In asp.net boilerplate, I'm wondering, why there is an encryptedAccessToken in the api/TokenAuth/Authenticate method? there is no documentation on this.
Also, the JWT is 1 day valid so:
-is it secure to have this long time JWT?
-what happen after JWT expiry? the client will have to re-login? there is no refresh token.
Related
I am relatively new to REST Framework for django. I was creating a simple app to login the users and I tried using Token Authentication. My concern is the tokens are created for each users and they are fixed (Do not change with time) and basically 1 user has 1 token mapped to him/her.
In case of a database breach or when the token is compromised wouldn't it be very easy for the hacker to just login my sending the authorization header?
I have some experience with django default session authentication which seems much more secure when comparing to the htoken auth of REST Framework. REST Frameworks implementation seems a little flawed or am I missing something?
Which one should I use in a production application?
(Note:- I am asking specifically for Rest Framework's default implementation of token auth not general token authentication.)
I understand that a resource server will make a call to the authentication server with a token to confirm that it is valid.
However is this token the same Cookie: JSESSIONID?
Oauth 2.0 Bearer tokens are of two types - General tokens(e.g like java uuid string) and JWT tokens.
General tokens will be stored in the authorization server token store along with their scopes, expiry, client ID, UserId and other related information. When client sends request to resource server, Resource server need to reach out authorization server(Spring oauth 2.0) for bearer token validation.
JWT tokens contains information about its expiry along other user information and self sufficient to work in stateless sessions, Here we don't need to validate oauth 2.0 JWT tokens from authorization server.
JSESSIONID Cookie is created by spring security by default, its not related to Bearer token authorization.
Well the standard solution is an introspection request, as in step 14 of this post: https://authguidance.com/2017/09/26/basicspa-oauthworkflow/
Not all solutions are standards based though - and I always recommend capturing the HTTP traffic
I have developed a oauth2 server in spring boot with jwt token , I am facing difficulty in logout .I have followed this link http://www.baeldung.com/spring-security-oauth-revoke-tokens
After logout if give the token in header and hit the /user it is giving all the user info instead it should throw and error saying the user is logged out
Such a logout is not possible with JWT tokens.
JWT token is self-contained, which means that all information regarding the authentication are in the token itself. If you want to check, if a user is logged in, you just need to check the signature in the JWT token and the token expiration time. No communication with a server is required.
If you want to logout a user with JWT token, you need to delete the JWT token on the client side. And preferrably, the expiration time of JWT tokens should be rather short and the client should e.g. use refresh tokens to get new tokens.
To read more about JWT tokens, check out JWT.io.
Moreover, the guide you were using should not work for you, as it explicitely states:
Also note that this article only covers the standard token implementation in the framework, not JWT tokens.
What is the best authentication solution for a WebAPI/AspNet.Identiy 3.0-*/SPA architecture?
It seems that OAuth 2.0 JWT bearer token is a better approach vs coockies. But I could not find up to date examples with AspNet.Identity 3. Does anyone knows what to do in order to generate JWT with Identity?
I'm considering using authenticated encrypted JWT tokens to authenticate / authorized access to an ASP.NET Web API application.
Based on what I've read so far, it seems to me like it is an option to generate JWT tokens from a token service and pass them to Web API via the http authorization header.
I have found some good code examples on implementing the JWT creation and consumption (Pro ASP.NET Web API Security by Badrinarayanan Lakshmiraghavan).
I'm trying to understand if I need a full OAuth implementation to support this, or if I can simply pass the tokens along in the auth header.
Assuming the tokens are properly encrypted and signed, is there any inherent security flaw in keeping things simple without having to use OAuth?
Trying to keep things as simple as possible for my needs without compromising security.
It is not that you must always OAuth when you use tokens. But given the fact that your application is a JavaScript app, you would be better off implementing a 3-legged authentication. Thinktecture identity server does support implicit grant. But if the client application getting access to the user credential is not a problem for you, your JavaScript app can get the user ID and password from the user and make a token request from a token issuer ensuring the user ID and password are not stored any where in JavaScript app (including DOM). This request for token can be a simple HTTP POST as well and it does not need to be anything related to OAuth. If your end user will not enter the credentials in the client application, OAuth implicit grant is the way. BTW, you don't need to encrypt JWT. TIS issues signed JWT and that will ensure token integrity. But if you are worried about the confidentiality, you can use HTTPS to both obtain the token as well as present the token.
It looks like you don't really need auth delegation as the one provided by OAuth. Isn't HMAC authentication enough for your scenario ?. With HMAC, you will not have to deal with JWT at all. This is an implementation I made for HMAC authentication for .NET
https://github.com/pcibraro/hawknet
Pablo.