Is it ok to store user credentials in the JWT
Is it ok to store user credentials (username / password) in the JWT (so sign it and verify the resulted token later)?
I heard that
No, it is not secure to send a password in a JWT. This is because the JWT claims are simply encoded and can easily be decoded by anyone that sees them. It is not secure to store any sensitive information in a JWT that returned to a user
but I don't know why does the JWT website recommends using it for authentication purposes then:
When should you use JSON Web Tokens?
Here are some scenarios where JSON Web Tokens are useful:
Authentication: This is the most common scenario for using JWT. Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token. Single Sign On is a feature that widely uses JWT nowadays, because of its small overhead and its ability to be easily used across different domains
The JWT is the result of the authentication. For example
- User sends his credentials (e.g. username/password) to an authentication service. It could be a third party one or one inside your monolith or your own microservices dedicated to authentication.
- The service validates username-password. If authentication success it returns an JWT that represents that the user is already authenticated, in other words he is who claim he is. This JWT could contain a payload without sensitive information (don't store the password here).
- The user sends another request to a service business with the JWT. If the JWT isn't expired and is not corrupted (the sign is still valid) then the service could trust in its JWT. Maybe this task will be delegated to an authorization service.
What is inside the JWT token?
Well, the simplest JWT contains information about the sign (I can't enter in much detail here because I'm not a security expert) that allows to check if the sign has been corrupted when a request with the JWT is received.
This information can be verified and trusted because it is digitally signed
Besides that, the JWT allows to send a payload.
More formally, the JWT is composed by:
- Header: type of the token + hashing algorithm being used
- Payload: Claims are statements about an entity (typically, the user) and additional metadata.
- Signature: The signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way.
For example, if I send a request to a authentication service with my credentials username:password being gabriel:giussi, it will check these credentials and if they're OK it could create the following JWT:
Then with every request I will then the encoded JWT that contains my username and the service will
- Perform authorization (What Gabriel is authorized to do?) if the JWT sign is valid.
- Ask me to login again if the JWT has expired
- Return an authentication error if the sign is broken.
- Don't understand how to use this api
- Authorize.net refund Transaction error: has invalid child element 'payment' in namespace
- Parsing nested stringified json objects
- Using Jolt specs to remove all array elements if a field has one of the values
- is there a method to check if a QJsonObject object contains specific attribute?
- How we can plot week over week overlay in vega lite?
- How retrieve a parent branch based on a value?
- Flattening nested attributes in Jackson
- How to solve an OverflowError when exporting pandas dataframe to JSON
- Variable was never mutated...or Constant being used before initialized
- JSON API transfer data in Swift
- Having trouble decoding JSON file from GitHub API swift 5
- Swift 5 Parse multi level JSON
- Decoding JSON error "but found a dictionary instead"
- Swift weather data from Openweathermap API?
- filling out an html img tags 'src' form based on information derived from API javascript code
- How to Subtract Objects in jq?
- How to force System.Text.Json serializer throw exception when property is missing?
- Set Select2 selected values with JSON string
- is form enctype "application/json" available?
- How to initialize QJsonObject from QString
- Parse JSON efficiently
- Swift JSON Type Mismatch
- The JSON data couldn’t be read because it isn’t in the correct format
- Data Fetching from a Static JSON File / REACT
- Validate JSON against XML Schema (XSD)
- Big JSON file in Swift
- How specify default a timezone for dates with a JsonSerializer?
- Trying to decode value in swift 4.2 using its position in the JSON structure
- JSON iOS not parsing