Collaborate Disseminate
I’m trying to create a mobile app which helps to connect with my mobile app. While going through authentication I used JWT. While authenticating it, it returns access token and refresh token to the client but if both of them are sniffed so… Continue reading How to send JWT Access token with requests without being sniffed?
I’m trying to create a mobile app which helps to connect with my mobile app. While going through authentication I used JWT. While authenticating it, it returns access token and refresh token to the client but if both of them are sniffed so… Continue reading How to send JWT Access token with requests without being sniffed?
is it safe to read the jwt token before validating it?
my colleagues are implementing a "check jwt for aud value and route accordingly".
this means that:
First payload is being read by the code of our application
Then route to t… Continue reading is it safe to read the jwt token before validating it?
As I understand it, the basic idea is that you have accessToken (15 minutes), and refreshToken (1 week), a few moments before the accessToken expires, you need to ask the server for a new accessToken.
If the user closed the browser before … Continue reading Refresh tokens in a web environment
Is it logical or recommended to validate the presence of a specific scope and/or claim against the issuer of the JWT?
For example, we will have a couple of different issuers of JWTs:
One for employees, controlled by Active Directory
Anoth… Continue reading JWT – validate scopes and/or claims against issuer
It’s been quite a few years since the last time I did web development and I realized many things have changed: instead of stateful server-side sessions with authentication cookies and CSRF tokens now we have localStorage/sessionStorage, Si… Continue reading JSON Web Token splitting
So I am using JWT authentication, then I want to implement authorization. Some resources only available for users with admin role for example.
If I put the role in the token, is it a good idea to take that as a truth without double checkin… Continue reading Should I fully trust JWT content
It seems like signing ID Tokens invites misuse.
As I understand it, OIDC ID tokens should not be used as bearer tokens for authorizing API access. Instead, we should use access tokens.
However, the ID token is still signed, and in the case… Continue reading What’s the purpose of signing OIDC ID Tokens if they shouldn’t be used as bearer tokens
Lets say my web client gets a JWT token for authentication so it can make request to the API server. Now, I’d like to create a public API (which will basically be the same as the api for the web client with minor changes) so people can mak… Continue reading Using the same JWT token for the web and public API
I am developing a mobile and web application that need the user to re-authenticate if they have been idled for a specific duration.
The authentication flow is just a typical OAuth password grant type with a combination of JWT accessToken a… Continue reading Stateless session inactivity timeout using refreshToken and accessToken