
I have an identity service that issues JWTs that are signed with a private key.

I have several resource services that consume that token to determine the claims of the user and thereby to determine the authorization scope. Naturally, the resource service also has access to the public key counterpart that can be used for signature validation.

Note that both the identity and resource services are developed and managed by me. Consider that the resource service does not call any other external service with the token, and just uses the token to derive the authorization scope.

As the header and payload of a JWT can easily be decoded, anyone with access to the private key can create a token with the intended aud and iss. In this scenario, does validation of aud and iss bring anything additional from a security perspective, though every other token validation best practice says to validate aud and iss? Considering the private key is securely stored, isn't it enough to validate the signature of the JWT alone (along with the claims of the user, but that is not relevant for this discussion) in this scenario?

Sayan Pal

1 Answer


The purposes of the two security controls are different. JWT signature validation ensures that the token payload has not been modified in transit and was issued by a known sender.

The "iss" and "aud" validation ensures that the token has been issued by the expected Identity Provider and for the expected Client. This also (with validation of "azp", "at_hash" or "c_hash") mitigates some of the Token Substitution threats, where an attacker can use a token issued in another session (possessed by the attacker) by simply copying and pasting it.

Token Substitution threat

Bartosz Rosa