21

The structure and protocol aside, I was wondering where JWT fits into client/server communication?

  • Is it here to replace authentication and session cookies?
  • Is it here to relieve servers of storing session tokens in a database or memory?
  • Is it for clients to make sure they are receiving data from the expected server and if that's not a concern I wouldn't need JWT?
  • Is it necessary or a good practice for server to server communication when the connection is HTTPS/SSL?
el_shayan
  • 2,735
  • 4
  • 28
  • 42

3 Answers3

49

What JWT is exactly?

It is a token that only the server can generate, and can contain a payload of data.

What's the point of it?

A JWT payload can contain things like user ID so that when the client sends you a JWT, you can be sure that it is issued by you, and you can see to whom it was issued.

Where can it be useful?

Usually, in RESTful APIs, where the server must not use any sort of sessions.

How does it differ from using sessions?

  • In a typical session flow, the browser sends a cookie containing a token, which is then matched at the server to some data which the server makes use of to authenticate the user.

  • In a JWT flow, the token itself contains the data. The server decodes the token to authenticate the user only. No data stored on the server.

What is a typical authentication flow using JWT?

  • User credentials sent to /signin
  • /signin returns a JWT (signed with a key)
  • JWT is stored in localStorage
  • JWT is sent on every request (to API)
  • The server can read the JWT and extract user ID out of it

Jwt contains the encoded form of the algorithm.data.signature and so if the user tries to fiddle with the user ID or any other data held in the jwt, then the jwt signature becomes invalid.

Jwt is encoded (not encrypted), so any one can read the data component of the jwt (see jwt.io for example). Therefore it is recommended not to store any secrets like password in the jwt.

It is also recommended to use an encrypted connection (SSL/TLS) when making the web request that contains the jwt because otherwise an attacker can steal the jwt and use it to impersonate you.

variable
  • 8,262
  • 9
  • 95
  • 215
OverCoder
  • 1,472
  • 23
  • 33
  • 2
    One of best answers I've heard ever. – Mohammad Barbast Feb 27 '20 at 10:54
  • Really? Do you store tokens in local storage?? https://cheatsheetseries.owasp.org/cheatsheets/HTML5_Security_Cheat_Sheet.html#local-storage – Nik Kashi Aug 29 '20 at 11:36
  • @MohsenKashi An XSS attack is basically when foreign JS runs within your website. In this case, the XSS script gains equal permissions to your own scripts; Thus, be it stored in cookies, LocalStorage, SessionStorage, IndexedDB, or anything, it'll be possible to have the stolen. It'll be next to impossible to protect a website while also being vulnerable to XSS. – OverCoder Aug 30 '20 at 14:54
  • @OverCoder Cookies with the `httpOnly` flag are not accessible through client-side scripts and thus are not vulnerable to XSS attacks. – Windom Earle Feb 14 '21 at 22:01
  • "It is a token that only the server can generate, and can contain a payload of data." What means payload? – zeroG Nov 21 '22 at 13:40
20

JWT is just a popular JSON based format of a security token.

JWT tokens are not invented to replace session cookies. They are mostly used to secure web APIs (request data). Session cookies on the other hand are used in web applications, where you log in a user and automatically send the cookies with each request (request pages).

JWT tokens are included in the Authorization HTTP header as part of the bearer authentication scheme. The main advantages of using bearer scheme authentication is that it's not vulnerable to CSRF attacks because your script needs to explicitly attach the token to the request and can be used cross-domain (unlike cookies).

Bearer scheme authentication does require HTTPS connections as anyone who manages to steal the token can use it to access the API for as long as the token is valid.

Security protocols like OAuth2 use JWT tokens to secure APIs. OpenID Connect uses JWT tokens to authenticate web applications, but stores the token in a cookie.

Since JWT tokens are digitally signed by the issuer (server doing the authentication), they can be validated without talking to the server again. Digital signatures allow you to sign a piece of data (JWT token in this case) with a private key and the server receiving the token only needs the public key to verify that none of the data was changed. So the API server only needs the public key (which is not secret) from an authorization server to trust tokens it issues. The client of the API brings the token and the API server can verify it without talking to the authorization server.

Community
  • 1
  • 1
MvdD
  • 22,082
  • 8
  • 65
  • 93
2

IMO JWT is mostly useful when the issuer (who generates the JWT) and the receivers (who verify the JWT) belong to different autonomous parties. Although it is possible, there is no need to replace authentication/session-cookie/token-storage/etc with JWT.

Jin Liu
  • 2,203
  • 15
  • 13