What is protected in a JWT?

I use JWT to produce and consume tokens. After weeks of reading specs and googling, I still don't understand what is protected in the token if I can create it on one machine and then open it on another. Is the written token supposed to be encrypted? I use System.IdentityModel.Tokens and create a token using JwtSecurityToken and JwtSecurityTokenHandler.

Can someone point me to focused documentation on this topic that explains its security aspects?

+7
c# oauth jwt
2 answers

The first two JWT segments are not encrypted, so any application that generates a JWT on the server and sends it to the client must do this over SSL. It is usually sent to the user in response to a login request, which should be sent over SSL anyway, since it usually contains a username and password combination. Subsequent requests sent to the server must also be made over SSL, because no matter what token you use - be it JWT or something else - it should not be visible in unencrypted form to packet sniffing, otherwise user sessions may be captured.

The security aspect of JWT relates to the third and final segment. It is created by signing the first two segments with a secret key that only the server knows. When a server-generated JWT is sent back to that server as part of an authenticated request, the server knows the key and can therefore verify the signature in the third segment, and use that signature to ensure that the first two segments have not been changed since they were signed by the server.

+22

From what I can tell, the C# JwtSecurityToken is not intended to encrypt its contents (which seems to be what your question is about). Instead, it is intended to sign its contents. This corresponds to the typical token security model: the token should be a piece of information that is otherwise protected.

The difference is that you are not trying to hide any information; you are just checking the source of the information (as well as its integrity, but that is related).

For example, Twitter can give you a token with the data "eddyuk", "eddyuk awesome application" and assume that it is enough for authorization. To prevent me from making my own token for the same purpose, they can sign it, so that an exact copy of the original token is required for use.

This serves two purposes: you do not need to maintain a complex mapping scheme, and if your signature method is secure, it is impossible to guess.

Please note that there is a way to store encrypted information in a token using some other implementations, but the C# one does not support this functionality.

+4
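The two answers above make the same point from two sides: the first two segments are only base64url-encoded and readable by anyone who holds the token, while the third segment is an HMAC over them that only the holder of the server secret can produce, so a forged or edited payload fails verification. The following is an added example (not code from the question, the answers, or the .NET library they mention) that builds a minimal HS256 JWT with only the Python standard library, reads the claims back without any key, then tampers with the payload and shows that verification rejects it. The secret, the claims and the helper names are all constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed example secret: in a real deployment it never leaves the server.
SERVER_SECRET = b"server-only-secret-assumed-for-this-example"


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWT segments use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode; restores the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def create_jwt(payload: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT: header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    # The third segment is an HMAC over the first two; it does not hide them.
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def read_claims_without_key(token: str) -> dict:
    """Anyone holding the token can decode the first two segments: no key is needed."""
    header_seg, payload_seg, _sig_seg = token.split(".")
    return {
        "header": json.loads(b64url_decode(header_seg)),
        "payload": json.loads(b64url_decode(payload_seg)),
    }


def verify_jwt(token: str, secret: bytes) -> Optional[dict]:
    """Return the payload only if the third segment is a valid HMAC over the first two."""
    try:
        header_seg, payload_seg, sig_seg = token.split(".")
        header = json.loads(b64url_decode(header_seg))
        # Pin the algorithm on the server side; never let the token choose the check.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(
            secret, f"{header_seg}.{payload_seg}".encode("ascii"), hashlib.sha256
        ).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_seg)):
            return None
        return json.loads(b64url_decode(payload_seg))
    except ValueError:
        # Wrong segment count, bad base64 or bad JSON: treat as an invalid token.
        return None


def tamper_payload(token: str, new_payload: dict) -> str:
    """Swap the payload but keep the old signature: all an attacker without the key can do."""
    header_seg, _payload_seg, sig_seg = token.split(".")
    new_seg = b64url_encode(json.dumps(new_payload, separators=(",", ":")).encode())
    return header_seg + "." + new_seg + "." + sig_seg


if __name__ == "__main__":
    token = create_jwt({"sub": "eddyuk", "role": "user"}, SERVER_SECRET)
    print("readable by anyone :", read_claims_without_key(token)["payload"])
    print("verified on server :", verify_jwt(token, SERVER_SECRET))
    forged = tamper_payload(token, {"sub": "eddyuk", "role": "admin"})
    print("forged, readable   :", read_claims_without_key(forged)["payload"])
    print("forged, verifies?  :", verify_jwt(forged, SERVER_SECRET))
```

Running it shows the claims of both the genuine and the forged token in the clear, which is why the first answer insists on SSL for every request that carries the token, while only the genuine token survives `verify_jwt`. The algorithm check is pinned to HS256 in the verifier rather than read from the token, so a token that announces a different algorithm is rejected before its signature is even examined.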
