
We didn't use Identity Server or other similar solution, simply, because we wanted to show the end users how the JWT works under the hood and that it could be easily implemented. Our code uses well-tested system libraries, so, there's no real threat or bugs AFAIK. The password is being hashed using one way PBKDF2 etc. - so basically, it's almost impossible to do a brute force if your password is strong enough. Our code doesn't save a password in any logs. IdentityServer is a great solution, and it might be a part of the next release of ASP.NET Core, but, we didn't want the programmers who explore the code, to get familiar with another quite sophisticated library. At some point in the future, there's a chance, that we will create a new service using one of the solutions that you suggested. |
|
@spetz thanks great solution |
|
I'm happy to hear that my answer was clear enough :). |
Why not use IdentityServer or OpenIdDict? Which are most complete and tested frameworks
You use ROPC
I recently read that ROPC may have several security holes, this link addresses some of them:
https://tools.ietf.org/html/rfc6749#section-10.7
brute force, save password in client log, others ...
What is your opinion about this?
The text was updated successfully, but these errors were encountered: