25 votes (Accepted)
Is it bad practice to store a user's email address in a JWT?
Yes, it is bad practice and a security problem.
Email addresses are PII (personally identifiable information). Like all other PII, email addresses should never be stored unencrypted at rest; doing so ...
20 votes (Accepted)
Difference between 'aud' and 'iss' in jwt
These are intended for scenarios where you have a token issuing authority that is not the same as the application that is the intended recipient.
This may not be different for your application.
But ...
19 votes
Is it bad practice to store a user's email address in a JWT?
The short answer is no. There should not be any problem because email is a valid and registered public claim.
I have a user DB where each user's unique ID is their email ...
Well, there's a ...
17 votes (Accepted)
Should we store JWTs in database?
The positives/pros I can see of storing the JWT token in our database would be that even after assigning the token we will have the power to invalidate or deactivate the existing tokens even before ...
14 votes
API key vs JWT - which authentication to use and when
The debate between API keys and JWT tokens is often mischaracterized as being simply JWT is standardized and more secure. There's much more balance and nuance to the decision.
You only need to look at ...
13 votes (Accepted)
cookie vs. session vs jwt
Cookies: in their early version, a text file with a unique client Id and all the other information needed about the client (e.g. roles)
Cookies are key-value tuples originally addressed to retain ...
10 votes (Accepted)
Should access permissions and roles be included in payload of JWT?
The purpose of including claims in the token is so you don't have to have that communication between the resource and the authentication provider.
The resource can just check that the token has a ...
10 votes (Accepted)
API key vs JWT - which authentication to use and when
JWT "no-brainer" choice is for any UI app which will need to authenticate users as well as any API calls which require authorization on the API, not just authentication.
Both API key and JWT can ...
8 votes
cookie vs. session vs jwt
Cookies: in their early version, a text file with a unique client Id and all the other information needed about the client (e.g. roles)
Your definition of cookie doesn't really describe what they do. ...
7 votes (Accepted)
REST API Authentication: Cookie vs Web Storage
Use both.
In your mobile app, you have better control over the code that runs and can avoid XSS vulnerabilities. So storing the token is not so problematic and you can have your code pass it to the ...
6 votes
Should microservices be users?
In general, as many operations as possible should be tied to a real, human user. It forces people to authenticate properly, it pushes for a single consistent authorization strategy, and it's an ...
6 votes (Accepted)
Should ID be given in URL if already secured with JWT containing ID?
If the purpose of this end point is to perform an operation on the "current user" as defined by the user in the JWT token, then you absolutely don't want the User Id in the URL.
You don't want ...
6 votes (Accepted)
Why is it fine to use a user's ID in their JWT, as opposed to their email/username?
Suppose the following scenario:
A user logs into your application from 3 different devices.
Each device gets a separate JWT to remember the login, with a different expiration date & time.
That ...
6 votes (Accepted)
Does possession of a valid JWT automatically imply the user is authenticated?
JWT is just a signed blob of data under the hood (we are not going to talk about JWTs without signature in this answer). How, when and why it was created cannot be known for sure. The only thing that ...
5 votes
JSON Web Token - why is the payload public?
The use of the term signature in the RFC is analogous to a digital signature in asymmetric cryptography. In asymmetric cryptography if the sender encrypts a message with their private key, anyone who ...
5 votes (Accepted)
When to derive user ID from authentication token vs. validate against?
The identifier in the URL can always be faked by an attacker. You need a mechanism to ensure that the identifier is actually valid. This is why when modelling endpoints executing a certain operation, ...
5 votes (Accepted)
What identity and/or access data are JWT claims intended for?
JWTs can be used for anything you want the server side to communicate back to itself or other services in the ecosystem in a trusted manner through an untrustworthy client. The user principal, ...
5 votes
Should I check for non-existing users with correctly signed tokens?
Two options:
Use a different signing key for each separate user DB. That way tokens cannot be valid in more than one system.
Store only a random surrogate key in the token. This key is then mapped to ...
4 votes
Is it bad practice to store a user's email address in a JWT?
It's commonplace to store a user's e-mail address in a token.
The properties of said e-mail address are up to the identity provider (is it unique, can it be changed etc.)
A few scenarios which are ...
4 votes
Should ID be given in URL if already secured with JWT containing ID?
I think you are muddling the concept of the id of the user that is authenticated and the id of the user that you want to delete. I could be wrong but it's a little unclear when a user would delete ...
4 votes
Client generated JWT
I have to admit, I've just created a REST API using the approach like the one described above:
We provide a username and secret for each client, which is allowed to access our REST service.
The client ...
4 votes
HTTP(S) API authentication: why not many services require signing (HMAC)?
When communicating with a web server, you may be interested in:
Guaranteeing that you're actually communicating with the server, not somebody who pretends to be that server.
Encrypting your ...
4 votes
Storing permanent JWT in HttpOnly + SameSite=Strict + Secure cookie?
The most fundamental rule of web application security is you cannot trust the client.
The expiry date is the single most important security feature of a JWT, because it's the only way you can tell ...
4 votes
What are the advantages of refresh token?
The key to systems with separate Access and Refresh tokens is that they involve three parties:
The client that wants to access some service
The service they want to access
A separate service which is ...
3 votes
Should access permissions and roles be included in payload of JWT?
One of the biggest problems I've come across is the fact that header size can become prohibitively large if you include all the user's roles/permissions.
3 votes
How Immediately Blacklist and Block Access of Access Token using JWT?
That's actually one of the caveats of completely stateless JWTs. You cannot invalidate a specific token. You may invalidate them all by changing your secret on the server, however this operation will ...
3 votes
How do you handle JWT expiration for long running calls?
What works is using a separate token for external-to-internal ("external token" for brevity) and internal-to-internal ("internal token" for brevity) requests:
When Clients send ...
3 votes
How do you handle JWT expiration for long running calls?
I don't understand why you think having the JWT token expire will be a problem. You should only be validating the expiry when the message hits your system (request submitted). If you have a Queue in ...
3 votes
Is this approach with JWT tokens wrong?
It sounds like you have a lot of permissions, and maybe those permissions have very long names. One way of reducing the overall token size would be to severely abbreviate them, and add a static class ...
3 votes (Accepted)
OWASP Broken Access Control by example: preventing users from reading/writing data that isn't theirs
Let's ignore JWT tokens for the moment and think of a classical session based authentication mechanism using cookies:
a user accesses a login page;
they use their username and password to login;
...