Collaborate Disseminate
is it safe to read the jwt token before validating it?
my colleagues are implementing a "check jwt for aud value and route accordingly".
this means that:
First payload is being read by the code of our application
Then route to t… Continue reading is it safe to read the jwt token before validating it?
As I understand it, the basic idea is that you have accessToken (15 minutes), and refreshToken (1 week), a few moments before the accessToken expires, you need to ask the server for a new accessToken.
If the user closed the browser before … Continue reading Refresh tokens in a web environment
Is it logical or recommended to validate the presence of a specific scope and/or claim against the issuer of the JWT?
For example, we will have a couple of different issuers of JWTs:
One for employees, controlled by Active Directory
Anoth… Continue reading JWT – validate scopes and/or claims against issuer
It’s been quite a few years since the last time I did web development and I realized many things have changed: instead of stateful server-side sessions with authentication cookies and CSRF tokens now we have localStorage/sessionStorage, Si… Continue reading JSON Web Token splitting
So I am using JWT authentication, then I want to implement authorization. Some resources only available for users with admin role for example.
If I put the role in the token, is it a good idea to take that as a truth without double checkin… Continue reading Should I fully trust JWT content
It seems like signing ID Tokens invites misuse.
As I understand it, OIDC ID tokens should not be used as bearer tokens for authorizing API access. Instead, we should use access tokens.
However, the ID token is still signed, and in the case… Continue reading What’s the purpose of signing OIDC ID Tokens if they shouldn’t be used as bearer tokens
Lets say my web client gets a JWT token for authentication so it can make request to the API server. Now, I’d like to create a public API (which will basically be the same as the api for the web client with minor changes) so people can mak… Continue reading Using the same JWT token for the web and public API
I am developing a mobile and web application that need the user to re-authenticate if they have been idled for a specific duration.
The authentication flow is just a typical OAuth password grant type with a combination of JWT accessToken a… Continue reading Stateless session inactivity timeout using refreshToken and accessToken
I am trying to figure out if the solution I am suggesting is valid for both XSS & CSRF protection,
I would like to store the JWT in an httpOnly & secure cookie and not in local storage,
when the user successfully logs in, he will g… Continue reading JWT cookie with CSRF token as a claim inside the JWT
Scenario
I’m working in the oAuth flow for a new app, which is currently laid out like this
A React web App
A Rails backend
FusionAuth as an Authorization server
We are using the oAuth2.0 authorization code grant flow:
To login, the brow… Continue reading When using a cookie to header CSRF protection with JWTs, how to implement refresh tokens?