Questions tagged [jwt]

A JSON Web Token (JWT) is a signed token provided by a server to a client which can be used to validate certain claims, e.g. identity, that can be used for a third party, e.g. a service provider.

385 questions
0 votes, 1 answer

Using Refresh Token inside of Access Token without HTTPS

I previously read that Access Token must be sent with every request to the API but Refresh Token must be sent ONLY when the Access Token expires. I'm trying to use a similar model to the conventional model, where the Access Token is JWT, but the…
0 votes, 1 answer

Authentication for server to server api

I want to design an api which an organization is going to use to connect with my server. For a client-server application, a simple jwt-based authentication is done by verifying user credential and generating a token for them. My question is what…
Ju Bc
  • 103
  • 2
0 votes, 1 answer

JWT with a single audience claim accessing a resource server with multiple configured audience values

When a JWT id_token with a single audience is presented to a resource server which has multiple configured audience values, should the resource server reject the validity of the token on the basis of the mismatch in audiences (ie JWT has one,…
Moo
  • 542
  • 3
  • 6
0 votes, 3 answers

Admin privileges depending on JWT body

From a security perspective is it ok to store the permissions of a user inside the body of the Json Web Token? For example a jwt body like this: { "username": "lukas", "isAdmin": true } The integrity of the body is verified by the signature…
0 votes, 4 answers

Is a security flaw created in extending TLS to bind and propagate a client-side JWT?

Apart from the fact that TLS doesn't have "connection context" variables, is there any reason why this couldn't be technically built into the standard for something like JWT? Why it is needed When a browser sends multiple requests to the same API…
0 votes, 2 answers

jwt symmetric signature security risks (from client side)

I am currently implementing an iOS app, which integrates with a cloud hosted .net backend system in azure. The api login endpoint takes user/pass -> replies with a signed only HS256 jwt token. All further calls to the endpoint require an…
0 votes, 2 answers

JWT token authorize and authenticate

I have created a service that takes login credentials and gives back a JWT. Now the JWT is created with a secret key from this service. I would like to use this token to get access from other micro-services, however on the micro-services, I would…
SecNoob
  • 3
  • 1
0 votes, 1 answer

oidc authentication webapp REST api

So I have looked at the following client library, implementing the OpenID Connect spec: https://github.com/IdentityModel/oidc-client-js It works as expected, and I can now allow users to login with Google, great. This library specifically assumes…
Trace
  • 327
  • 3
  • 14
0 votes, 1 answer

How can user-less servers be authenticated without sharing secret data?

Background: This is the architecture of the platform I'm working on: The API has several secured endpoints for accessing the database. Users login on the Front End with their credentials, and if they're valid the API returns a JSON Web Token (JWT).…
schil227
  • 113
  • 5
0 votes, 2 answers

JWT vs custom encryption for REST APIs over https

For our REST API architecture, we are currently thinking over two options - Json Web Token - pros are that it is industry standard, we pass a key which adds a layer of access control and using which we can also add secondary authorisation…
0 votes, 1 answer

JWT: In a server-to-server request, should I sign the entire request body?

Let's set the scene with two servers: an "auth" server which provides users with authorization tokens containing claims relevant to their account a "paywall" server, which after receiving payment from a user, will send a request to the auth server…
ChaseMoskal
  • 101
  • 2
0 votes, 1 answer

Extract data from burp response and use in another request

I have a scenario where I need to call /api/login to get a token and then use said token in subsequent calls until it expires. Is there a way to automate the call and token extraction and then to auto add it to the next requests? I have tried making…
CWright
  • 123
  • 3
0 votes, 1 answer

Validating iss and aud for internally signed JWT

I have an identity service that issues JWTs that are signed with private key. I have several resource services that consume that token to determine the claims of the user and thereby to determine the authorization scope. Naturally, the resource…
Sayan Pal
  • 101
  • 1
0 votes, 0 answers

Understanding JWT and SSO

I'm having trouble understanding how to set up SSO between my app and another app we have deployed. I'm new to trying to set this kind of thing up, so I was hoping someone could explain whether I'm on the right path, both from a standpoint of making…
Dan
  • 101
  • 1
0 votes, 1 answer

JSON Web Encryption (JWE): should one verify the alg and enc similarly to JWS alg whitelisting?

Use of JWS may suffer from flaws when relying on the "alg" attribute as described here: Critical vulnerabilities in JSON Web Token libraries. The advice is to verify that the signing JWS algorithm is in a list of accepted algorithms. Practically,…
Tangui
  • 403
  • 2
  • 6