I am new to JWT. I studied a bit about JWT and understood that it is framed as "header.claims.signature".
Consider a simple scenario as follows:
Once authenticated, the server finds the type of customer, and I am assuming that the customerId and the roles will be part of the "claims" in the JWT. Let me know if my assumption is incorrect (or against the standard).
The "claims" part of the JWT is not encrypted (just encoded). That exposes an easy security hole, where the (service) consumer can simply modify the "claims" part of the JWT and resend it with more roles (for which the customer/consumer is not authorized).
If my understanding/assumption is incorrect, how do we achieve what I am targeting?
Role-based access control allows you to set granular access to your site, or to specific pages. We use JSON Web Tokens (JWT), roles, and redirect rules to grant access to those sections.
The server which is giving out (and signing) the JWT is commonly called an authorization server and not just an authentication server, so it makes sense to include role information (or scope) in the JWT, even though they're not registered claims.
Both API key and JWT are used for authentication and authorization, but they do it differently. Authentication allows the user or application to use one or more methods of the API. Authorization defines how they can use those methods.
Figure 1 shows that a JWT consists of three parts: a header, payload, and signature. The header typically consists of two parts: the type of the token, which is JWT, and the algorithm that is used, such as HMAC SHA256 or RSA SHA256. It is Base64Url encoded to form the first part of the JWT.
When using JWS (header.claims.signature), the "claims" part of the JWT is integrity protected by the signature. So if the "claims" or any other part of the JWT is modified by someone without the proper key, the signature verification on the JWT will fail and the token should be rejected.
The claims part of the JWT can be verified, but another issue when adding something like roles to the claims is the case when you change user roles, but the old token still contains the previous roles assigned to the user. So be careful about it. You can simply keep the user identifier in the token and retrieve any other information associated with the user from your persistence mechanism (databases or anything else).
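The two points above (the signature protects the claims segment, and role claims go stale) as an added, self-contained Python example that is not from the original question or answers: it issues an HS256 JWS, verifies it with a pinned algorithm and constant-time comparison, bounds stale roles with `exp`, and shows that a token whose claims segment was re-encoded with extra roles fails verification. The key and claim values are constructed for the demo; `with_modified_roles` is a test helper, not part of any real library.

```python
import base64, hashlib, hmac, json, time
from typing import Optional
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()

def sign_jwt(claims: dict, key: bytes) -> str:
    """Issue a compact JWS (header.claims.signature) signed with HS256."""
    signing_input = _b64url(_json({"alg": "HS256", "typ": "JWT"})) + "." + _b64url(_json(claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_jwt(token: str, key: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims only if the signature checks out and the token is unexpired, else None."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        sig = _b64url_decode(s_b64)
    except ValueError:            # wrong number of segments, bad base64 or bad JSON
        return None
    # Pin the algorithm the server issues with; never trust "alg" from the token (e.g. "none").
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return None
    claims = json.loads(_b64url_decode(c_b64))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:  # short lifetimes bound how long stale roles live
        return None
    return claims

def with_modified_roles(token: str, roles: list) -> str:
    """Test helper: re-encode the claims segment with different roles, keeping the old signature."""
    h_b64, c_b64, s_b64 = token.split(".")
    claims = json.loads(_b64url_decode(c_b64))
    claims["roles"] = roles
    return f"{h_b64}.{_b64url(_json(claims))}.{s_b64}"

KEY = b"constructed-demo-secret"  # constructed sample key, not a real one
if __name__ == "__main__":
    tok = sign_jwt({"sub": "customer-42", "roles": ["customer"], "exp": 2_000_000_000}, KEY)
    print(verify_jwt(tok, KEY))                                        # the claims dict
    print(verify_jwt(with_modified_roles(tok, ["admin"]), KEY))        # None: signature no longer matches
```

Any change to the claims segment invalidates the signature, so the server never acts on roles it did not sign; keeping only the user identifier in the token (and looking roles up server-side) removes the staleness problem entirely.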