Is this JWT based authentication method safe?

Trying to implement a secure authentication method with JWT for an API which will be consumed by many clients, including web (Single Page App), desktop and mobile, I've come up with this system:

  • Client calls /auth/login with username and password set
  • After verifying, the server returns two tokens: an auth_token and a refresh_token
  • The auth token is short lived (15 minutes) and is used on every following API call
  • The refresh token is long lived (maybe 12 hrs to a week) BUT is signed with a secret key in the format user_pass + long_string
  • After the auth token expires, a call to /auth/renew is made
  • The auth token is sent to check how long it has been expired (no longer than an hour)
  • The refresh token is sent as well and is validated using the user's password
  • If the refresh token isn't expired and the auth token hasn't been expired for too long, a new auth token is sent back
  • If the user's password has changed, the refresh token is invalid and the user is required to re-authenticate after their existing short lived auth token has expired
  • While there is a small window for the auth token to be expired and still be valid, and there are calls made to the database; is this an overall secure way to authenticate using JWT and to handle password changes and token refresh?


    Don't try to implement your own authentication infrastructure. Chances you'll get a secure implementation are minimal and now you'll have to maintain all that code also.

    Better use an authorization server from a reputable origin, like Thinktecture IdentityServer or Azure Active Directory, and use standard libraries and protocols.

    Some problems I see with your proposal:

  • if you do not sign the access token, what prevents me from changing the claims inside?
  • if you need the user's password to validate the refresh token, you must store it in a way that you can retrieve it in clear text. Passwords should only be stored as a salted hash preventing you from getting to the clear text.
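An added example (not code from the question or the answer) of the flow the question describes, adjusted to address the answer's second bullet: the refresh token's HMAC key is derived from the user's *stored* password hash instead of the cleartext password, so a password change still invalidates outstanding refresh tokens without keeping passwords recoverable. The 15-minute auth lifetime, 12-hour refresh lifetime and one-hour grace window come from the question; `SERVER_SECRET` and the hash strings are constructed placeholders.

```python
import base64, hashlib, hmac, json

SERVER_SECRET = b"constructed-server-secret"  # constructed placeholder, not a real key
AUTH_TTL = 15 * 60            # auth token lifetime (15 minutes, as in the question)
MAX_EXPIRED_GRACE = 60 * 60   # expired auth token still accepted for renew (max 1 hour)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT: base64url(header).base64url(claims).base64url(hmac)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"

def verify_jwt(token: str, key: bytes):
    """Return the claims if the signature verifies under `key`, else None."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_unb64(header)).get("alg") != "HS256":  # refuse other algs
            return None
        expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        return json.loads(_unb64(body))
    except ValueError:  # malformed base64 / JSON / wrong number of segments
        return None

def refresh_key(password_hash: str) -> bytes:
    # Key the refresh token to the stored password hash, never the cleartext password:
    # a password change produces a new hash, so old refresh tokens stop verifying.
    return hmac.new(SERVER_SECRET, password_hash.encode(), hashlib.sha256).digest()

def login(user: str, password_hash: str, now: int, refresh_ttl: int = 12 * 3600):
    """/auth/login after the password check: issue the auth and refresh tokens."""
    auth = sign_jwt({"sub": user, "exp": now + AUTH_TTL}, SERVER_SECRET)
    refresh = sign_jwt({"sub": user, "exp": now + refresh_ttl}, refresh_key(password_hash))
    return auth, refresh

def renew(auth_token: str, refresh_token: str, current_password_hash: str, now: int):
    """/auth/renew: new auth token only if both tokens pass every check, else None."""
    auth = verify_jwt(auth_token, SERVER_SECRET)  # signature is checked even when expired
    if auth is None or now - auth["exp"] > MAX_EXPIRED_GRACE:
        return None
    refresh = verify_jwt(refresh_token, refresh_key(current_password_hash))
    if refresh is None or refresh["exp"] < now or refresh["sub"] != auth["sub"]:
        return None
    return sign_jwt({"sub": auth["sub"], "exp": now + AUTH_TTL}, SERVER_SECRET)
```

Real deployments should use a maintained JWT library and a password hash such as bcrypt or Argon2 for `password_hash`; the hand-rolled signing here only keeps the example dependency-free.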