JWT & OAuth2 - Does the server store the token? & How are they Secure/Hacker Safe?

Question

I am a complete noob when it comes to security, authentication strategies. So I was reading this article about "Token Based Authentication": https://scotch.io/tutorials/the-ins-and-outs-of-token-based-authentication

I have 2 questions:

1. I don't understand why a middleman(or a hacker) would not be able to see the token being sent by the client and use the same to impersonate as that client/person to retrieve resources? What makes JSON Web Tokens / OAuth2 based authentications safer in that sense? If we use a onetime-use-only token every time, I would understand that even if the hacker can read the token he will not be able to use it for another request. But as the token stays the same until it expires, how is that a safer authentication strategy?

2. How does the server know that the token sent by the client is valid i.e something that the server exchanged with the client during login. Does the server store the token generated in a database or somewhere and keep updating the "last accessed timestamp" or something and keeps removing the tokens where last_accessed_time is > 1hour ago, to keep expiring it after 1 hour of inactivity?

Answer 1

I don't understand why a middleman (or a hacker) would not be able to see the token being sent by the client and use the same to impersonate as that client/person to retrieve resources?

JWT does not protect you to a man-in-the-middle (MITM) attack. If an attacker gets a valid token, can effectively impersonate. Even if the content is encrypted.

JWT should be used with a SSL/TLS connection to avoid MITM

What makes JSON Web Tokens / OAuth2 based authentications safer in that sense?

JWT is a token format, and oauth2 is a protocol. oauth2 can use jwt. Oauth2 is safer to the user using a third party site because credentials are only sent from the user to the main site, then the site issues a token that can be used by the third party site to authenticate user. The third party site never see the user credentials

But as the token stays the same until it expires, how is that a safer authentication strategy?

Read above. You need to protect your tokens to not be stolen: Mainly use HTTPS, or mitigate its effects: store in cookies with HttpOnly (if you do not need to access JWT content in client side), set expiration time short, rotate tokens...

How does the server know that the token sent by the client is valid i.e something that the server exchanged with the client during login.

The third part of a JWT like hhhh.pppp.ssss is the signature. The signature is performed with server private key over the header and payload (hhhh.pppp), an protects the content. If an attacker alters the content or the signature, the server will detect it verifying the signature and will reject the authentication.

Does the server store the token generated in a database or somewhere and keep updating the "last accessed timestamp" or something and keeps removing the tokens where last_accessed_time is > 1 hour ago, to keep expiring it after 1 hour of inactivity?

It is not needed. The signature is packed in the token itself (ssss), therefore it is said that JWT is self-contained

The server has a cryptographic secret key or a key pair, public and private. The token is signed and verified with the secret key (for HMAC symmetric keys), or signed with the private key and verified with the corresponding public key (for RSA asymmetric keys).

Answer 2

It is all about signing the token not encrypting the token. The server just verifies the signature, JWT is not encrypted (unless you implement it). Dont store sensitive data in the token, cause it is not encrypted by default.