Questions tagged [jwt]

A JSON Web Token (JWT, RFC 7519) is a compact, URL-safe token that carries a set of claims (for example the identity of an authenticated user, an issuer and an expiry time) as a base64url-encoded JSON payload. It is normally signed (JWS) or encrypted (JWE) by the issuing server so that a relying party, e.g. a service provider, can verify that the claims came from a trusted issuer and were not altered in transit. The claims in a signed-but-unencrypted JWT are readable by anyone holding the token.

385 questions
81 votes, 7 answers

Is refreshing an expired JWT token a good strategy?

If I understand best practices, JWT usually has an expiration date that is short-lived (~ 15 minutes). So if I don't want my user to log in every 15 minutes, I should refresh my token every 15 minutes. I need to maintain a valid session for 7 days…

asked by Guillaume Vincent
40 votes, 4 answers

Can I prevent a replay attack of my signed JWTs?

I have implemented a stateless auth over HTTP in Laravel, using JWTs. I send my username/password from the frontend. Server authenticates user, sends back a signed JWT with an expiry time. I'm using the HS512 algorithm to sign with a private key…

asked by Aditya M P
40 votes, 3 answers

How does JTI prevent a JWT from being replayed?

According to the JWT RFC a JWT can optionally have a JTI which I interpret to be a unique ID for a JWT. It seems like a UUID is a good value for a JTI. The RFC claims that the JTI can be used to prevent the JWT from being replayed. Two…

asked by ams
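The two replay questions above ("Can I prevent a replay attack of my signed JWTs?" and "How does JTI prevent a JWT from being replayed?") both hinge on the same point: a jti is only a unique label, and it stops replay only if the verifier remembers which jtis it has already honoured. The following is an added example of that server-side bookkeeping; it is not code from either question or from any JWT library. The class name, claim values and timestamps are constructed for illustration, and it assumes the caller has already verified the token's signature and passes the decoded claims in as a dict with an integer `exp` (Unix seconds) and a string `jti`.

```python
import time
from typing import Dict, Optional

# Added example (not from either question). A jti only stops replay if the
# verifier remembers which jtis it has already honoured. This guard keeps
# that memory bounded: an entry is dropped once its token's exp has passed,
# because from then on the token is rejected on exp alone.
# Assumed: the caller has already verified the signature (otherwise an
# attacker can flood the store with forged jtis) and passes the claims in
# as a dict with an integer "exp" (Unix seconds) and a string "jti".


class JtiReplayGuard:
    def __init__(self, max_ttl: int = 3600, clock_skew: int = 30) -> None:
        self._seen: Dict[str, int] = {}   # jti -> exp of the token it came from
        self._max_ttl = max_ttl           # longest lifetime we agree to track
        self._skew = clock_skew           # tolerance for clock drift, in seconds

    def _expired(self, exp: int, now: int) -> bool:
        return exp + self._skew < now

    def _evict(self, now: int) -> None:
        # Forget jtis whose tokens are now rejected on exp anyway.
        for jti in [j for j, exp in self._seen.items() if self._expired(exp, now)]:
            del self._seen[jti]

    def accept(self, claims: dict, now: Optional[int] = None) -> bool:
        """True the first time a still-valid jti is presented; False for a
        replay, an expired token, an over-long lifetime, or missing claims."""
        now = int(time.time()) if now is None else now
        self._evict(now)
        jti, exp = claims.get("jti"), claims.get("exp")
        if not isinstance(jti, str) or not isinstance(exp, int):
            return False   # without both, the replay window cannot be bounded
        if self._expired(exp, now):
            return False   # expired: reject, and nothing to remember
        if exp - now > self._max_ttl:
            return False   # would pin memory for longer than we allow
        if jti in self._seen:
            return False   # replay of a jti already honoured
        self._seen[jti] = exp
        return True

    def tracked(self) -> int:
        """Number of jtis currently held in memory."""
        return len(self._seen)


if __name__ == "__main__":
    # Constructed demo: the same claims presented twice within their lifetime.
    guard = JtiReplayGuard()
    claims = {"sub": "alice", "jti": "5d2a1c4e-demo", "exp": int(time.time()) + 600}
    print(guard.accept(claims))   # True on first use
    print(guard.accept(claims))   # False: replay
```

In deployment the seen set has to live where every verifier instance can reach it, for example a cache entry keyed on the jti with a TTL equal to the token's remaining lifetime; that also means the verifier is no longer fully stateless, which is the same trade-off the refresh-token discussion above runs into.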
32 votes, 1 answer

What are the differences between JSON Web Tokens, SAML and OAuth 2?

What are the differences between JSON Web Tokens, SAML and OAuth 2? Please provide some pointers and high level overview of their functions. Specifically, why would one use SAML over JSON Web Tokens or vice versa? Does one need to have OAuth 2 to use…

asked by Jadiel de Armas
31 votes, 3 answers

Should I be able to see patterns in a HS256 encoded JWT?

I was fiddling with https://jwt.io/ using this header { "alg": "HS256", "typ": "JWT" } when I realized that replacing the payload name with something repetitive like AAAAAAAAAAAAAAAAAAAA would produce a token such as…

asked by jmacedo
28 votes, 5 answers

What protects a JWT from being hijacked and used to pose as the original user?

Sorry for this possibly silly question, I'm just learning about JWT so please bear with me... I read the JWT docs extensively but I don't understand what prevents a hacker from hijacking the JWT and posing as the user for which it was originally…

asked by longboardnode
25 votes, 2 answers

Is it safe to store a JWT in sessionStorage?

This article from Auth0 recommends storing the JWT locally in local storage (or a cookie). But this article from OWASP recommends not to store any sensitive data locally (not even sessionStorage). So, is it safe to store the JWT token locally or not?

asked by Ghassan Karwchan
24 votes, 4 answers

What is the difference between JWT and encrypting some json manually with AES?

What is the difference between using a JSON Web Token (JWT) and simply having an AES key and sending and receiving encrypted JSON from the client? For example, this could be sent to the client: AES256.encrypt(JSON.stringify({id: 5552, admin:…

asked by FLUSHER
23 votes, 3 answers

What is the impact of an exposed secret key for a JWT token implementation?

I am currently using JWT implementation for the authentication part of my APIs. A private key is used to sign the token generated and used to make sure it's not tampered with when it's used later for other API. My question is - What is the impact if…

asked by darren19824
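Two entries above, "Should I be able to see patterns in a HS256 encoded JWT?" and "What is the impact of an exposed secret key for a JWT token implementation?", come down to the same mechanics of an HS256 token: header and payload are base64url-encoded, not encrypted, and the signature is an HMAC over those two encoded segments with a shared secret. The following is one added example that shows both, built and verified with the Python standard library; it is not code from either question, from jwt.io, or from any JWT library. The secret, claims and the repeated-"A" name value are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Tuple

# Added example (not from any question on this page). An HS256 JWT is
#   base64url(header) "." base64url(payload) "." base64url(HMAC-SHA256(secret, first two segments))
# Header and payload are encoded, not encrypted: anyone holding the token can
# read them, and repetitive payload bytes give repetitive base64url text.
# Anyone holding the HMAC secret can mint a token with arbitrary claims.


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url; re-adds the padding urlsafe_b64decode expects."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    # Compact separators give the same bytes jwt.io shows for a given JSON.
    segments = [b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
                for part in (header, claims)]
    signing_input = ".".join(segments)
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(mac)}"


def verify_hs256(token: str, secret: bytes) -> Tuple[bool, dict]:
    """(True, claims) only for a well-formed HS256 token whose HMAC matches;
    (False, {}) for anything else, including a tampered payload."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        # Pin the algorithm instead of trusting the header: honouring whatever
        # "alg" says is how "alg": "none" and key-confusion attacks get in.
        if header.get("alg") != "HS256":
            return False, {}
        expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return False, {}
        return True, json.loads(b64url_decode(p))
    except ValueError:  # wrong segment count, bad base64, or bad JSON
        return False, {}


def read_payload_unverified(token: str) -> dict:
    """What anyone holding the token can read without knowing the secret."""
    return json.loads(b64url_decode(token.split(".")[1]))


def swap_payload(token: str, new_claims: dict) -> str:
    """Keep header and signature, replace the payload: the tampering a
    verifier must catch."""
    h, _, s = token.split(".")
    body = b64url(json.dumps(new_claims, separators=(",", ":")).encode("utf-8"))
    return ".".join([h, body, s])


if __name__ == "__main__":
    # Constructed demo values.
    secret = b"constructed-demo-secret-do-not-reuse"
    tok = sign_hs256({"sub": "alice", "name": "AAAAAAAAAAAAAAAAAAAA", "admin": False}, secret)
    print(tok)                                   # middle segment shows runs of "QUFB"
    print(read_payload_unverified(tok))          # readable without the secret
    print(verify_hs256(swap_payload(tok, {"sub": "alice", "admin": True}), secret))
    print(verify_hs256(sign_hs256({"sub": "alice", "admin": True}, secret), secret))
```

The repeating pattern the first question noticed is just base64url at work: each three bytes of `AAA` in the payload encode to `QUFB`, so a run of 20 `A`s yields a visible run of `QUFB` groups. The second question's answer is visible in the last line of the demo: with the secret in hand, an attacker does not need to tamper with an existing token, they simply sign a new one with whatever claims they want and it verifies cleanly, so an exposed HMAC secret must be rotated and every token signed under it treated as forged.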
21 votes, 4 answers

Is a JWT usable as a CSRF token?

I'm in need of a CSRF token, for a certain application that submits a form with POST. Ideally, I'd like to not make a DB call for each submission, to avoid storage and DB traffic & latency. To this end OWASP's "CSRF Prevention Cheat Sheet"…

asked by Thanatos
20 votes, 2 answers

Access-control-allow-origin: * with a bearer token

When testing a single page application, I've identified that the REST endpoints return CORS headers that allow cross-domain access: access-control-allow-credentials: true access-control-allow-methods: GET, POST, DELETE,…

asked by paj28
19 votes, 2 answers

Stateless authentication with JWT: refresh token is not stateless

In my current architecture, my backend issues a JWT back to the (mobile) client. The primary reason to opt for a JWT is stateless authentication, i.e. the server doesn't need to store data in the session/database, which means less overhead and…

asked by Trace
19 votes, 4 answers

JWT vs. Client Certificates

We have a transaction server that is connected to by different client applications. The requirement is to have a secure means of authentication for client applications to communicate with the transaction server. The two solutions being looked at are…

asked by Nixman55
19 votes, 2 answers

Where should I store OAuth2 access tokens?

I am building a REST API back-end, for a mobile application. In our design choice, we decided to let OAuth2 providers handle the login security. However, I am not sure what the best practice is for the access token, which I acquire from the OAuth2…

asked by Daniel
18 votes, 2 answers

JWT: A solution to let the token expire after a certain time of inactivity?

I have a stateless webapp that uses a JWT token. Eventually it will expire - which is OK, but I don't want it to expire while the user is working. Instead, I would like the token to expire after a certain time of inactivity. Let's say my token is…

asked by Tim