JWT & OAuth2 - Does the server store the token? & How are they Secure/Hacker Safe?

I am a complete noob when it comes to security, authentication strategies. So I was reading this article about "Token Based Authentication": https://scotch.io/tutorials/the-ins-and-outs-of-token-based-authentication

I have 2 questions:

  1. I don't understand why a middleman (or a hacker) would not be able to see the token being sent by the client and use the same to impersonate that client/person to retrieve resources? What makes JSON Web Tokens / OAuth2 based authentications safer in that sense? If we used a one-time-use-only token every time, I would understand that even if the hacker can read the token he will not be able to use it for another request. But as the token stays the same until it expires, how is that a safer authentication strategy?

  2. How does the server know that the token sent by the client is valid, i.e. something that the server exchanged with the client during login? Does the server store the generated token in a database or somewhere, keep updating the "last accessed timestamp" or something, and keep removing the tokens where last_accessed_time is > 1 hour ago, to keep expiring it after 1 hour of inactivity?

user1102532 asked Jul 26 '16 17:07



2 Answers

I don't understand why a middleman (or a hacker) would not be able to see the token being sent by the client and use the same to impersonate as that client/person to retrieve resources?

JWT does not protect you from a man-in-the-middle (MITM) attack. If an attacker gets a valid token, they can effectively impersonate the user, even if the content is encrypted.

JWT should be used over an SSL/TLS connection to avoid MITM.

What makes JSON Web Tokens / OAuth2 based authentications safer in that sense?

JWT is a token format, and OAuth2 is a protocol. OAuth2 can use JWT. OAuth2 is safer for a user using a third-party site because credentials are only sent from the user to the main site; the site then issues a token that the third-party site can use to authenticate the user. The third-party site never sees the user credentials.

But as the token stays the same until it expires, how is that a safer authentication strategy?

Read above. You need to protect your tokens from being stolen (mainly, use HTTPS) or mitigate the effects of theft: store them in cookies with HttpOnly (if you do not need to access the JWT content on the client side), set a short expiration time, rotate tokens...

How does the server know that the token sent by the client is valid i.e something that the server exchanged with the client during login.

The third part of a JWT like hhhh.pppp.ssss is the signature. The signature is computed with the server's private key over the header and payload (hhhh.pppp), and it protects the content. If an attacker alters the content or the signature, the server will detect it when verifying the signature and will reject the authentication.

Does the server store the token generated in a database or somewhere and keep updating the "last accessed timestamp" or something and keeps removing the tokens where last_accessed_time is > 1 hour ago, to keep expiring it after 1 hour of inactivity?

It is not needed. The signature is packed in the token itself (ssss); therefore it is said that JWT is self-contained.

The server has a cryptographic secret key or a key pair, public and private. The token is signed and verified with the secret key (for HMAC symmetric keys), or signed with the private key and verified with the corresponding public key (for RSA asymmetric keys).

pedrofb answered Oct 24 '22 13:10


It is all about signing the token, not encrypting the token. The server just verifies the signature; JWT is not encrypted (unless you implement it). Don't store sensitive data in the token, because it is not encrypted by default.

Amir Sasson answered Oct 24 '22 14:10
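Both answers describe the same mechanism: the server checks the signature over hhhh.pppp with its key and needs no token table, while the payload is only base64url-encoded and readable by anyone who holds the token. The Python below is added here as an illustration and is not code from either answer or from the linked tutorial; it implements HS256 signing and verification with the standard library only, and the secret, claims and timestamps are constructed demo values.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))  # restore '=' padding

def encode_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def sign_hs256(payload: dict, secret: bytes) -> str:
    # hhhh.pppp is the signing input; ssss = HMAC-SHA256(secret, "hhhh.pppp").
    signing_input = encode_segment({"alg": "HS256", "typ": "JWT"}) + "." + encode_segment(payload)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_hs256(token: str, secret: bytes, now: int):
    # Returns the claims, or None on any failure; no server-side token store is consulted.
    try:
        hhhh, pppp, ssss = token.split(".")
        if json.loads(b64url_decode(hhhh)).get("alg") != "HS256":
            return None  # never let the token choose the algorithm
        expected = hmac.new(secret, f"{hhhh}.{pppp}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(ssss)):
            return None  # payload or signature altered, or wrong key
        payload = json.loads(b64url_decode(pppp))
        if "exp" in payload and now >= payload["exp"]:
            return None  # 'exp' does the job of the last_accessed table the question imagines
        return payload
    except (ValueError, TypeError, AttributeError):  # malformed segments, JSON or claims
        return None

def read_payload_unverified(token: str) -> dict:  # no key needed: base64url is encoding, not encryption
    return json.loads(b64url_decode(token.split(".")[1]))

DEMO_SECRET = b"constructed-demo-secret"  # constructed value, not a real key
def demo(now: int = 1_699_999_000) -> dict:
    token = sign_hs256({"sub": "alice", "role": "user", "exp": 1_700_000_000}, DEMO_SECRET)
    # Replace pppp with an elevated role but keep the original ssss: verification must fail.
    forged = token.split(".")[0] + "." + encode_segment({"sub": "alice", "role": "admin", "exp": 1_700_000_000}) + "." + token.split(".")[2]
    return {
        "valid": verify_hs256(token, DEMO_SECRET, now),
        "expired": verify_hs256(token, DEMO_SECRET, 1_700_000_000),
        "forged_payload": verify_hs256(forged, DEMO_SECRET, now),
        "readable_without_key": read_payload_unverified(token),
    }
```

Running demo() shows the forged and expired tokens rejected without any database lookup, while read_payload_unverified() recovers the claims with no secret at all, which is why sensitive data does not belong in the payload.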