jwtapi-gatewayjwe

JWT / Session Cookie Authentication Hybrid


I'm looking for some clarity regarding security concerns with just JWT in our current project.

basically it is working right now like this:

  1. User authenticates with username + password at an authentication Service

  2. frontend gets JWT

  3. frontend can use this JWT in the communication with the backend.

but that seems unsecure for many reasons, so we discussed this so far and had a few ideas to make it more secure:

We just want to be kinda secure in Login/Logout AND be scaleable in the the future so that there might be X other backends.

apologies for any errors, english is not my first language and i'm happy to answer any questions regarding this.

take care.


Solution

  • You are right that keeping tokens on the front end has some security issues. The current best practice is to try to keep tokens out of the browser altogether. At Curity we have described one possible solution as the Token Handler pattern. It adds a bit more complexity to your system but enables you to use secure sessions on the front instead of any tokens. We have provided a few implementations of the components needed by the Token Handler, you can have a look at how to run our complete example here: https://curity.io/resources/learn/token-handler-spa-example/

    As to your first idea, if you want to implement blacklisting tokens, then you're in fact implementing sessions, and you're better off with cookies and plain old HTTP sessions. JWEs protect the contents of your token but an attacker can still steal such a token and use it to call your APIs.