
Say that we have an authentication system that generates a JWT to authenticate users to other systems. This JWT contains an inner token that can be made by multiple IdPs. The signature of this JWT is always verified before it is used to authenticate. The JWT is only as short-lived as the inner token, but the inner token can be a JWT itself.

I want to know what potential security problems there are if the inner JWT token is never verified, but instead, we depend on HTTPS security.

In the authorization code flow in OAuth 2.0, you exchange an access token for the ID token and access token of a user at an API endpoint. The next step is to validate these tokens. The public keys are retrieved and used to verify that the tokens are valid. Again, from the same endpoint.

The JWT tokens will immediately be wrapped in a new JWT token before they are transported outside a circle of trust, so they cannot be modified.

But if those endpoints are on an HTTPS endpoint what is the added value of verifying the tokens? If there is a man-in-the-middle, the attacker also has control of the endpoint exposing the public keys.

The inner token's signature is not verified during authentication of the outer token.

snorberhuis
  • I am not sure what exactly you are trying to do, but from what I understand you are just adding a new claim with this inner token as a value. And if the outer token is verified, the value inside is secure no matter what. If you are using that inner token for verification inside your app, you should re-verify it when you need to; otherwise it being a JWT token is unnecessary, so just use a regular claim. – Filip Cordas Jul 22 '19 at 22:36
  • Also, this sounds like something that should not be done in general. The owner of the token should be the client that requested the token, so the life cycle should be controlled by the client that requested it. You can always send the token that is needed to the endpoint that requires it, or send multiple tokens if you need that for something. This is quite common when you want one token that can be long-lived for authentication and a short-lived one for authorization. – Filip Cordas Jul 22 '19 at 22:47
  • Validating a JWT is a lot more than verifying a signature. Why/what is "a lot more"? Have a read: https://tools.ietf.org/html/draft-ietf-oauth-jwt-bcp-06 – identigral Jul 27 '19 at 23:57
  • The question is scoped to verifying a signature. – snorberhuis Jul 29 '19 at 13:48
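The following is an added example, not code from the question or from any of the commenters, that models the setup described above: an inner token minted by one of several IdPs, wrapped by a signing service into an outer JWT whose lifetime is bounded by the inner token's `exp`. It shows why HTTPS on the key and token endpoints does not substitute for verifying the inner token: the outer signature only proves that the wrapping service emitted the wrapper, not that a trusted IdP issued what is inside it, so a wrapper that does not verify inner tokens will faithfully sign whatever string it was handed. It also covers the comment that validation is more than a signature check, by pinning the algorithm and checking `exp`, `iss` and `aud`. All keys, issuer URLs (`idp-a.example`, `wrapper.example`), the audience and the subjects are constructed for the demo; HMAC-SHA256 with shared secrets stands in for the RS256/ES256 keys a real IdP would publish via JWKS, so that the example runs with the standard library only.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo keys; a real deployment would fetch per-issuer public keys from each IdP's JWKS.
OUTER_KEY = b"wrapper-service-secret-key-demo"
WRAPPER_ISS = "https://wrapper.example"
IDP_KEYS = {
    "https://idp-a.example": b"idp-a-secret-demo",
    "https://idp-b.example": b"idp-b-secret-demo",
}
AUDIENCE = "downstream-api"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, key: Optional[bytes], alg: str = "HS256") -> str:
    """Mint a compact JWT. alg='none' is supported only to model a forged, unsigned token."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{payload}."
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes, issuer: str, audience: str, now: float) -> dict:
    """Full validation: pinned alg, signature, exp, iss and aud. Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # the verifier, never the token, chooses the algorithm
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("expired")
    return claims


def wrap(inner_token: str, inner_exp: float) -> str:
    """The wrapping service: signs an outer JWT carrying the inner token, with the same exp."""
    outer_claims = {"iss": WRAPPER_ISS, "aud": AUDIENCE, "exp": inner_exp, "inner": inner_token}
    return make_jwt(outer_claims, OUTER_KEY)


def authenticate(outer_token: str, now: float, verify_inner: bool) -> str:
    """Return the authenticated subject. verify_inner=False trusts the inner token on the
    strength of the outer signature alone, which is the situation the question describes."""
    outer = verify_jwt(outer_token, OUTER_KEY, WRAPPER_ISS, AUDIENCE, now)
    inner_token = outer["inner"]
    inner_claims = json.loads(_b64url_decode(inner_token.split(".")[1]))  # not yet verified
    if verify_inner:
        key = IDP_KEYS.get(inner_claims.get("iss"))  # unknown issuers get no key, hence rejected
        if key is None:
            raise ValueError("unknown inner issuer")
        inner_claims = verify_jwt(inner_token, key, inner_claims["iss"], AUDIENCE, now)
    return inner_claims["sub"]


def demo(now: Optional[float] = None) -> dict:
    """Wrap a genuine inner token and two constructed forgeries, then authenticate each
    with and without inner verification. Returns {token_name: {mode: outcome}}."""
    now = time.time() if now is None else now
    exp = now + 300
    base = {"iss": "https://idp-a.example", "aud": AUDIENCE, "exp": exp}
    tokens = {
        "genuine": make_jwt({**base, "sub": "alice"}, IDP_KEYS["https://idp-a.example"]),
        "forged_none": make_jwt({**base, "sub": "admin"}, None, alg="none"),
        "forged_key": make_jwt({**base, "sub": "admin"}, b"not-the-idp-key"),
    }
    results = {}
    for name, inner in tokens.items():
        outer = wrap(inner, exp)  # the wrapper signs whatever it was given
        results[name] = {}
        for mode, label in ((False, "outer_only"), (True, "inner_verified")):
            try:
                results[name][label] = authenticate(outer, now, mode)
            except ValueError as err:
                results[name][label] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` shows both forgeries authenticating as `admin` when only the outer signature is checked, and being rejected once the inner token is verified against the key that belongs to its `iss`. Nothing about the transport changes between the two modes: the wrapper's signature is genuine in every case, which is exactly why the outer check alone cannot tell a genuine IdP token from a forged one.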
