Authentication and authorization of applications using JWT

I went through the OAuth2 docs and thought it was kind of security theatre, so I tried to implement JWT tokens with a custom scheme, shown in the image below, for a mobile application talking to a web API.

Notes: I did not like the idea of OAuth2 refresh tokens, as they can be stolen and allow parallel use (by the legitimate and the malicious user) if you do not implement theft detection by rotating them (issuing a new refresh token with every request), in which case why use them at all?

How the auth flow works:

  • A user logging in with credentials receives a resource lasting 20 minutes.
  • After it expires, the JWT is refreshed, hitting a db check for whether it is blacklisted (relogin) and, if not, whether it has been used to create a new token.
  • If it has never been used for refreshing, it is accepted and used to issue a low-level access token.
  • If the token was used before, or has a different client + device + user than its parent, credential verification is offered (password or lock code).
  • If this passes, the check produces a new first-class token, blacklisting all of its parents and children in the db, as the user's new first entry.
  • If the screen lock is not passed, the user is presented with a login screen.

Questions:

  • What are the possible security holes? (I found two cases: a stolen valid access token lasts 20 minutes, the same as OAuth tokens, so nothing is lost there. And a stolen sleeping token: the user has not logged in for 7 days, the token is stolen and used until the user logs in again or the token chain is withdrawn after 3 months, which is our persistence policy. This theft has little chance, since the token would have to be intercepted at the last request the user makes in the application, which is harder than the theft of an OAuth2 refresh token.)
  • What user interface problems might a certificate in an application run into under this scheme?

(image: jwt auth flow)

1 answer

OAuth2 refresh tokens are not intended for mobile clients. Using refresh tokens requires client credentials, which cannot be safely stored in a mobile application.

Refresh tokens are used by confidential clients (for example, server-side web applications). They are often rotated when used (the server sends a new access token and a new refresh token). Unlike access tokens, a refresh token is sent only to the authorization server, not to the resource server (API).

Regarding your authorization flow: step 2 is the weak link IMO. You allow the client to use the expired token to generate a new access token. Therefore, if I find your phone and get access to the device, it will let me get a new access token and impersonate you.

You can force the client to renew the token every 15 minutes, but then you need to decide what happens if the application closes or the device turns off. Do you re-authenticate the user?
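The token-chain logic the question describes (one chain per login, reuse or a user/device mismatch blacklists the whole chain, a dormant chain forces a relogin) written out as an added server-side example; it is not code from the poster or the answerer. Token strings, the in-memory dict standing in for the db table, and the `clock` parameter are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class RefreshRecord:
    user: str
    device: str
    family: str          # chain id shared by every token descending from one login
    issued_at: float
    used: bool = False
    revoked: bool = False


class RefreshChainStore:
    """Server-side record of refresh tokens, kept as chains so reuse is detectable."""

    def __init__(self, max_idle_seconds=7 * 24 * 3600, clock=time.time):
        self._records = {}              # token -> RefreshRecord (a db table in practice)
        self._max_idle = max_idle_seconds
        self._clock = clock             # injectable so the dormant case can be tested

    def login(self, user, device):
        """Credentials verified: start a fresh chain (the 'first-class' token)."""
        return self._issue(user, device, secrets.token_hex(8))

    def _issue(self, user, device, family):
        token = secrets.token_urlsafe(32)
        self._records[token] = RefreshRecord(user, device, family, self._clock())
        return token

    def refresh(self, token, user, device):
        """Returns (status, new_token); status is 'ok', 'reauth_required' or 'login_required'."""
        rec = self._records.get(token)
        if rec is None or rec.revoked:
            return "login_required", None
        if self._clock() - rec.issued_at > self._max_idle:
            rec.revoked = True          # sleeping token: the user has not been back for too long
            return "login_required", None
        if rec.used or (rec.user, rec.device) != (user, device):
            # Same token presented a second time, or from another user/device:
            # blacklist the whole chain (parents and children) and demand a credential check.
            self.revoke_family(rec.family)
            return "reauth_required", None
        rec.used = True                 # each refresh token is good for exactly one rotation
        return "ok", self._issue(user, device, rec.family)

    def revoke_family(self, family):
        for rec in self._records.values():
            if rec.family == family:
                rec.revoked = True
```

Because the chain is revoked as a whole, the legitimate client holding the newest token is also logged out after a replay, which is the detection signal the question relies on.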
