JWT & OAuth2 - does the server store the token? And how are they protected / safe from hackers?

I am a complete noob when it comes to security, authentication strategies. So I read this article on “Token Based Authentication”: https://scotch.io/tutorials/the-ins-and-outs-of-token-based-authentication

I have 2 questions:

  1. I don’t understand why the intermediary (or hacker) will not be able to see the token sent by the client and use it to impersonate this client / person to receive resources. What makes JSON Web Tokens / OAuth2 authentication more secure in this sense? If the token were for one-time use only, I would understand that even if the hacker can read the token, he will not be able to use it for another request. But since the token remains unchanged until it expires, how much safer is the authentication strategy?

  2. How does the server find out that the token sent by the client is valid, that is, something that the server exchanged with the client during login? Does the server save the generated token in the database or somewhere else, keep updating a "last access timestamp" or something like that, and keep deleting tokens where last_accessed_time > 1 hour ago, so that they expire after 1 hour of inactivity?

+16
security authentication jwt json-web-token oauth2
2 answers

I don’t understand why the intermediary (or hacker) will not be able to see the token sent by the client and use it to impersonate this client / person to receive resources.

JWT does not protect you from a man-in-the-middle attack (MITM). If an attacker obtains a valid token, he can effectively impersonate the user. Even if the content is encrypted.

JWT should be used with SSL / TLS to avoid MITM.

What makes JSON Web Tokens / OAuth2 authentication more secure in this sense?

JWT is the token format, and OAuth2 is the protocol. OAuth2 can use JWT. OAuth2 is more secure for a user using a third-party site, since credentials are sent only from the user to the main site, and then that site issues a token that the third-party site can use to authenticate the user. The third-party site never sees the user’s credentials.

But since the token remains unchanged until it expires, how much safer is the authentication strategy?

Read above. You need to protect your tokens so that they are not stolen (mainly: use HTTPS) or mitigate the effects of theft: store them in cookies with HttpOnly (if you do not need to access the JWT content on the client side), set a short expiration time, rotate the tokens ...

How does the server know that the token sent by the client is valid, that is, something that the server exchanged with the client during login?

The third part of the JWT, hhhh.pppp.ssss, is the signature. The signature is computed with the server’s private key over the header and payload (hhhh.pppp) and protects the content. If an attacker modifies the content or the signature, the server will detect it when checking the signature and will reject the authentication.

Does the server save the generated token in the database or somewhere, keep updating a "last access timestamp" or something like that, and keep deleting tokens where last_accessed_time > 1 hour ago, so that they expire after 1 hour of inactivity?

It is not necessary. The signature is packaged in the token itself (ssss), which is why JWT is said to be self-contained.

The server has a cryptographic secret key or a key pair, public and private. The token is signed and verified with the private key (for HMAC symmetric keys), or signed with the private key and verified with the corresponding public key (for asymmetric RSA keys).

+22
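As an added illustration of this answer (not code from the answer or the linked article), here is a minimal HS256 JWT signer and verifier using only Python's standard library. It shows the hhhh.pppp.ssss layout, that verification needs no server-side token store (signature plus the exp claim are enough), that the payload is readable by anyone who holds the token, and that a modified payload fails the signature check. The secret and claims are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret; a real server keeps this out of source control.
SECRET = b"demo-secret-not-for-production"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(payload: dict, secret: bytes) -> str:
    """Build hhhh.pppp.ssss with HS256: ssss = HMAC-SHA256(secret, "hhhh.pppp")."""
    header = {"alg": "HS256", "typ": "JWT"}
    hhhh = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    pppp = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{hhhh}.{pppp}".encode()
    ssss = b64url_encode(hmac.new(secret, signing_input, hashlib.sha256).digest())
    return f"{hhhh}.{pppp}.{ssss}"

def verify_jwt(token: str, secret: bytes, now=None):
    """Return the payload if the signature and 'exp' check out, else None.
    Nothing is looked up server-side: the token carries everything needed."""
    try:
        hhhh, pppp, ssss = token.split(".")
    except ValueError:
        return None
    header = json.loads(b64url_decode(hhhh))
    if header.get("alg") != "HS256":      # the server fixes the algorithm itself
        return None
    expected = hmac.new(secret, f"{hhhh}.{pppp}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(ssss)):  # constant-time
        return None
    payload = json.loads(b64url_decode(pppp))
    if payload.get("exp", 0) <= (now if now is not None else time.time()):
        return None                        # expired: rejected without any database
    return payload

def peek_payload(token: str) -> dict:
    """The payload is only base64url-encoded, so anyone holding the token reads it."""
    return json.loads(b64url_decode(token.split(".")[1]))

def modified_payload(token: str, new_sub: str) -> str:
    """Re-encode the payload with a changed 'sub' but keep the original signature."""
    hhhh, pppp, ssss = token.split(".")
    payload = peek_payload(token)
    payload["sub"] = new_sub
    pppp2 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{hhhh}.{pppp2}.{ssss}"
```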

It's all about the token signature, not token encryption. The server just checks the signature; the JWT is not encrypted (unless you implement that yourself). Do not store sensitive data in a token, because by default it is not encrypted.

+1
