Compromised JSON Web Token (JWT) Bearer Token

Asked by BausNauf

We are implementing a REST service that requires authentication and authorization. Because of the stateless nature of REST APIs, we want to use JWT to make authenticated calls to the API through a token, without the need to hit a database for each API call.

After evaluating JWT we had some questions:

  1. How do you handle a situation with a compromised token secret which is shared between a client and the server?

  2. Do you log out all your clients and define a new token secret for future requests? (That would be a bad experience.)

  3. Is there a way to log out just the compromised client?

Background detail: We will use that flow between an iOS app and a Node.js backend.