Episode 040: 8‐20‐2024 You got the JWT... now what - GluuFederation/identerati-office-hours GitHub Wiki
Title: You got the JWT... now what?
- Host: Mike Schwartz, Founder/CEO Gluu
- Guest: Gabriel Manor - Liechtman, Engineering Leader at Permit.io
- Co-Host: Alexandre Babeanu, CTO 3Edges
Description
Once you have obtained a JSON Web Token (JWT), the next steps involve understanding, securely storing, and effectively using it for authentication and communication within your web application. A JWT comprises three parts: the Header, Payload, and Signature. It is crucial to store the JWT securely on the client-side, often in local storage or an HTTP-only cookie, to prevent cross-site scripting (XSS) attacks. For API requests, the JWT should be included in the Authorization header using the Bearer schema. On the server-side, you must verify the token’s signature, check its expiration, and validate its claims to ensure its authenticity and relevance. Handling token expiration through refresh tokens, decoding the JWT to access user information, and protecting your endpoints with role-based access control (RBAC) are essential steps to maintain security. Additionally, monitoring and logging JWT usage are vital for auditing and troubleshooting. Proper handling of JWTs ensures the security and efficiency of your authentication processes, safeguarding your application against potential vulnerabilities.
Homework
Takeaways
- Developers have strong opinions about how to use JWTs for authorization. But is this an indication of chaos? JWTs should not be any more contentious than how we use JSON, right? It's just a signed JSON document. Which brings me to the first point: when most developers say "JWT", what they mean is an access_token enhanced with identity information. Developers don't want to be bothered about OAuth and OpenID security details.
- From the authz vendor perspective, it is agreed that the JWT is input to policy. 3Edges and Permit.io have different ways to define and evaluate policies. But both see a JWT as a way to pass information about a user, which will help them evaluate policies to determine access.
- Agreed by all that authz policies should be externalized and declarative. Without policy centralization, SOC and ISO security compliance is less robust.
- Not agreed where the responsibility lies for good JWT security hygiene--like checking the signature, expiration and status of a token. This is made more complex when there are multiple trusted JWT issuers. But trust goes beyond policy--it also impacts JWT signature validation, which requires the current IDP keys.
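The description above lists the server-side checks (signature, expiration, claims) and the last takeaway points out that they get harder with several trusted issuers, each with its own current keys. The following is an added example, not code from the episode or from Gluu, Permit.io or 3Edges, showing those checks in one place: a small HS256 verifier with a trust registry keyed by issuer and key id. It uses only the Python standard library; the issuer URLs, key ids, secrets and claims are constructed sample values, and a real deployment would load RS256/ES256 public keys from each IDP's JWKS endpoint instead of shared secrets. The `mint_token` helper exists only so the example can produce tokens to verify.

```python
"""Minimal JWT (HS256) verification with a per-issuer key registry.

Added example (not from the episode or the vendors mentioned in it).
Standard library only; all keys, issuers and claims are constructed.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed trust registry: trusted issuer -> {kid: key}. In practice
# this is populated from each IDP's JWKS endpoint and refreshed on rotation.
TRUSTED_ISSUERS = {
    "https://idp-a.example": {"k1": b"secret-for-idp-a"},
    "https://idp-b.example": {"k7": b"secret-for-idp-b"},
}
EXPECTED_AUDIENCE = "orders-api"  # this API's own audience identifier (constructed)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(issuer: str, kid: str, claims: dict) -> str:
    """Test helper: build an HS256 token signed with the registry key."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    payload = {"iss": issuer, **claims}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    key = TRUSTED_ISSUERS[issuer][kid]
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, now=None) -> dict:
    """Return the verified claims of `token`, or raise ValueError.

    The unverified header/payload are read only to pick which key to
    check against; no claim is trusted until the signature has passed.
    """
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:  # covers bad base64 and bad JSON
        raise ValueError(f"malformed token: {exc}") from None

    # 1. Pin the algorithm server-side; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")

    # 2. Resolve the key from the trusted-issuer registry by iss + kid.
    keys = TRUSTED_ISSUERS.get(payload.get("iss"))
    if keys is None:
        raise ValueError("untrusted issuer")
    key = keys.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown key id for issuer")

    # 3. Signature check over the exact header.payload bytes received.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    # 4. Only now validate the claims: expiry, not-before and audience.
    if "exp" not in payload or now >= payload["exp"]:
        raise ValueError("token expired or missing exp")
    if now < payload.get("nbf", 0):
        raise ValueError("token not yet valid")
    aud = payload.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    return payload


if __name__ == "__main__":
    tok = mint_token("https://idp-a.example", "k1",
                     {"sub": "alice", "aud": "orders-api", "exp": 2000000000})
    print(verify_token(tok, now=1700000000)["sub"])
```

The returned claims are what would be handed to the policy engine as input; the token "status" check the takeaway mentions (revocation) is not shown, since it needs an introspection endpoint or revocation list rather than anything in the token itself.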