Questions tagged [jwt]

A JSON Web Token (JWT) is a signed token issued by a server to a client; it carries claims (e.g. identity) that a third party, such as a service provider, can validate.

385 questions
10 votes, 1 answer

Why refresh tokens are used

Reading about JWT I see it is common practice to include a refresh token along with the short-lived token. So commonly it seems you have a short-lived token which lasts for a short time such as 15 minutes, and a refresh token which renews this token…
user2924127
9 votes, 3 answers

Usefulness of token sidejacking prevention mentioned by OWASP JWT Cheat Sheet

I was just reading through the "Token sidejacking" section of the OWASP JWT Cheat Sheet (https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_Cheat_Sheet_for_Java.html#token-sidejacking). At the moment I don't understand how the recommended…
Chris
9 votes, 4 answers

Recommended asymmetric algorithms for JWT?

I'm implementing JWT authentication for a new web service and am unsure which asymmetric algorithm to choose. I've searched around and haven't found any consensus or clear recommendations. According to the PyJWT docs there are a few different…
user3607758
9 votes, 1 answer

Using the authorization code grant without using cookies?

I've been reading up on this for months and it seems like the whole thing could converge on what I'm summarizing below. I'm trying to arrive at the most ideal OAuth2 / OpenID Connect SPA / mobile client JWT solution that has banking-level security…
Ole
9 votes, 2 answers

RSA JWK format and parameters meaning

In RFC 7571 I found what an RSA JWK should look like: {"kty":"RSA", "n":"0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4 cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMst …
Jacobian
9 votes, 1 answer

One-time JWT token with JWT ID claim

I'm trying to figure out how to issue a one-time-use JWT token for a password reset feature while still keeping it stateless. I came across Single-Use Tokens w/ JWT, which basically suggests including a hash of the current password, which in turn gets…
Sam R.
9 votes, 2 answers

Can XHR patching prevent XSS side-effects?

XSS & Single-Page Apps: I'm researching web security, and have seen that token-based authentication is good for CSRF prevention, distributed system architectures and processing performance. But another problem is XSS. Not specifically talking…
Hadrian
9 votes, 1 answer

Would encrypting a signed JWT prove viable to secure claims payload?

I am working on a server-client web application, and as an authentication scheme, I am issuing base64-encoded JSON web tokens. Consider the following…
scniro
8 votes, 3 answers

Is this password-less auth flow secure?

I'd like to implement a password-less auth flow for my mobile app that only requires a user to click a link in their email to log in, similar to how Slack handles auth. I'll be using Node and JWT for this implementation. I think I've come up with a…
klinore
8 votes, 1 answer

JSON Web Token claims: where do I put a username?

I am using JWT to verify users. As a result I need to create a JSON web token which contains the following information: username, mycompany, and expiration date. In the JWT standard there are reserved claims such as issuer (iss). For my information…
user2924127
7 votes, 1 answer

How does a JWT refresh token improve security?

I've recently learned about JWT tokens, but I don't understand why I need them. Considering: HTTPS is enabled, thus the access token can't be stolen along the way; it's encrypted. If at any time the hacker finds a way to read incoming JSON…
F.B
7 votes, 2 answers

What is the most secure way to store cross-subdomain cookies?

I am working for a company we will call "Company X". This company has a domain companyx.com. They have a cloud platform that manages things like SSL, but in order to do this you are required to use that domain. There are 3 apps: app1, app2 and app3…
Jackie
7 votes, 2 answers

Is it safe to use a stateless authorization mechanism where the clear password is stored in the keychain?

Is it safe to use the following stateless authorization mechanism between a client (iOS & Android) and server? Sign up: The client provides an email and password and saves the clear password in the Keychain on iOS and using some alternative for…
Ignasi
7 votes, 4 answers

JWT encoding using HMAC with asymmetric key as secret

I'm currently exploiting the vulnerability discussed here: https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/, where the algorithm type in JWT can be changed from RSA to HMAC and the token signed with a given…
Gowtham
7 votes, 2 answers

JWT or public/private keys for service-to-service API calls

I'm looking into setting up authentication between two application services. Service A is going to call service B, and I want service B to only accept (HTTP) calls from service A and nowhere else. I know how JWT authentication works and could implement…
Peter