JSON Web Tokens are used in the OAuth and OpenID to connect systems together. Alot of time they are used in way that make them vulernable to many different attacks. For example, many reference implemenations show the JWT token being used directly in the browser but this may leave the application subject to replay attacks if the token is obtain by a third party actor. Your site is not secure becuase it used JWTs, it is secure because of how you use the JWTs.
JSON Web Token (JWT, pronounced “jot”) is a safe and compact way of passing a JSON message between two parties as defined in RFC 7519 .
JWTs contain data and are access by-value. This should make you consider a few things:
If Access is provided with Bearer tokens, then change the Bearer token into a Proof of Possession token (a PoP token) by adding a confirmation (cfn) claim. Validated the fingerprint as part of the request.
The most recommended algorithm is ES256 (The Elliptic Curve Digital Signature Algorithm (ECDSA) using P-256 and SHA-256). For symmetric keys, use HS256 (HMAC using SHA-256).
Always validate an incoming JWT. You should definitely validate a token if using the implicit flow but instead use code athorization code flow. It is safe and considered best practices.
Best practice is to check if the token contains the iss claim then confirm that any cryptographic keys used to sign or encrypt the token actually belong to the issuer.
It is best practise to use the URL to confirm the Access Tokens.
JWTs are used as Access Tokens or ID Tokens. You can verify by doing the following:
JWTs are hard to revoke once issued. You should use as short expiration time for your tokens as possible (preferably minutes or hours).
Signatures require a keys to validate. It is best practice to use an endpoint and dynamically download the keys. This allows for key rotation.
Use and asymmetric key for signing. This will increase security.
Use the Pairwise Pseudonymous to obfuscated user ID.
These articles explain the situation:
If you are build a serveless solution, store JWT tokens in Redis as the data (Not the ID) and check them against every request via the session cookie. This way you can enforce token timeouts, count invocations, and manually expire tokens.
Bottom line, It’s how you use the JTWs that make them safe. Stay up to date by reviewing these articles.