
Understanding security mechanisms of JHipster: When to use JWT, HTTP Session or OAuth2 and OpenID Connect?

I'm creating a monolithic application (something like an e-commerce site or a marketplace) and I'm concerned that it is secure. I understand (broadly speaking) how JWT works, but I'm not sure about HTTP Session or OAuth2 and OpenID Connect.

When is it advisable to use each of these options?

For a monolith, I would rather recommend HTTP session over JHipster's JWT implementation because it's more secure: on the client, it uses an HttpOnly, Secure cookie, while the JWT is stored in the browser's LocalStorage. If you want to scale your monolith horizontally by running multiple instances, you will have to manage session replication, but Spring does it well. HTTP session is well known and described in the Spring Security docs.

OAuth2 and OpenID Connect are better when you want to authenticate against other identity providers like Google, Facebook, ... They also make more sense in the context of a microservices architecture.

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM