12
AlgoRythm
352d

I feel like I beat "the man"

Dunno if any of you guys have picked up on this, but the Microsoft Docs (for asp.net) are basically one big fucking jumbotron advertisement for IdentityServer

The very same IdentityServer who dropped their free, open-source project and turned into an -aaS

It really seems like MS is frothing at the fucking mouth to have you use IdentityServer and offers no real alternatives whatsoever besides something like Facebook or Twitter login.

But I did my studies

Read my articles

And implemented proper JWT tokens with rolling refresh tokens.

Simpler, more efficient, and compromises nothing. And I didn't pass my money off to some company to do it for me.

Fuck you, Microsoft, and the IdentityHorse you were paid to ride in on.

Comments
  • 1
    JWTs are cool, I think every app that doesn't use a session cookie should have RTR. It's just another algorithm, it can be automated perfectly fine. I made an attempt to generalize the flow, I'm not entirely happy with the result but it seems to get shit done.

    https://github.com/lbfalvy/...
  • 0
    @lorentz looks complicated :0 my design just gives you a new refresh token every time you use it to request a new access / jwt token.

    Access tokens expire after 15 minutes and refresh tokens after a week.

    Refresh tokens are HttpOnly cookies
  • 0
    @AlgoRythm That is only an abstraction of the client flow, and it had a lot of odd design constraints:
    - any number of pages from 1 to 100 had to share a token pair without central coordination while avoiding thundering herd scenarios
    - the token had to be kept alive without user interaction
    - token expiry had to be detected and an event fired without polling. This means that the access token had to be kept alive as long as there was a consumer
    - the storage abstraction had to be async-friendly because web extensions' content scripts only have access to an async version of localstorage
  • 1
    The server side is two simple endpoints and a two-column DB table with no associations.
  • 0
    Unfortunately, I wrote it before I started learning about distributed computing so I suspect the semaphore recommended in the readme doesn't actually do anything. I couldn't manage to come up with a test case that fails so I'm assuming it's fine, but it looks simpler than the canonical solutions for this type of problem.
  • 0
    openiddict
  • 1
    Well, I guess you could say you've beaten IdentityServer at its own game...or should we say, beaten "IdentityHorse" to the finish line? :))
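The rolling-refresh design AlgoRythm describes in the thread (15-minute JWT access tokens, one-week refresh tokens that are replaced on every use, two endpoints over a single token table), as an added Python sketch that is not code from the post, from the ASP.NET docs or from lbfalvy's library. The table layout (token hash, owner, expiry), the hand-rolled HS256 JWT and the reuse-detection step are my assumptions; the reuse check goes beyond the post by revoking every session of a user whose already-rotated token is presented again, which is how a stolen cookie is caught.

```python
import base64, hashlib, hmac, json, secrets

ACCESS_TTL = 15 * 60           # 15-minute access tokens, as in the post
REFRESH_TTL = 7 * 24 * 3600    # one-week refresh tokens, as in the post
SECRET = secrets.token_bytes(32)  # HS256 key, generated per process (assumption)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_access_token(user_id: str, now: float) -> str:
    """Compact HS256 JWT built by hand so the example needs no library."""
    header = _b64(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64(json.dumps({"sub": user_id, "iat": int(now), "exp": int(now) + ACCESS_TTL}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_access_token(token: str, now: float):
    """Claims if the signature checks and the token is unexpired, else None."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_unb64(sig), expected):
        return None
    claims = json.loads(_unb64(payload))
    return claims if now < claims["exp"] else None

def _h(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()  # store hashes, never raw tokens

class RefreshStore:
    """Stand-in for the DB table (assumed layout: token hash -> user, expiry); retired hashes are kept to spot reuse."""
    def __init__(self):
        self.active, self.retired = {}, {}

    def login(self, user_id: str, now: float):
        refresh = secrets.token_urlsafe(32)       # sent to the client in an HttpOnly cookie
        self.active[_h(refresh)] = (user_id, now + REFRESH_TTL)
        return issue_access_token(user_id, now), refresh

    def refresh(self, presented: str, now: float):
        key = _h(presented)
        if key in self.retired:                   # an already-rotated token came back: someone
            victim = self.retired[key]            # holds a stale copy, so revoke the whole user
            self.active = {k: v for k, v in self.active.items() if v[0] != victim}
            raise PermissionError("refresh token reuse detected; sessions revoked")
        if key not in self.active:
            raise PermissionError("unknown refresh token")
        user_id, expires_at = self.active.pop(key)
        self.retired[key] = user_id               # rolling: the old token dies after one use
        if now > expires_at:
            raise PermissionError("refresh token expired")
        return self.login(user_id, now)
```

Each PermissionError maps to a 401 at the refresh endpoint; the retired set should be pruned after REFRESH_TTL, since a token older than that is rejected as expired anyway.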