Questions tagged [jwt]

A JSON Web Token (JWT) is a signed token issued by a server to a client; it carries claims, e.g. identity, that the client can present to a third party such as a service provider, which verifies the signature before trusting them.

385 questions
0 votes, 0 answers

Potential problems not verifying the JWT signature if wrapped in another JWT depending on HTTPS

Say that we have an authentication system that generates JWT to authenticate users to other systems. This JWT contains an inner token that can be made by multiple IDPs. The signature of this JWT is always verified before it is used to authenticate.…
snorberhuis
0 votes, 3 answers

Can I rely on the CSRF cookie to check if a user is authenticated on the client-side?

I have a website that runs on example.com. The website makes AJAX calls to my backend API which sits at api.example.com. I employ a double-submit verification strategy. The backend has protected endpoints which check the JWT token with each…
turnip
0 votes, 1 answer

Why do we need token authentication?

If I'm creating an authorization service for my application, why can't I just hash the password and save the username and hashed password in my User table? Why should I use a token authentication service like JWT? I don't think I'm right but I…
0 votes, 2 answers

Are JWTs the way to go in my situation?

I am working on a personal project for learning reasons, and have come to the point of authenticating and authorizing users. I would like to keep the project as stateless as possible, to make sure it can run on either 1 or 100 machines without much…
yesman
0 votes, 1 answer

How to authorize access to a resource when requested with CORS and validate the origin?

I'll try to make the explanation simple and to the point (keyword try). And if that's not sufficient, then maybe I can expand on the question. Imagine two sites: resources.example.com and www.example.com. I only have direct control over…
user3621633
0 votes, 3 answers

Why is passing a token for each API request more secure than passing a username and secret for each API request?

I guess this could also be phrased as JWT vs. Basic Auth, similar idea? Passing a token for each API request seems to be the more common and recommended approach, and I have the gut feeling that it just "feels better and safer", but I am not sure…
atkayla
0 votes, 1 answer

Security issues with using JWT + cookies for session authentication?

Trying to get my head around not using traditional $_SESSIONS to keep user logged-in across pages. Are there security issues with storing JWT in cookies to authenticate a user session? Here's a bare example of what I'm trying to do: config.php $key…
IMB
0 votes, 0 answers

Share generated private/public pair among instances of same application

I've been working on a login system which works with JWT. Nothing fancy, you send a valid pair user+password and then you get a signed token to identify yourself on further requests. It is built in Java. For signing the tokens, the application…
coya
0 votes, 1 answer

JSON Web Tokens with anonymous login

I have inherited an app that allows users to buy a gift card, and then see the gift card details after they have bought it. There are 4 main API calls - one to buy the gift card, one to get gift card details, one to attach a message to the gift…
Mark
0 votes, 2 answers

Signing webhooks with asymmetric keys

I want to sign webhooks from my web service with a JSON Web Signature (part of JWT standard), ideally using asymmetric keys (so, using RSA or elliptic curve cryptography). What is the recommended or standard way to publish my public key? Is there a…
0 votes, 1 answer

Why does the JWT WordPress plugin recommend storing the token in a cookie/localstorage?

Reading about JWT I've come across a very interesting topic, which is the vulnerability of JWT tokens if they're not properly secured when used with WordPress. So, the thing is that storing the token in a cookie would make it vulnerable to XSS or CSRF…
alex55132
0 votes, 1 answer

Securing protected routes/pages with JWT

Let's imagine I have a website with a React front-end that renders two pages, one is "View Data" and the other is a welcome page with a login form. Scenario: You log in and the server accepts it and you get a JWT. When you click on "View Data" the…
Geth V
0 votes, 1 answer

MQTT without TLS - prevent publish messages from unauthenticated devices

I have a use case where I'm not able to use MQTTS/TLS due to constraints on devices. Our plan is to perform authentication during MQTT CONNECT, passing a JWT token as a password. If I understand correctly MQTT keeps a TCP connection open for all…
0 votes, 1 answer

Hiding HMAC-SHA256 in source code and configuration file

Would it make sense or provide an advantage of sorts to break an HMAC-SHA256 secret key into two components and hide one component in an applicable server side configuration file and the other component in (closed source, server side) compiled…
dFrancisco
0 votes, 2 answers

JWT authentication or cookies?

I am currently creating a login system for my website. To secure the login service, should I use JSON Web Tokens and HTML5 storage, or should I use the older way of using cookies? Are any of these options secure or is there a better way of…
iProgram