Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Is it ok to store user credentials in the JWT

Tags:

json

jwt

json-web-token

Is it ok to store user credentials (username / password) in the JWT (so sign it and verify the resulted token later)?

I heard that

No, it is not secure to send a password in a JWT. This is because the JWT claims are simply encoded and can easily be decoded by anyone that sees them. It is not secure to store any sensitive information in a JWT that returned to a user

but I don't know why does the JWT website recommends using it for authentication purposes then:

When should you use JSON Web Tokens?

Here are some scenarios where JSON Web Tokens are useful:

Authentication: This is the most common scenario for using JWT. Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token. Single Sign On is a feature that widely uses JWT nowadays, because of its small overhead and its ability to be easily used across different domains

like image 838
FrozenHeart Avatar asked Mar 07 '17 15:03

FrozenHeart

People also ask

Should I use JWT for login?

Bottom line. Although JWT does eliminate the database lookup, it introduces security issues and other complexities while doing so. Security is binary—either it's secure or it's not. Thus making it dangerous to use JWT for user sessions.

What information should be stored in JWT?

jwt Getting started with jwt What to store in a JWTRegistered claims like sub , iss , exp or nbf. Public claims with public names or names registered by IANA which contain values that should be unique like email , address or phone_number . See full list. Private claims to use in your own context and values can ...

Is JWT secure for authentication?

The general opinion is that they're good for being used as ID Tokens or Access Tokens and that they're secure - as the tokens are usually signed or even encrypted. You have to remember though, that JWT is not a protocol but merely a message format.

Can I store sensitive data in JWT?

When a JWT is encrypted, you can share sensitive data securely (unless the algorithm or the key are compromised).

1 Answers

The JWT is the result of the authentication. For example

  1. User sends his credentials (e.g. username/password) to an authentication service. It could be a third party one or one inside your monolith or your own microservices dedicated to authentication.
  2. The service validates username-password. If authentication success it returns an JWT that represents that the user is already authenticated, in other words he is who claim he is. This JWT could contain a payload without sensitive information (don't store the password here).
  3. The user sends another request to a service business with the JWT. If the JWT isn't expired and is not corrupted (the sign is still valid) then the service could trust in its JWT. Maybe this task will be delegated to an authorization service.

What is inside the JWT token?

Well, the simplest JWT contains information about the sign (I can't enter in much detail here because I'm not a security expert) that allows to check if the sign has been corrupted when a request with the JWT is received.

This information can be verified and trusted because it is digitally signed

Besides that, the JWT allows to send a payload.

More formally, the JWT is composed by:

  • Header: type of the token + hashing algorithm being used
  • Payload: Claims are statements about an entity (typically, the user) and additional metadata.
  • Signature: The signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way.

For example, if I send a request to a authentication service with my credentials username:password being gabriel:giussi, it will check these credentials and if they're OK it could create the following JWT: enter image description here

Then with every request I will then the encoded JWT that contains my username and the service will

  • Perform authorization (What Gabriel is authorized to do?) if the JWT sign is valid.
  • Ask me to login again if the JWT has expired
  • Return an authentication error if the sign is broken.
like image 187
gabrielgiussi Avatar answered Oct 04 '22 23:10

gabrielgiussi
Sign in to Comment

Related questions

JAX-RS and java.time.LocalDate as input parameter
Push data into JSON array
How to make multiple assignment of field values in jq?
How to prettyprint (human readably print) a Python dict in json format (double quotes)? [duplicate]
Converting a string to JSON in C#
How to use jq to find all paths to a certain key
Deserialize only one property of a JSON file
Iterate through nested json object array
Importing JSON into Mysql
How do I use json variables in a yaml file (Helm)
How to create dynamic routes with react-router-dom?
Noise-free JSON processing with Scala
Textually diffing JSON
How to read content of remote file in Ruby on Rails?
Angular JS ngResource with nested resources
Parsing JSON in Play2 and Scala without Data Type
Android Retrofit | Post custom object (send json to server)
JSON Array to Java objects
Generate Json Schema from POJO with a twist
Laravel casting JSON to array?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!