JWT for authentication and authorization and protecting an API. It's feasible / secure?

Question

I'm developing a web application which manages security and hygiene at work so the clients can access information about medical stuff, like exams, reports, accidents, ability to work, things like that.

Info like this is rather sensitive, so I really want to make sure that every piece of info is secure in the best way possible. The web application is developed in Angular 5 and the API is developed in Asp.Net Core 2.0, I'm using JWT to authenticate and authorize a user.

So far in my research, I have found many articles discouraging the use of JWT and others stating that JWT has nothing wrong if used correctly.

Pros

REST API authentication with JWT and CSRF protection for SPA
REST Security Cheat-Sheet ( Not really a 'pro', but helps to implement)

Cons

Why JWTS suck as session tokens

Things to use instead of JWT

I'm storing the token in a cookie (I know about the XSS and CSRF) and right now I've done this:

Strong password mechanism ( hash and salt with a strong algorithm )
JWT blacklist table in the DB ( to revoke tokens )
The data inside the token is hashed (even if the token is stolen, they have no info from token itself )

And will do in the future :

API accepting requests only from the client URL ( not 'AllowAnyOrigin' )

So, I'm on the right path? Should I stop right now? I've done something wrong? Any help is appreciated.

What is the benefit over just using a normal session cookie? — AndrolGenhald, Jul 02 '18 at 18:11
The only benefit I find is the fact that I can pass some (none-sensitive) information about the user, like the ID — LuisMorais, Jul 03 '18 at 08:32

score 1 · Accepted Answer · answered Jul 03 '18 at 09:29

Only use JWTs if you are going to use the unique features of JWTs. Use normal session cookies if you just have normal sessions.

JWTs are signed tokens. This is useful if you authenticate at one server and use the JWT at another service. Then signed tokens provide some benefit, since the two servers do not have to share any user data. If you have the authentication server separated from the service that uses the authentication, JWTs can be a solution.

If you are just building a web app, where session data can be accessed throughout the app, there is no real benefit to JWTs, and session cookies work better. ASP.NET has excellent support for sessions with cookies, and I would think it would make the software a bit simpler if you went with that.

Humm, ok I'll check on that, then... Many thanks! :) – LuisMorais Jul 03 '18 at 11:00 — LuisMorais, Jul 03 '18 at 11:00

JWT for authentication and authorization and protecting an API. It's feasible / secure?

1 Answers1