
I need to make JSONP REST calls in one of our apps. In order to authenticate I have to supply a JWT token in the URL.

I got some idea about its security aspects through this post.

Is it safe to put a jwt into the url as a query parameter of a GET request?

However, I'd like to understand a little more about how one could supply a JWT token to JSONP in a more secure way.

I may not be able to furnish more details about my app, but believe me, we have to use JSONP to serve a specific need.

Thanks a lot.

Rahul Winner

1 Answer

If it is part of the query parameter then it goes into the web server log files, and also (if not https) the logs of any intervening proxy server. If anyone can access those logs then they can re-use your token. This may not matter if the JWT has a fairly short expiry, but if it has a long expiry time it could be significant.

Also, if you put the token in the URL and the URL gets shared with another user, then until it expires they have your access to that resource. This would particularly matter if the URL with the token ever appears in an address bar, as someone might just copy/paste it.

A JWT is not usually encrypted, just signed. That means anyone can extract the information from the token even if it has expired. So if they get hold of old logs they have a record of which user accessed which content, and they may also be able to harvest personal data such as emails.

A better place to pass it would be in an Authorization header. Then it won't be logged, e.g.

    Authorization: Bearer <token goes here>

Duncan