Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What to store in a JWT?

How do you guys deal with the same user on multiple devices? Won't data such as {admin: true} become stale except for the device that changed it?

Should this even be in a JWT? If not, and we resort to only putting the user ID, won't that be just like a cookie-based session since we store the state on the server?

like image 631
user1164937 Avatar asked Aug 11 '16 13:08

user1164937


People also ask

What should a JWT contains?

Anatomy of a JWT Figure 1 shows that a JWT consists of three parts: a header, payload, and signature. The header typically consists of two parts: the type of the token, which is JWT, and the algorithm that is used, such as HMAC SHA256 or RSA SHA256. It is Base64Url encoded to form the first part of the JWT.

Do JWT tokens need to be stored?

A JWT needs to be stored in a safe place inside the user's browser. Any way,you shouldn't store a JWT in local storage (or session storage). If you store it in a LocalStorage/SessionStorage then it can be easily grabbed by an XSS attack.

What is the best place to store JWT?

Use cookies to store JWT tokens – always secure, always httpOnly, and with the proper same site flag. This configuration will secure your client's data, it will prevent XSS and CSRF attack and also should simplify web application, because you do not have to care about using tokens manually on frontend code anymore.

What is JWT used for?

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.


1 Answers

The JWT RFC establishes three classes of claims:

  • Registered claims like sub, iss, exp or nbf

  • Public claims with public names or names registered by IANA which contain values that should be unique like email, address or phone_number. See full list

  • Private claims to use in your own context and values can collision

None of these claims are mandatory

A JWT is self-contained and should avoid use the server session providing the necessary data to perform the authentication (no need of server storage and database access). Therefore, role info can be included in JWT.

When using several devices there are several reasons to revoke tokens before expiration, for example when user changes password, permissions or account deleted by admin. In this case you would need a blacklist or an alternative mechanism to reject the tokens

A blacklist can include the token unique ID jti or simply set an entry (sub - iss) after updating critical data on user (password, persmissions, etc) and currentTime - maxExpiryTime < last iss. The entry can be discarded when currentTime - maxExpiryTime > last_modified (no more non-expired tokens sent).


Registered Claims

The following Claim Names are registered in the IANA "JSON Web Token Claims" registry established by Section 10.1.

  • iss (issuer): identifies the principal that issued the JWT.
  • sub (subject): identifies the principal that is the subject of the JWT. Must be unique
  • aud (audience): identifies the recipients that the JWT is intended for (array of strings/uri)
  • exp (expiration time): identifies the expiration time (UTC Unix) after which you must no longer accept this token. It should be after the issued-at time.
  • nbf(not before): identifies the UTC Unix time before which the JWT must not be accepted
  • iat (issued at): identifies the UTC Unix time at which the JWT was issued
  • jti (JWT ID): provides a unique identifier for the JWT.

Example

{
    "iss": "stackoverflow",
    "sub": "joe",
    "aud": ["all"],
    "iat": 1300819370,
    "exp": 1300819380,
    "jti": "3F2504E0-4F89-11D3-9A0C-0305E82C3301"
    "context": {
        "user": {
            "key": "joe",
            "displayName": "Joe Smith"
        },
        "roles":["admin","finaluser"]
    }
}

See alternatives here https://stackoverflow.com/a/37520125/6371459

like image 66
pedrofb Avatar answered Sep 26 '22 03:09

pedrofb