Is JWT necessary over HTTPS communication?

I'm developing a MEAN stack application, and I'm currently setting up an account system. I've seen several tutorials about Authentication, all using JWT.

I am wondering if JWT could be used as a way to secure the communication transport over a non-secured connection like HTTP.

I've set up HTTPS to communicate from my Angular 4 front-end to my NodeJS + Express back-end, and I am thus wondering whether JWTs are necessary to secure my communications.

Maxime Flament asked Aug 31 '17 09:08



2 Answers

JWT should not be confused with encryption. From jwt.io:

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.

The JWT is signed with public/private key pairs so the sender can be verified, and so it can be verified that the payload has not been modified. However, the JSON Web Token is in clear text.

// Decoding the payload needs no key: it is only base64url-encoded, not encrypted.
var token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ";

// The middle segment is the payload; map base64url characters back to base64 so atob() accepts it.
var payload = token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');

console.log('Payload: ' + atob(payload));

Below is a figure from jwt.io showing the authentication flow when using JWT. [figure: jwt.io JWT authentication flow]

You need SSL/HTTPS to encrypt the communication. Without SSL/HTTPS, attackers can sniff the network traffic and obtain the JWT, hence your application is vulnerable to man-in-the-middle attacks.

rckrd answered Sep 29 '22 18:09


Is JWT necessary over HTTPS communication?

No. The communication protocol (HTTP vs. HTTPS) is one thing, and the authentication mechanism (JWT vs. session) is another; these are two totally different areas.

For the communication protocol (HTTP vs. HTTPS), HTTPS can be used alone, without any JWT tokens or sessions. For example, a static web site can be made (only HTML+CSS) and served with HTTPS. In this way, the web site can be certified by a CA, which prevents forgery attacks.

Even if you need authentication in a web application, a JWT token is not the only choice. Sessions are old technology but still reliable, which makes JWT definitely NOT necessary.

shaochuancs answered Sep 29 '22 18:09