A JSON Web Token (JWT) is a signed token issued by a server to a client. It carries claims, e.g. about the client's identity, that a third party such as a service provider can validate by checking the signature.
Questions tagged [jwt]
385 questions
10 votes, 1 answer
Why refresh tokens are used
Reading about JWT I see it is common practice to include a refresh token along with the short lived token. So commonly it seems you have a short lived token which lasts for a short time such as 15 minutes, and a refresh token which renews this token…
Asked by user2924127 (877 rep)
9 votes, 3 answers
Usefulness of token sidejacking prevention mentioned by OWASP JWT Cheat Sheet
I was just reading through the "Token sidejacking" of the JWT Cheat Sheet of OWASP (https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_Cheat_Sheet_for_Java.html#token-sidejacking)
At the moment I don't understand how the recommended…
Asked by Chris (91 rep)
9 votes, 4 answers
Recommended asymmetric algorithms for JWT?
I'm implementing JWT authentication for a new web service and am unsure which asymmetric algorithm to choose. I've searched around and haven't found any consensus or clear recommendations. According to the PyJWT docs there are a few different…
Asked by user3607758 (93 rep)
9 votes, 1 answer
Using the authorization code grant without using cookies?
I've been reading up on this for months and it seems like the whole thing could converge on what I'm summarizing below. I'm trying to arrive at the most ideal:
- OAuth2
- OpenID Connect
- SPA / Mobile Client
- JWT
Solution that has banking level security…
Asked by Ole (529 rep)
9 votes, 2 answers
RSA JWK format and parameters meaning
In RFC 7571 I found what an RSA JWK should look like:
{"kty":"RSA",
"n":"0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4
cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMst
…
Asked by Jacobian (207 rep)
9 votes, 1 answer
one-time JWT token with JWT ID claim
I'm trying to figure out how to issue a one-time use JWT token for a password reset feature while still keeping it stateless. I came across Single-Use Tokens w/ JWT, which basically suggests including a hash of the current password, which in turn gets…
Asked by Sam R. (245 rep)
9 votes, 2 answers
Can XHR patching prevent XSS side-effects?
XSS & Single-Page Apps
I'm researching web security, and have seen that token-based authentication is good for CSRF prevention, distributed system architectures and processing performance.
But another problem is XSS. Not specifically talking…
Asked by Hadrian (193 rep)
9 votes, 1 answer
Would encrypting a signed JWT prove viable to secure claims payload?
I am working on a server-client web application, and as an authentication scheme, I am issuing base64 encoded json web tokens. Consider the following…
Asked by scniro (205 rep)
8 votes, 3 answers
Is this password-less auth flow secure?
I'd like to implement a password-less auth flow for my mobile app that only requires a user clicking a link in their email to log in. Similar to how Slack handles auth. I'll be using node and jwt for this implementation.
I think I've come up with a…
Asked by klinore (131 rep)
8 votes, 1 answer
JSON Web Token claims: where do I put a username?
I am using JWT to verify Users. As a result I need to create a json web token which contains the following information: username, mycompany, and expiration date. In the JWT standard there are reserved claims such as issuer (iss). For my information…
Asked by user2924127 (877 rep)
7 votes, 1 answer
How does a JWT refresh token improve security?
I've recently learned about JWT tokens, but I don't understand why I need them. Considering:
HTTPS is enabled, thus the access token can't be stolen along the way. It's encrypted.
If at anytime, the hacker finds a way to read incoming JSON…
Asked by F.B (73 rep)
7 votes, 2 answers
What is the most secure way to store cross-subdomain cookies?
I am working for a company we will call "Company x". This company has a domain companyx.com. They have a cloud platform that manages things like SSL, but in order to do this you are required to use that domain. There are 3 apps: app1, app2 and app3…
Asked by Jackie (171 rep)
7 votes, 2 answers
Is it safe to use a stateless authorization mechanism where the clear password is stored on the keychain?
Is it safe to use the following stateless authorization mechanism between a client (iOS & Android) and server?
Sign up
The client provides an email and password and saves the clear password on the Keychain of iOS and using some alternative for…
Asked by Ignasi (123 rep)
7 votes, 4 answers
JWT encoding using HMAC with asymmetric key as secret
I'm currently exploiting the vulnerability discussed here
https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
Where the algorithm type in JWT can be changed from RSA to HMAC and signing the token with a given…
Asked by Gowtham (983 rep)
7 votes, 2 answers
JWT or public-private keys for service to service API calls
I'm looking into setting up authentication between two application services. Service A is going to call service B, and I want service B to only accept (http) calls from service A, nowhere else.
I know how JWT authentication works and could implement…
Asked by Peter (185 rep)