I created some REST APIs using Spring and implemented Spring Security with JWT for authentication. My front end runs on AngularJS and consumes these APIs, getting JSON responses. JWT authentication works fine, but it allows you to simply copy and paste the request parameters and headers from the browser console into Postman or any other REST client and receive successful responses, even from the secured back-end APIs.
I am trying to solve this problem using the JTI claim in the JWT. I plan to use a different JTI value for each request after authentication, so that simply stealing the headers from the browser does not work.
Now, having gone through the many resources available on the Internet, it is still not clear to me whether the client or the server should set the JTI value in the JWT.
According to my understanding, if I do this on the server side, I will have to send a new JWT with each response and expect it in the next request from the client, while maintaining a record of the used JTIs in the database. But if an attacker finds this out, they just have to use the token from the previous response, and after that they can comfortably interact with my APIs.
On the other hand, if I do this on the client side, I will need to store the JWT signing secret key and the JTI generation logic in JavaScript code so that it can add the JTI value and hash (sign) the token again. My questions:
- What is the correct way to implement this? Am I missing something, or am I heading in the wrong direction altogether?
- , , , ( Spring MVC- Jsps)?