Roles using JWT

Tags:

jwt

I am new to JWT. I studied a bit about JWT and understood that it is framed as "header.claims.signature".

Consider a simple scenario as follows:

  • A customer gets authenticated
  • Customer may have (one or more) roles of admin, member, registered, guest
  • The server does not maintain any session (and depends solely on JWT for authentication/authorization)

Once authenticated, the server finds the type of customer and I am assuming that the customerId and the roles will be part of "claims" in JWT. Let me know if my assumption is incorrect (or against standard).

The "claims" part of the JWT is not encrypted (just encoded). That exposes an easy security hole, where the (service) consumer can simply modify the "claims" part of the JWT and resend it with more roles (for which the customer/consumer is not authorized).

If my understanding/assumption is incorrect, how do we achieve what I am targeting?

user203687 asked Aug 22 '15 16:08



2 Answers

When using JWS (header.claims.signature), the "claims" part of the JWT is integrity protected by the signature. So if the "claims" or any other part of the JWT is modified by someone without the proper key, the signature verification on the JWT will fail and the token should be rejected.

Brian Campbell answered Sep 29 '22 13:09


The claims part of JWT can be verified, but another issue when adding something like roles to claims is the case when you change user roles, but the old token still contains the previous roles assigned to the user. So be careful about it. You can simply keep user identifier in the token and retrieve any other information associated with the user based on your persistence mechanism (databases or anything else).

Hamid Mohayeji answered Sep 29 '22 12:09
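The two answers above make two separate points: the signature makes the claims tamper-evident, and claims copied into a token go stale once the backing data changes. The following Python block is an added example illustrating both; it is not code from either answer. It implements a minimal HS256 JWS (sign, verify, and the "edit the claims, keep the old signature" attempt the question describes) with only the standard library, and uses a constructed in-memory role store, key (`SECRET_KEY`), and customer id (`cust-42`) that are assumptions for the demo. The verifier pins the expected algorithm rather than trusting the `alg` header, which is the check a practitioner would want in any real implementation.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real deployment keeps this out of source code.
SECRET_KEY = b"demo-secret-do-not-use-in-production"

# Constructed role store standing in for the persistence layer the second
# answer refers to (database or similar). Keyed by the "sub" claim.
ROLE_STORE = {"cust-42": {"member", "registered"}}


def _b64url_encode(data: bytes) -> str:
    # JWT segments are base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    # Compact, canonical JSON so the same claims always give the same segment.
    return _b64url_encode(
        json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")
    )


def issue_token(claims: dict, key: bytes = SECRET_KEY) -> str:
    """Produce a compact JWS 'header.claims.signature' using HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_segment(header)}.{_segment(claims)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, key: bytes = SECRET_KEY) -> dict:
    """Return the claims only if the signature covers them unchanged.

    Raises ValueError on any malformed, forged, or expired token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm the server expects instead of trusting the header;
    # this also rejects tokens that claim alg "none".
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{claims_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(claims_b64))
    if "exp" in claims and claims["exp"] <= time.time():
        raise ValueError("token expired")
    return claims


def tamper_claims(token: str, new_claims: dict) -> str:
    """The attack from the question: replace the claims, keep the old signature."""
    header_b64, _old_claims, sig_b64 = token.split(".")
    return f"{header_b64}.{_segment(new_claims)}.{sig_b64}"


def roles_from_token(token: str) -> set:
    """Roles as frozen into the token at issue time (first answer's model)."""
    return set(verify_token(token)["roles"])


def roles_from_store(token: str) -> set:
    """Roles looked up fresh by user id on every request (second answer's model)."""
    return set(ROLE_STORE[verify_token(token)["sub"]])


if __name__ == "__main__":
    tok = issue_token({"sub": "cust-42", "roles": ["member", "registered"]})
    print("valid:", verify_token(tok))
    forged = tamper_claims(tok, {"sub": "cust-42", "roles": ["admin"]})
    try:
        verify_token(forged)
    except ValueError as exc:
        print("forged token rejected:", exc)
    ROLE_STORE["cust-42"].discard("registered")
    print("token says:", roles_from_token(tok), "store says:", roles_from_store(tok))
```

Running the block shows the forged token being rejected with "bad signature" even though its claims decode cleanly, and, after the role store changes, the still-valid token continuing to carry the old `registered` role while the store lookup does not. Short expiry (`exp`) limits how long that gap lasts; a per-request lookup by `sub` closes it entirely at the cost of a database hit.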