I am trying to understand the concept of web tokens (JSON Web Tokens, to be specific). However, I can't find any information on how tokens are verified on the server.
A= CLIENT
B= SERVER
The flow:
1) A -> B: Client sends username and password
2) B: Server checks them against DB records and, if they match, it creates: first, a signature using base64UrlEncode(header).base64Url(payload), #secret#, and then a token using signature.payload.secret
3) A <- B: Server sends back token to client
4) A -> B: Client sends request to access certain URL with token in header
5) B: Server decodes header and payload, uses #secret# to create another digital signature and compares it with what was sent in to ensure integrity
If the above flow is correct, it begs the following questions:
1) Is there an SSL wrapped around it? If not, anyone could hijack the token, send it to the server, and impersonate the client.
2) In step 5, only integrity is checked; the payload data decrypted from the token is not verified against the DB (for example, the username). Should it be verified, or once integrity is confirmed can we be certain the token is valid and the application can grant access to the client?
3) Is #secret# known only to the server and used only to validate that the payload was not tampered with? I'd presume so; otherwise user impersonation could happen.
The flow you described is correct. You have practically answered your own question.
1) Is there an SSL wrapped around it? If not, anyone could hijack the token, send it to the server, and impersonate the client.
Yes, it is. The token must be protected because it is the proof of authentication. It should only be interchanged through an SSL/TLS connection.
2) In step 5, only integrity is checked; the payload data decrypted from the token is not verified against the DB (for example, the username). Should it be verified, or once integrity is confirmed can we be certain the token is valid and the application can grant access to the client?
The token is signed with the server's secret key, so any alteration will be detected by the server and the token will be rejected. If the verification is successful, you can use the payload safely.
3) Is #secret# known only to the server and used only to validate that the payload was not tampered with? I'd presume so; otherwise user impersonation could happen.
Yes, the secret key must be "secret". If you use a symmetric HMAC key, it is used to create and verify tokens, so if you share it, anyone could create tokens.
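The verification step discussed in this thread, as an added example that is not part of the original question or answer: a standard-library HS256 sketch using the compact JWS layout `header.payload.signature`, where the signature is an HMAC-SHA256 over `base64url(header).base64url(payload)`. The secret value, the `sub`/`exp` claim choice, and the function names are assumptions made for illustration; the `exp` check goes slightly beyond what the answer covers.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret-kept-on-the-server"  # constructed sample value

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input: str, secret: bytes) -> str:
    # HMAC-SHA256 over the exact bytes that were transmitted
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256)
    return b64url(mac.digest())

def issue_token(username: str, secret: bytes, ttl: int = 300, now=None) -> str:
    now = int(time.time()) if now is None else now
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps({"sub": username, "exp": now + ttl}).encode())
    signing_input = f"{header}.{payload}"
    return f"{signing_input}.{sign(signing_input, secret)}"

def verify_token(token: str, secret: bytes, now=None):
    """Return the payload dict if the token is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig = token.split(".")
        # Recompute the MAC with the server-side secret before trusting any field.
        expected = sign(f"{header_b64}.{payload_b64}", secret)
        if not hmac.compare_digest(expected.encode(), sig.encode()):  # constant-time
            return None
        header = json.loads(b64url_decode(header_b64))
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:  # wrong part count, bad base64, bad JSON, non-ASCII input
        return None
    # Pin the algorithm on the server; never let the token choose it.
    if not (isinstance(header, dict) and isinstance(payload, dict)) or header.get("alg") != "HS256":
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return None
    return payload  # no DB lookup was needed to trust "sub"
```

A token whose payload is swapped, or one signed with any other key, fails the MAC comparison and is rejected before its contents are parsed.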