I am still working my mind through the JWT chat example.
One issue I am grappling with is what to use when… so I thought to ask if anyone has any insights about how to deal with the trade-off.
On one side you can keep everything private but then you need to enroll each identity on each device
However, on the other you can use an external JWT via an Identity Provider… but then it becomes the weak link if compromised.
Any tips? suggestions? insights?
Thx
I think I get this now… as you still need to create the identities in the controller… it’s just that you don’t enrol them…
This is the point of the external signer… which uses the IdP to facilitate the identification.
Not 100% sure yet how a server identity would be used in an IdP… as it does not have a password to authenticate itself… whereas… a client would.
Is this correct? I look forward to your further comments… especially how a server identity would engage with an IdP… I find it totally…
The main question I am trying to answer is what is best when… as it’s not really clear right now.
I don’t think there are any direct answers here but you’re spot on with this assessment. It’s really up to the implementor to decide when the convenience outweighs the risk and how much risk one wants to tolerate.
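One way to narrow the "weak link" that an externally signed JWT represents, as an added example that is not from the original thread or from any project's own code: the controller side accepts an IdP-issued token only when its key id, algorithm, issuer, audience and validity window all match what was pinned ahead of time. The key set, issuer URL, audience name and subject values are constructed for the example, and HS256 stands in for the RS256/JWKS keys a real IdP would publish.

```python
import base64, hashlib, hmac, json, time

# Constructed trust configuration (not from the thread): the controller pins one
# IdP key id, one issuer and one audience. HS256 keeps the example stand-alone.
TRUSTED_KEYS = {"idp-key-1": b"constructed-demo-secret"}
EXPECTED_ISSUER = "https://idp.example.test"
EXPECTED_AUDIENCE = "ziti-controller"  # hypothetical audience name
ALLOWED_ALGS = {"HS256"}

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).decode().rstrip("=")

def mint_token(claims, kid, secret):
    """Stand-in for the IdP: sign the claims with HS256 under the given key id."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_external_jwt(token, now=None):
    """Return the 'sub' claim to map to a controller identity, or raise ValueError.

    Each check limits what a stolen or forged IdP token can do: unknown key ids and
    off-list algorithms (including 'none') are refused before the signature is even
    looked at, then issuer, audience and time window must all match the pinned values.
    """
    header_b64, payload_b64, sig_b64 = token.split(".")  # ValueError if not 3 parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("algorithm not allowed")
    key = TRUSTED_KEYS.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown signing key")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if claims.get("iss") != EXPECTED_ISSUER or EXPECTED_AUDIENCE not in aud:
        raise ValueError("issuer or audience mismatch")
    if now >= claims.get("exp", 0) or now < claims.get("nbf", 0):
        raise ValueError("token outside validity window")
    if not claims.get("sub"):
        raise ValueError("no subject to map to an identity")
    return claims["sub"]
```

The identity still has to exist in the controller; this only decides whether an IdP token is trustworthy enough to be mapped onto it.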