0

I'm new to the authentication stuff. I have an application which, after login, sends the credentials to the server; the server generates the JWT token and sends it back to the client (mobile device).

This is my question: after having the JWT available, where should I store my information on the upcoming requests? For example, if I want to send a POST request I have two approaches:

  1. store needed information on the request's body
  2. after encoding the information in JSON format in Base64, store it in the payload of the JWT

Maybe I'm wrong and these are not the solutions. I just wanted to know what the best (standard) approaches for this job are.

Shahin Ghasemi
  • The JWT is an authentication/authorization token that you need to pass back to the server if you want it to do this for you. You (the client application) cannot modify it; you just include it in your requests as is. The other information those requests need can go where it would otherwise go (URL, query parameters, request body, etc.). – Thilo May 22 '18 at 10:16
  • @Thilo thanks for your quick feedback. I was wondering whether there would be security issues unless sending the information in the authorization header – Shahin Ghasemi May 22 '18 at 10:21

2 Answers

1

JWT tokens are to be sent back and forth with each request, and as mentioned in the comments you cannot modify them.

The token can be sent as a bearer token in the authorization header.

Authorization : Bearer <token>

For the request parameters of the API requests you are making, you can send them as part of the request body for a POST.

And on an additional note, your requests would still be vulnerable to CSRF. You can use any CSRF library to generate a CSRF token. This would provide better security for your application.

gkrthk
  • Thanks! Is there any necessity to send the token using the format you mentioned above? I mean, can we send it just in this way: Authorization : (without Bearer) – Shahin Ghasemi May 22 '18 at 10:35
  • 1
    It's a standard proposed by JWT itself. Bearer is a type of scheme for authorization/authentication tokens. I suggest following the one mentioned in the answer. Refer below for more insights: https://www.google.co.in/url?sa=t&source=web&rct=j&url=https://stackoverflow.com/questions/33265812/best-http-authorization-header-type-for-jwt&ved=2ahUKEwi5xdCJkZnbAhUafH0KHUrZCJEQFjAAegQICRAB&usg=AOvVaw0dt1ulzTTeAbwDU9fWDtYN – gkrthk May 22 '18 at 10:42
1

The JWT token should be sent as a bearer token with each request the client makes to the server.

It is typically added in the Authorization header using the Bearer scheme.

Authorization: Bearer <token>

For a more detailed explanation of JWT tokens please see https://jwt.io/introduction/

Thom