Could the signature of a JWT/JWS be used as a globally unique identifier?
In other words, is a signature on a JWT or JWS always unique?
Continue reading Could the signature of a JWT/JWS be used as a globally unique identifier?
Prerequisites
I have a client application (CA), an authentication server (AS) and a resource server (RS).
The resources on the RS must be accessed and usable only by authenticated users which have the authorization to do so.
The AS and RS … Continue reading Will a verified JWT token always ensure that user is authenticated when signed by an authentication server?
I’m creating a backend that supports authentication with JWT tokens. I’m using the classic access token / refresh token combo.
The access token is valid for 5 minutes and allows the users to perform some actions. It’s not checked against … Continue reading Strong reason to not send refresh token on every request?
The Double Submit Cookie CSRF Token pattern is a stateless technique that doesn’t require storage or a database. However, it’s vulnerable to session hijacking attacks and sub-/sibling domains that are susceptible to XSS or HTML injection. … Continue reading Session based CSRF Tokens – What value do I use with JWT?
I’m implementing a JWT-based REST API for the first time and I’m trying to figure out what information to send back on the response entity when a user logs in. The strategies I am considering are:
Just an access token, encoded with claims… Continue reading Data Model for JWT claims
I’m toying with the idea of terminating JWT after gateway ingress, and looking to see what sort of attack patterns would result.
Prerequisites:
Communication between services would use mTLS to encrypt and verify traffic
The target platfor… Continue reading Decorating headers after JWT authentication
I am currently creating an app to help with retail management. As you may be able to imagine, user authentication is of great importance as the app will store all kinds of sensitive information such as financial records, inventory status, … Continue reading A Hybrid Authentication method. (JWT, MFA, Cookies, Sessions) [closed]
I will implement a chat bot web app that can be used on other websites. I plan to host this app in www.mysite.com and customers will be able to display this chat bot inside an iframe on their sites. Website owners that want to use my chat … Continue reading How to pass authentication to iframe from host app?
Our sports site is unlocking one of its main services so it is no longer necessary to sign up to use it for a few days. Anonymous users would have access for a few days, then we would lock them out and prompt them to sign up.
I figured out… Continue reading Does a web access token need to be encoded?
Backend: Django / Django Rest Framework, would be hosted at GCP k8s
Frontend: Angular, would be hosted at some CDN e.g. Vercel
Authentication: JWT (https://github.com/jazzband/djangorestframework-simplejwt)
The frontend and backend would … Continue reading Is storing access token in private data, refresh token in http-only cookie safe?