I am struggle for a stable answer for this question and not getting any. My doubts are
sub
?Authentication server verifies the credentials and issues a jwt signed using either a secret salt or a private key. User's Client uses the JWT to access protected resources by passing the JWT in HTTP Authorization header. Resource server then verifies the authenticity of the token using the secret salt/ public key.
JWT is also a great way to secure information transmission between parties — two servers, for example — and because you can verify the validity of the token (signature, structure, or the standards claimed in the JWT).
Although JWT does eliminate the database lookup, it introduces security issues and other complexities while doing so. Security is binary—either it's secure or it's not. Thus making it dangerous to use JWT for user sessions.
A JWT can still be valid even after it has been deleted from the client, depending on the expiration date of the token. So, invalidating it makes sure it's not being used again for authentication purposes. If the lifetime of the token is short, it might not be an issue.
1) You need to store some user identification in JWT. Usually it makes sense to list her granted rights verified during authentication and something like display name. Definitely do not store password.
2) No, token is not stored in the database. Tokens are short lived and need to be re-issued every few minutes transparently to user.
3) Every time JWT is re-issued it is unique because one of the things encoded in it is the timestamp for when it expires.
4) First token is created during authentication. Then each request validates the token by decoding it using the private key you used to encode it. If the token is expiring soon you issue the new one using the same data + updated expiration timestamp.
5) Log out is now a front end's job. You need to stop sending requests with the token. Perhaps delete the cookie if you are sending JWT as a cookie.
6) This is better than using session because it is stateless. First obvious win is that you no longer need to store session info in database/maintain client ip address affinity if you are running a cluster of multiple web servers.
In addition to MKs answer (to which I agree) and specifically to your questions 1 and 4: The password is only used in the first request to obtain the accesss token and of course never part of the token itself.
When you request the access token for the first time, you usually start by sending a token request to the token endpoint, in case of the so called Resource Owner Password Credentials Grant
with user credentials in the request header, e.g.
grant_type=password&username=user1&passowrd=very_secret
The authorization server (which might be a different endpoint on your resource server) will check the credentials and create an access token which will be used on all subsequent calls to the resource server. The resource server just checks the validity of the token, i.e checks if the signature matches the content.
For reference : JWT is described in RFC 7519
General introduction can be found on https://jwt.io
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With