Tags: api-security, user-interface, jwt, web-security

JWT Token Security vulnerability and request for possible solution


I have a question on JWT from the security aspect. Consider application X using JWT as its security mechanism in its Gateway, and this token is valid for 3 minutes from origin.

So the scenario is as follows:

Application X logs in at the UI end. Hence the UI call has to go to the gateway first to get the JWT token created, and the response is sent back to the UI. So further requests from the UI go with the JWT token to the service layer. This time the Gateway validates the token held in the header of the requests and allows them through to the service layer.
This whole process happens in the 1st minute of the token, and so the JWT token is exposed at the UI end; by simply opening dev tools, we are able to find it.

Now anybody who has the API service URL can use this JWT token and access our API services, right? Isn't it a security issue? Or is there any way to address this issue?


Solution

  • With the assumption that someone has stolen a JWT token from the client:

    • Your JWT token should be unique in the sense that it holds information that can only authenticate a single user/entity. This means that this token authorizes actions that can be done by that single user/entity.

    • On top of that, you should only allow origins that you trust in your gateway/API; this can be done with CORS and CSRF protection, which will render the token unusable except by your client (UI) origin.