Episode 095: 3‐13‐2025 Are JWTs bad for authz? - GluuFederation/identerati-office-hours GitHub Wiki
Title: Are JWTs bad for authz?
- Host: Mike Schwartz, Founder/CEO Gluu
- Guest: Eli Nesterov, Co-founder and CTO of SPIRL
Description
Relying on data in token claims for authorization is a slippery slope that can lead to unexpected failures and painful debugging sessions. JWT bloat caused by excessive claims can run into the header size limits of proxies, load balancers and firewalls, triggering intermittent outages that show up only on the request paths where the limit is lowest. Beyond sheer size, encoding adds complexity, especially for binary claim values, which are base64-encoded into the payload and then base64url-encoded again as part of the token. Dynamic claims such as group membership or roles are frozen at issuance, so a token can carry authorization data that is stale for its entire lifetime. And then there's the issue of revocation. In this episode, we'll break down the hidden dangers of overloading JWTs, consider real-world horror stories, and discuss best practices for keeping your tokens lean, and when you should consider reference tokens instead.
Homework
- Cerbos Blog: The Case Against Token-Based Authorization
- Permit.IO Blog: JWTs Aren’t Made for Authorization
Takeaways
- ⚡ Remember... SPIFFE supports two formats for its identity documents (SVIDs): X.509-SVID and JWT-SVID.
- ⚡ Be extra careful with JWT size if you put the token in the Authorization header of an HTTP request. Proxies, load balancers and web servers cap request header size (commonly around 8 KB per header by default), and a token that crosses that cap on only some paths produces very weird, intermittent failures.
- ⚡ Revocation has no ideal solution. A short token lifetime is probably the easiest way to limit the blast radius of a stolen token. Where real revocation is needed, the issuer and every consumer of the token have to cooperate: the issuer must publish what it revoked (for example by token ID) and each consumer must check that list on every request, at which point a reference token that the consumer looks up at the issuer may be the simpler design.
- ⚡ Workload registration is not specified by SPIFFE, so implementations differ in how a workload ends up with a SPIFFE ID. Typically the workload is attested on properties such as its process UID or its Kubernetes namespace and service account, and the SPIFFE server considers that attestation when deciding which identity to issue.
- ⚡ You can use the structure of the SPIFFE ID itself (the trust domain plus path segments, for example spiffe://example.org/ns/payments/sa/api) to convey information, although it is limited to what fits in a path. Adding extra claims to an X.509-SVID is trickier than adding them to a JWT-SVID.
- ⚡ Net-net... it's not that JWTs are bad for authorization. But like any other technology, your JWT approach needs proper design, testing and governance.
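The two failure modes above (a token too large for the Authorization header, and revocation needing issuer and consumer to cooperate) in one runnable illustration. This is an added example for this page, not code from Gluu, SPIRL or the episode. It hand-rolls HS256 with the standard library so it runs offline; the key, the claim sets, the "groups" horror-story data and the in-memory revocation set are all constructed here, and the header limits are commonly documented defaults that you should confirm against your own proxies.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key for this example only; a real issuer keeps its key in an HSM/KMS.
DEMO_KEY = b"demo-hs256-key-for-illustration-only"

# Per-header request limits as commonly documented defaults (assumption: confirm the
# values for your own proxy versions; they are here to make the point, not as a spec).
COMMON_HEADER_LIMITS = {
    "nginx large_client_header_buffers": 8 * 1024,
    "Apache LimitRequestFieldSize": 8190,
    "Node.js --max-http-header-size": 16 * 1024,
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint a compact HS256 JWT with the standard library only (issuer side)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def base_claims(now: int, jti: str) -> dict:
    # Lean token: identity, audience, lifetime and a token ID; authorization data stays server-side.
    return {"iss": "https://idp.example", "sub": "alice", "aud": "orders-api",
            "iat": now, "exp": now + 300, "jti": jti}


def bloated_claims(now: int, jti: str, n_groups: int = 300) -> dict:
    # Constructed "horror story": every directory group the user belongs to, copied into the token.
    claims = base_claims(now, jti)
    claims["groups"] = [f"cn=app-{i:04d}-readers,ou=groups,dc=example,dc=com" for i in range(n_groups)]
    return claims


def authorization_header_bytes(token: str) -> int:
    """Bytes the Authorization header line occupies on the wire."""
    return len(f"Authorization: Bearer {token}\r\n".encode("ascii"))


def exceeded_limits(token: str, limits: dict = COMMON_HEADER_LIMITS) -> list:
    """Names of the limits this token's Authorization header would exceed."""
    size = authorization_header_bytes(token)
    return [name for name, cap in limits.items() if size > cap]


def binary_claim_inflation(n_bytes: int) -> float:
    """Wire bytes per raw byte when a binary value is base64'd into a claim and the
    payload is then base64url'd again (double encoding, roughly 1.8x)."""
    claim = {"binary_blob": base64.b64encode(b"\x00" * n_bytes).decode("ascii")}
    payload = _b64url(json.dumps(claim, separators=(",", ":")).encode())
    return len(payload) / n_bytes


def verify_jwt(token: str, key: bytes, revoked_jtis: set, now: int) -> dict:
    """Consumer side: signature, alg allowlist, expiry, then the issuer's revocation list.
    `revoked_jtis` stands in for whatever the issuer publishes (constructed set here)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed")
    h64, p64, s64 = parts
    if json.loads(_b64url_decode(h64)).get("alg") != "HS256":
        raise ValueError("alg not allowed")  # never let the token pick the algorithm
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("expired")
    if claims.get("jti") in revoked_jtis:
        raise ValueError("revoked")
    return claims


def token_status(token: str, key: bytes, revoked_jtis: set, now: int) -> str:
    """'ok' or the reason the consumer rejected the token."""
    try:
        verify_jwt(token, key, revoked_jtis, now)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    now = 1_700_000_000
    lean, fat = mint_jwt(base_claims(now, "t-1")), mint_jwt(bloated_claims(now, "t-2"))
    print("lean header bytes:", authorization_header_bytes(lean), exceeded_limits(lean))
    print("fat  header bytes:", authorization_header_bytes(fat), exceeded_limits(fat))
    print("binary claim inflation:", round(binary_claim_inflation(1024), 2))
    print("after issuer revokes t-1:", token_status(lean, DEMO_KEY, {"t-1"}, now + 10))
```

The bloated token is a few hundred directory groups away from a lean one, yet it crosses every limit in the table, which is exactly the kind of failure that appears only behind the one proxy with the smallest buffer. Note that `verify_jwt` can only honor revocation because the issuer publishes revoked `jti` values and the consumer fetches them; a short `exp` is what bounds the damage while that list is stale.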
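A worked illustration of the takeaway that the SPIFFE ID's own structure can carry authorization-relevant information. This is an added example, not code from SPIFFE, SPIRE, SPIRL or the episode. The parser constraints paraphrase the SPIFFE ID spec and should be treated as an approximation, the `/ns/<namespace>/sa/<service-account>` path shape is SPIRE's Kubernetes convention rather than part of the standard, and the policy table and trust domain are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constraints paraphrased from the SPIFFE ID spec (assumption: approximate; check the
# current spec text before relying on them). Trust domains are lowercase; path
# segments may not be empty, "." or "..".
_TRUST_DOMAIN = re.compile(r"^[a-z0-9._-]+$")
_SEGMENT = re.compile(r"^[A-Za-z0-9._-]+$")
_MAX_BYTES = 2048


@dataclass(frozen=True)
class SpiffeId:
    trust_domain: str
    path: tuple  # path segments without the slashes

    def __str__(self) -> str:
        return "spiffe://" + self.trust_domain + "".join("/" + s for s in self.path)


def parse_spiffe_id(text: str) -> SpiffeId:
    """Strict parser: rejects what a lenient URL parser would quietly normalize
    (dot segments, trailing slashes, mixed-case trust domains)."""
    if len(text.encode("utf-8")) > _MAX_BYTES:
        raise ValueError("too long")
    if not text.startswith("spiffe://"):
        raise ValueError("scheme must be spiffe")
    trust_domain, slash, path = text[len("spiffe://"):].partition("/")
    if not _TRUST_DOMAIN.match(trust_domain):
        raise ValueError("invalid trust domain")
    if slash and not path:
        raise ValueError("trailing slash")
    segments = tuple(path.split("/")) if path else ()
    for seg in segments:
        if seg in ("", ".", "..") or not _SEGMENT.match(seg):
            raise ValueError(f"invalid path segment {seg!r}")
    return SpiffeId(trust_domain, segments)


def k8s_identity(sid: SpiffeId):
    """(namespace, service_account) from the /ns/<ns>/sa/<sa> convention, else None.
    Assumption: SPIRE's Kubernetes registrar layout; other deployments encode differently."""
    p = sid.path
    if len(p) == 4 and p[0] == "ns" and p[2] == "sa":
        return p[1], p[3]
    return None


# Constructed policy: which workloads may call the orders API, and with what actions.
POLICY = {
    ("payments", "checkout"): {"orders:read", "orders:create"},
    ("reporting", "etl"): {"orders:read"},
}


def authorize(spiffe_id_text: str, action: str, expected_trust_domain: str = "example.org") -> bool:
    """Deny on any parse error, foreign trust domain, unexpected path shape or missing permission."""
    try:
        sid = parse_spiffe_id(spiffe_id_text)
    except ValueError:
        return False
    if sid.trust_domain != expected_trust_domain:
        return False  # a federated peer needs its own policy, not a lookup in this one
    ident = k8s_identity(sid)
    return ident is not None and action in POLICY.get(ident, set())


if __name__ == "__main__":
    for sid_text, action in [
        ("spiffe://example.org/ns/payments/sa/checkout", "orders:create"),
        ("spiffe://example.org/ns/reporting/sa/etl", "orders:create"),
        ("spiffe://example.org/ns/../ns/payments/sa/checkout", "orders:read"),
        ("spiffe://partner.example/ns/payments/sa/checkout", "orders:read"),
    ]:
        print(sid_text, action, "->", "allow" if authorize(sid_text, action) else "deny")
```

Everything the policy needs (namespace and service account) rides in the path of the SVID's SPIFFE ID, so no extra claims are required in either the X.509 or the JWT form. The flip side is the limit the takeaway mentions: anything richer than a handful of path segments does not fit, and the parser has to be strict, because a path-based identity is only as trustworthy as its canonicalization.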