3

Basically, I'm using JWT authentication where, after successfully logging in, I return the JWT token, its expiration time and the user's GUID (should I?).

And let's take an example:

I have an endpoint that returns User specific data that requires being authenticated

So, how should I do that?

Let's say that

user1 generated his jwt: "a.b.c"

user2 generated his jwt: "c.b.a"

How can I ensure that user1 will not use his JWT to access user 2's data?

I thought about (as I previously mentioned) sending the user's GUID with the JWT token and using it as a way to identify that user, but if somebody had somebody else's GUID then he'd be able to manipulate his data, which is not good.

Thanks in advance.

UbuntuCore
  • Hello, I see you are new here, so welcome to Stack Overflow. Please take [this tour](https://stackoverflow.com/tour) to figure out the nature of the questions that are supported in this community. As for the question you asked, it looks [too broad](https://meta.stackoverflow.com/questions/351670/what-makes-this-question-too-broad). Try something out and post your code; then maybe we could help. – Romeo Sierra Jul 19 '18 at 09:40
  • That is the nature of a JWT. If somebody managed to hijack your JWT, then they could essentially pretend to be you. There are things you can do to help negate that, though, like using secure connections so that it isn't intercepted and not using a JWT with a really long lifespan. – Scott Bamforth Jul 19 '18 at 10:03
  • `How can I ensure that user1 will not use his JWT to access user's 2 data?` The JWT payload usually has a `sub` claim, which is an identifier of who the token was issued to. Store the `userid` in this, then check the two. Then the JWT owner can only access its own matching `userid` data. – Mardoxx Jul 19 '18 at 10:22
  • If user1 can get his hands on a JWT he can also pretend to be user1; hence usually the communication between your client and the server has to be encrypted so that the data can be read only by the intended user. So in this case user2's JWT should not be sent to user1, and when the token is being sent the communication channel has to be encrypted. Here is a good article on the OAuth 2.0 workflow: https://requests-oauthlib.readthedocs.io/en/latest/oauth2_workflow.html – Pharaoh Jul 19 '18 at 11:35
  • To add to Mardoxx's point: if a token is signed you can read the contents of the token, but without the private key you can't change it; the signature prevents tampering. – Mark G Jul 19 '18 at 23:51

2 Answers

0

If user1 and user2 send requests from separate IPs, you can generate the JWT token by concatenating the username and the client IP, and when validating the token check that the request was sent from the validated username+IP and that it matches the username+IP from the decrypted token; else use a data filter mechanism.

Yakamuz
0

It answered my question:

@Mardoxx

How can I ensure that user1 will not use his JWT to access user's 2 data? jwt payload usually has sub claim which is an identifier of who the token was issued to. Store userid in this then check the two. Then jwt token owner can only access its own matching userid data.

And

If user1 and user2 send requests from separate IPs, you can generate the JWT token by concatenating the username and the client IP, and when validating the token check that the request was sent from the validated username+IP and that it matches the username+IP from the decrypted token; else use a data filter mechanism.

And

https://stackoverflow.com/a/45315377/10074551

You should be able to retrieve claims like this within your controller:

using System.Collections.Generic;
using System.Security.Claims;

// Inside an action method: HttpContext.User is populated by the
// authentication middleware only after the JWT signature was validated.
var identity = HttpContext.User.Identity as ClaimsIdentity;
if (identity != null)
{
    // All claims carried by the token
    IEnumerable<Claim> claims = identity.Claims;
    // or a single claim by type; null when the claim is absent
    string claimValue = identity.FindFirst("ClaimName")?.Value;
}
UbuntuCore
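A framework-neutral worked example of the check Mardoxx describes and the accepted answer adopts, added here as an illustration and not code from the question or from the linked answers: the server issues an HS256 JWT whose `sub` is the authenticated user's id, verifies the signature before trusting anything in the payload, and authorizes the request against `sub` rather than against a GUID the client sends. It also shows why user1 cannot simply edit `sub` to user2's id: the signature no longer matches and the token is rejected. The secret, the user ids and the data store are constructed for the example. (A caveat for the ASP.NET Core snippet above: the JWT bearer handler maps the `sub` claim to `ClaimTypes.NameIdentifier` by default, so `FindFirst("sub")` returns null unless the inbound claim type map is cleared.)

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Constructed demo secret; in a real service load it from a secret store.
SECRET = b"constructed-demo-secret-do-not-reuse"

# Constructed per-user data the endpoint protects.
USER_DATA: Dict[str, dict] = {
    "user1": {"email": "u1@example.test"},
    "user2": {"email": "u2@example.test"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, ttl_seconds: int = 3600, now: Optional[int] = None) -> str:
    """Issue an HS256 JWT after login; `sub` identifies the authenticated user."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": now, "exp": now + ttl_seconds}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, now: Optional[int] = None) -> dict:
    """Return the claims only after the signature and expiry check out; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if not isinstance(claims.get("sub"), str):
        raise ValueError("missing sub")
    return claims


def get_user_data(token: str, requested_user_id: str, now: Optional[int] = None) -> Tuple[int, dict]:
    """GET /users/{requested_user_id}: authorize by the token's sub, not by anything the client sent."""
    try:
        claims = verify_token(token, now=now)
    except ValueError as err:
        return 401, {"error": str(err)}
    if claims["sub"] != requested_user_id:
        return 403, {"error": "forbidden"}
    return 200, USER_DATA[claims["sub"]]


def tamper_sub(token: str, new_sub: str) -> str:
    """Simulate user1 rewriting the unsigned payload to claim user2's identity."""
    h, p, s = token.split(".")
    claims = json.loads(_b64url_decode(p))
    claims["sub"] = new_sub
    return h + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()) + "." + s


if __name__ == "__main__":
    t0 = 1_700_000_000
    user1_token = issue_token("user1", now=t0)
    print(get_user_data(user1_token, "user1", now=t0))                    # 200, user1's data
    print(get_user_data(user1_token, "user2", now=t0))                    # 403, sub mismatch
    print(get_user_data(tamper_sub(user1_token, "user2"), "user2", now=t0))  # 401, bad signature
    print(get_user_data(user1_token, "user1", now=t0 + 3601))             # 401, expired
```

If the endpoint only ever serves the caller's own data, drop the `{requested_user_id}` route parameter altogether and key the lookup on `sub`; then there is no client-supplied id to compare and nothing for user1 to manipulate.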