-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
JWT shouldn't be recommended for secure sessions or authentication #17
Comments
No thoughts or comments on this? Security is mentioned in the course material a few times and many design decisions are discussed, but this one isn't really addressed. I feel as though the dangers of caching data client side should be acknowledged in the material, even if it's signed with a private key. |
What's the problem about JWT in this project ? |
I didn't say it needed to be removed. It just isn't best practice and can be potentially misleading to newer developers.
That's what this issue is.
Ok. Use some kind of session ID instead. This was also included in the link in the original issue. |
Misleading ? I don't understand in what. It's an authentification method as session token. With it's own pros and cons. |
Did you even read the link in the original issue post?
Not sure what's so hard to understand about this. But as a security researcher, I'd love for you to continue using this design pattern so that I can continue to collect bug bounties. |
I totally understand about this and it point out what I said there in the original post they are not easily revocable that's by design, and that's also in the design of https certificate. |
@shombo - Just a suggestion - maybe make a pull request that illustrates doing the authentication a different way? That way, people can try it out on their own. Just a thought. |
That isn't really the issue. The issue is trusting cached user data provided by an untrusted source. EDIT: This is also part of the issue.
SSL certificates are easy enough to invalidate since they are validated by a third party. Additionally, they are not presented by the client. They are presented TO the client who is responsible for validating them with a CA.
Agreed. But why even allow this possibility? If you're using some session ID based auth instead, there's no untrusted data to sign and then implicitly trust. If your entire security model relies on protecting a single key, you're doing it wrong.
This is not entirely precise. You don't need to be authenticated to produce a valid token. If you have the signing key, for example, you can then produce arbitrary tokens with arbitrary user data. This does not require actual authentication.
I haven't really seen a single pro so far for using untrusted cached user data as a valid authentication method. The only thing that approaches a pro is the stateless nature of them, but that is somewhat negated by the security vulnerability that it creates. All I'm saying is that this isn't a totally secure authentication mechanism and that fact should at least be mentioned in the course material since security is addressed a couple of times. I understand why it was included in the course content and JWT is a great resource to be aware of, I just don't think that it's a great solution for authentication. |
If I get a moment to implement this, I'll definitely submit a PR or at least present my own fork or something pending review of licensing and whatnot. |
This time you argument :) But it does not differ too much in the way that in HTTPS case Client check based on CA as you mentionned which are the certificate that you choose to trust. In the case of JWT as authentification token you choose to trust your authentification providers (which in most of the case is you)
It's like having a door without lock inside your house. It's not a problem if your house is secure. But if it's unsecure it can become worse.
|
If you don't consider a relying on a single key as a single point of failure (I do), sure. But then again, a well designed infrastructure will have fail over and redundancy mechanisms in place to prevent a single auth server from halting all operations. But that isn't even the point nor is it the design here. This project in monolithic and handles the authentication itself along with all of the other web server features, so by design, it is already a single point of failure. But I also believe that this part of the conversation is getting a bit beyond the scope of the course.
You're relying on ultimately untrusted data. This, again, is not best practice for the entirety of authentication. And, as previously mentioned, they are irrevocable without implementing state, completely undermining the only legitimate argument for JWT.
What you're describing is a clear violation of defense in depth.
JWT, by itself, isn't a security concern. It's the misuse of JWT that is a security concern. If you're using it for session storage, you're using it incorrectly. This is indicated by the JWT authors themselves:
Not session storage. Here's another blog post from 3 years ago talking about this. This isn't a new argument. |
In case of authentification it's an identity claim like your ID Card is. |
This isn't a bug with the course content, but more an issue with the project design. This link sums up the arguments pretty well.
The text was updated successfully, but these errors were encountered: