Collaborate Disseminate
Without giving too many details away, let’s say that I’m auditing an API that:
Has access-control-allow-credentials: true
Has access-control-allow-origin: *
Needs JWT set in Authorization header for request to all endpoints
With this sce… Continue reading Is it possible to steal a cookie without HttpOnly via CSRF?
I’m writing a simple website to help me grasp cybersecurity practices and I decided to stick to JWT tokens, but I have no idea about what I should write on the payload.
I’ve seen on many JWT token generators "Claim email, domain, etc…. Continue reading How should JWT tokens be made?
Let say you have a REST API, which you want to use as the backend for React application. The application supports user login. You use JWT authorization to make that REST API stateless. Now the problem I have with that is that the JWT expir… Continue reading REST API authorization
I am evaluating JWT as authentication mechanism for an API. The idea is to use JWT as API key.
One thing I want to implement is revoking API keys. Since revoking involves a state change in my backend, I am losing the main advantage of JWT,… Continue reading Authentication using JWT signature, without header and payload
Let’s say I’m building a web application (let’s focus on the backend side) that is B2C. Users should be able to register with my application, using a SSO provider like Google or Facebook. Once they’re registered, they can access other endp… Continue reading SSO and/or JWT: make sure web app’s endpoints are protected
I’m building a public HTTP JSON API using API Gateway with ID token authentication.
I now need a server that acts on behalf of users. Users message that server using a third party (think Signal or WhatsApp) and the server calls some API me… Continue reading OAuth2/Cognito: Let trusted server act on behalf of user
I’ve written an application in NodeJS which essentially only performs a login:
You send your username/password, and you retrieve an JWT (JSON Web Token).
Those tokens are being signed by a private key. Using HMAC, these tokens can be verif… Continue reading How do you share private keys for signing e.g. JWTs inside Docker-Containers?
I’ve read that JWT tokens are stateless and you don’t need to store the tokens in the database and that this prevents a look up step.
What I don’t understand is that according to RFC 7009 you can revoke a token. Let’s say I have a web site… Continue reading If JWT tokens are stateless how does the auth server know a token is revoked?
I am used to using JWTs so when I needed the same behavior but with no plaintext user data I looked at JWE. JWE is very similar to JWT; however, I did not see the exp, nbf or iat fields which limit the time the message is valid for (preven… Continue reading How to prevent replay attacks with JWE?
In the node.js express.js framework there is middleware support. Let’s assume I have two middleware – the first one, which verifies whether the JWT token is legit and not tampered with and the second middleware which doesn’t verify anymore… Continue reading Can the data between Express.js middleware be manipulated/tampered in any way?