Best practices for server-side handling of JWT tokens [closed]

by

I’ve been playing with tokens for my application as well. While I’m not an expert by any means, I can share some of my experiences and thoughts on the matter.

The point of JWTs is essentially integrity. It provides a mechanism for your server verify that the token that was provided to it is genuine and was supplied by your server. The signature generated via your secret is what provides for this. So, yes, if your secret is leaked somehow, that individual can generate tokens that your server would think are its own. A token based system would still be more secure than your username/password system simply because of the signature verification. And in this case, if someone has your secret anyway, your system has other security issues to deal with than someone making fake tokens (and even then, just changing the secret ensures that any tokens made with the old secret are now invalid).

As for payload, the signature will only tell you that the token provided to you was exactly as it was when your server sent it out. verifying the that the payloads contents are valid or appropriate for your application is obviously up to you.

For your questions:

1.) In my limited experience, it’s definitely better to verify your tokens with a second system. Simply validating the signature just means that the token was generated with your secret. Storing any created tokens in some sort of DB (redis, memcache/sql/mongo, or some other storage) is a fantastic way of assuring that you only accept tokens that your server has created. In this scenario, even if your secret is leaked, it won’t matter too much as any generated tokens won’t be valid anyway. This is the approach I’m taking with my system – all generated tokens are stored in a DB (redis) and on each request, I verify that the token is in my DB before I accept it. This way tokens can be revoked for any reason, such as tokens that were released into the wild somehow, user logout, password changes, secret changes, etc.

2.) This is something I don’t have much experience in and is something I’m still actively researching as I’m not a security professional. If you find any resources, feel free to post them here! Currently, I’m just using a private key that I load from disk, but obviously that is far from the best or most secure solution.

More Related Contents:

  1. JWT (JSON Web Token) automatic prolongation of expiration
  2. What is token-based authentication?
  3. Where to store JWT in browser? How to protect against CSRF?
  4. JWT refresh token flow
  5. If you can decode JWT, how are they secure?
  6. Authentication versus Authorization
  7. Non-random salt for password hashes
  8. Cross Domain Login – How to log a user in automatically when transferred from one domain to another
  9. Where do you store your salt strings?
  10. SPA best practices for authentication and session management
  11. Is it safe to put a jwt into the url as a query parameter of a GET request?
  12. How do I store and retrieve credentials from the Windows Vault credential manager?
  13. Symfony2 extending DefaultAuthenticationSuccessHandler
  14. secure api data from calls out of the app
  15. Best way for a ‘forgot password’ implementation? [closed]
  16. What is the best Distributed Brute Force countermeasure? [closed]
  17. Should I hash the password before sending it to the server side?
  18. Should JWT be stored in localStorage or cookie? [duplicate]
  19. https URL with token parameter : how secure is it?
  20. Secure keys in iOS App scenario, is it safe?
  21. How to do stateless (session-less) & cookie-less authentication?
  22. Using Symfony2’s AccessDeniedHandlerInterface
  23. How to manually decrypt an ASP.NET Core Authentication cookie?
  24. Secure Google Cloud Functions http trigger with auth
  25. What is the appropriate way to manage API secrets within a Google Apps script?
  26. Google Authenticator available as a public service?
  27. What are best practices for securing the admin section of a website? [closed]
  28. Securing an API: SSL & HTTP Basic Authentication vs Signature
  29. is it bad to pass jwt token as part of url?
  30. How do you protect your software from illegal distribution? [closed]

Leave a Comment