Collaborate Disseminate
I see many articles about how to invalidate JWT tokens but none about when to invalidate them before their expiry.
When a user resets there password being an obvious time.
What are the best practices here?
Continue reading What conditions should trigger an invalidation of JWT Tokens?
A recent penetration test has discovered that my org is using the JWT authentication scheme that allows the ‘none’ algorithm. How exploitable is this in the real world?
I understand that the issue can be used by an attacker to change the p… Continue reading How exploitable is a none JWT?
I’ve recently learned about JWT tokens, but I don’t understand why I need them. Considering:
HTTPS is enabled, thus the access token can’t be stolen along the way. it’s encrypted.
If at anytime, the hacker finds a way to read incoming JSO… Continue reading How does a JWT refresh token improve security?
I have the following setup with a keycloak authentication server and an application:
user logs in on application client side, send un/pw to server
application server sends un/pw to keycloak server for a token
keycloak server sends a token… Continue reading Why does keycloak use HS256 algorithm to sign access token when client settings specify RS256?
On this https://jwt.io/ application, you can paste a jwt and it returns you a public key. How is this public key generated, and how is it exported? Is it contained inside the JWT, and if it is, then how? In raw format?
It seems there is a large divide as to wether or not you should have JWT or Session ID for managing user session on WebApp/API (for a web front end or/and a mobile app).
It seems that the consensus goes to not using JWT (1,2,3,4) and keep… Continue reading Are JWT still not recommended for sessions?
I want to create Angular 9 + Spring Boot application with strong security complaint to PCI-DSS security standard.
Which security protocol is preferred for user sessions in order to have high security when we use Angular and Spring Boot:
… Continue reading Which Authentication mechanism to choose for PCI-DSS system
Say I have three components in a system:
An identity service, hosted at identity.mydomain.com
A single page application, served from app.mydomain.com
An API, protected by requiring a bearer token signed by identity.mydomain.com
In the … Continue reading Taking advantage of subdomains for refresh token rotation in SPAs
My server sets cookies with the JWT and refresh tokens on login, and likewise when the refresh route is hit. If a valid JWT cookie is found in the request for these routes, should a new one be issued? If so, should the old be blacklisted? … Continue reading Should login/refresh authentication routes return new tokens if an existing, valid token is present?
I am looking into using OpenID Connect as a means of authentication across potentially multiple microservices. Consider the following chain of events:
Client successfully obtains an access token, refresh token, and ID token from /authori… Continue reading JWT Propagation Across Services