JWT Best Practices

Security / Developement

Tags: Serverless / API Gateway / Lambda / JWT / API Security

Introduction

JSON Web Tokens are used in the OAuth and OpenID to connect systems together. A lot of time they are used in way that make them vulnerable to many different attacks. For example, many reference implementations show the JWT token being used directly in the browser but this may leave the application subject to replay attacks if the token is obtain by a third party actor. Your site is not secure because it used JWTs, it is secure because of how you use the JWTs.

JSON Web Token (JWT, pronounced “jot”) is a safe and compact way of passing a JSON message between two parties as defined in RFC 7519 .

1. JWTs as Access Tokens

JWTs contain data and are access by-value. This should make you consider a few things:

• Do not use JWT data in your applications. This will create down stream dependencies that will make your app more difficult to maintain.
• Use an opaque token outside of your infrastructure (such as redis)where the JWTs are only available to your APIs.
• Do not put any valuable data about your API or users in the token.

If Access is provided with Bearer tokens, then change the Bearer token into a Proof of Possession token (a PoP token) by adding a confirmation (cfn) claim. Validated the fingerprint as part of the request.

2. Which algorithms

The most recommended algorithm is ES256 (The Elliptic Curve Digital Signature Algorithm (ECDSA) using P-256 and SHA-256). For symmetric keys, use HS256 (HMAC using SHA-256).

3. Validate the token

Always validate an incoming JWT. You should definitely validate a token if using the implicit flow but instead use code authorization code flow. It is safe and considered best practices.

4. Check the issuer

Best practice is to check if the token contains the iss claim then confirm that any cryptographic keys used to sign or encrypt the token actually belong to the issuer.

5. Check the audience

It is “best practices” to use the URL to confirm the Access Tokens.

6. Tokens usage

JWTs are used as Access Tokens or ID Tokens. You can verify by doing the following:

• Check the scope of the token.
• Verify the tokens has different values of the aud claim.

7. Expiration, issued time and clock skew

JWTs are hard to revoke once issued. You should use as short expiration time for your tokens as possible (preferably minutes or hours).

8. Signature

Signatures require a keys to validate. It is best practice to use an endpoint and dynamically download the keys. This allows for key rotation.

9. Symmetric signing

Use and asymmetric key for signing. This will increase security.

10. Pairwise Pseudonymous (PPID)

Use the Pairwise Pseudonymous to obfuscated user ID.

11. Do not use JWTs for sessions

These articles explain the situation:

• Stop using JWT for sessions .
• Stop using JWT for sessions, part 2: Why your solution doesn’t work .

If you are build a serveless solution, store JWT tokens in Redis as the data (Not the ID) and check them against every request via the session cookie. This way you can enforce token timeouts, count invocations, and manually expire tokens.

Conclusion

Bottom line, It’s how you use the JTWs that make them safe. Stay up to date by reviewing these articles.

• Why JWTs Suck as Session Tokens

• JSON Web Token Best Current Practices

• JSON Web Algorithms (JWA)