I have implemented a JWT based authentication system for one of our API usage requirements. This means that if a user wants to access any REST API, they communicate with the API using a JWT token. These are the steps that should be followed:
- The user calls the /Authenticate method, passing username/password.
- The system validates the user and returns the JWT token and timeout in a response.
- Now the user calls the /Employee/Get API method with the JWT token in the request header, e.g. Authorization: Bearer {token}.
- Things are working quite well.
Now the question is: once the token is generated, any user can grab the token by capturing the network request, or with any tool that can read the request/response on the network.
This means that if I have generated the JWT token for user Mark, then by grabbing the same token, some other user can pass the same token in the header and access my /Employee/Get API method.
Now, the token will be validated because it was generated by the same system, and the system doesn't know about the user; it just knows the JWT token.
How would I ensure that the other user cannot use the same token, or that even if they pass the same token, my system rejects the request? How would I make it secure?
Thanks in advance!
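The /Authenticate and /Employee/Get flow from the question, as an added example (not code from the post): a minimal HS256 issue/verify pair over the Python standard library. It shows what the server actually checks on the bearer token (header shape, signature, expiry) and that nothing in that check identifies who is presenting it. The signing key, claim names and timestamps are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; a real deployment loads this from secure configuration.
SECRET = b"demo-signing-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def authenticate(username: str, lifetime_s: int, now: int) -> dict:
    """/Authenticate: after the user is validated, return the token and its expiry."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": username, "iat": now, "exp": now + lifetime_s}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return {"token": signing_input + "." + _b64url(sig), "expires": now + lifetime_s}


def verify_bearer(auth_header: str, now: int) -> Optional[dict]:
    """Checks run on /Employee/Get: 'Bearer ' prefix, three-part shape, HMAC signature, expiry.
    Returns the claims on success, None on rejection. The caller's identity is never consulted:
    whoever presents a valid token is treated as the 'sub' claim inside it."""
    if not auth_header.startswith("Bearer "):
        return None
    parts = auth_header[len("Bearer "):].split(".")
    if len(parts) != 3:
        return None
    signing_input = parts[0] + "." + parts[1]
    expected = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    # Constant-time comparison; a tampered payload or signature fails here.
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        return None
    claims = json.loads(_b64url_decode(parts[1]))
    if claims.get("exp", 0) <= now:
        return None
    return claims


def employee_get(auth_header: str, now: int) -> tuple:
    """Simulated /Employee/Get endpoint: 401 without valid claims, else data for 'sub'."""
    claims = verify_bearer(auth_header, now)
    if claims is None:
        return (401, "unauthorized")
    return (200, "employee record for " + claims["sub"])
```

Editing the `sub` claim while keeping the original signature fails the HMAC check, and an expired token fails the `exp` check; a verbatim copy of a live token passes either way.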