
There is a lot of discussion favoring the view that a token-based authentication architecture for a MEAN application is secure. But my question is: does it really pass the user-name and password for authorization and authentication as the payload in a JSON Web Token? And if we are not passing secured information in the payload, then how does the JSON Web Token authenticate the user without a user-name/password on the server side?

I read lots of architecture material, but it doesn't explain what logic is used to authenticate a token without using a user-name/password.

Is it valid to store the authentication token in cookies rather than web storage?

Yes, I know that they use a private key and public key for verification, but that's not enough to authenticate. To authenticate a specific user requires some key values like user-name/password or some access key that identifies the particular user.

Dipak

1 Answer


No, it is not secure to send a password in a JWT. This is because the JWT claims are simply encoded and can easily be decoded by anyone that sees them. It is not secure to store any sensitive information in a JWT that is returned to a user.

You seem to misunderstand the JWT's role in authentication. Generally, JWT authentication is going to replace a stateful session system. In many normal flows, a user authenticates using their username and password and the server sets a session cookie for the user. When the user returns to the website, their browser sends the session cookie along with them. The server sees a request coming in with a session cookie and looks up the relevant session data from some database.

In many JWT-based systems, a user authenticates with their username and password as usual, but instead of the authorization server setting a session cookie that references something in the database, it will set a cookie that contains a JWT of the user's session data. This could include their username, any roles they have, or any other data necessary.

Now, when the user returns to the website and their browser presents this new JWT cookie, the server only needs to verify that it was signed by the authorization server in order to trust the claims inside. Avoiding the database lookup for session information has many benefits, not the least of which is speed.

Michael Davis
  • Thank you very much for sharing this knowledge. So it means that JWT manages some type of session database on the server side, in which it uses a reference to the JWT token on the server side to verify token expiry and validity. So in a MEAN application, do I create a new session MongoDB collection to store and manage the JWT token if I use the express-jwt module? – Dipak Apr 15 '16 at 06:08
  • That would certainly be possible, but a lot of people store the session data directly in the JWT and replace server-side sessions entirely. If you are just going to use the JWT to look up a session in the database, why are you using a JWT? – Michael Davis Apr 15 '16 at 17:52
  • I am really a bit confused about the process flow of JWT: how it is helpful and how it works. I referred to so many diagrams and blogs, but I still can't get an answer to how JWT is helpful and how it works properly. I know the general process of JWT very well, but how does JWT refresh a token when it has the same secret and payload? JWT really takes too much time to understand the internal process, specifically for me. And the big question is how does it authenticate a token; I read so many blogs, but it's still abstract for me. – Dipak Apr 17 '16 at 11:08