Using session instead of JWT tokens

After going through articles like Why JWTs Suck as Session Tokens and other similar content on why it is bad to use JWTs, I’m convinced that a good old-fashioned server-side session management solution (like Redis) is the right choice for our use case.

Is there a guide on how to use Okta with server-side session and avoid all this unnecessary complexity associated with JWT tokens? A quick search yielded content about Okta session and application session and I’m not sure how this relates to a server-side session store like Redis.

Hi @jcortez,

The article mentioned:

When you start building your next website, just rely on your web framework’s default authentication libraries and tools, and stop trying to shove JWTs into the mix unnecessarily.

So this would be something outside of Okta, but here is a blog post demoing session management with Redis: Session Clustering for OAuth 2.0 Applications | Okta Developer.

But if any of your use cases fall under what was mentioned/listed here, e.g., machine-to-machine or SSO authentication, Okta can help with minting JWTs for these scenarios: Implement authorization by grant type | Okta Developer.

Also here is an example library/middleware that handles SSO with an IdP and then creates sessions in your application once the user is authenticated through the IdP - passport - npm. And although an Okta session has been established, it’s separate from your application session.
