In my understanding, when a client wants to communicate with a server, HTTPS can be used, which involves an SSL certificate. This is a very secure channel where information is exchanged between the client and server by means of a session key.
The session key is symmetric and has been generated by means of asymmetric keys (public/private keys).
I’m trying to understand JWT-based authorization between applications
I’m trying to understand JWT-based authorization between applications, and it’s a bit unclear to me. I have 2 applications: app1 is responsible for user authorization. Upon logging into app1, I receive a JWT token. When I want to retrieve resources from app2, for example, /api/get-data, I send the token in the header. App2 checks the validity of the format (header, payload, and signature), as well as its expiration date. If everything is okay, it sends a request to app1/api/token/verificate to verify the token. Upon receiving confirmation that the token exists, I receive resources from /api/get-data. Do I understand this correctly? Did I miss anything? Is signature verification of the token still needed here?
Dangers of Self Refreshing Short Lived JWT?
I have an app where the JWT will have a short exp time. Let’s say 1h.
How to programmatically check for JWT token expiration and logout user automatically?
I have this function that will create the token and it has expiry time:
OWASP Broken Access Control by example: preventing users from reading/writing data that isn’t theirs
I have experience building RBAC-based authorization mechanisms, and understand the theory behind ACLs (DAC?) though I’ve never had the need to implement them.
What are the advantages of refresh token?
A good auth system contains access and refresh tokens. I know what access-tokens are for and I know what refresh tokens DO – but I don’t understand their meaning.
For example:
If I authenticate myself successfully to an API, then I get an access token and a refresh token. If a bad guy steals my access token, he can access the API for maybe the next 5 minutes or so. But if he steals my refresh token, which maybe expires in 6 months, he can give himself a new access token every time, and so he can stay in the system longer.
So what are the advantages of refresh tokens? I don’t see them.
How to handle Authorized & Non-Authorized Routes in Microservices with Tokens
Context: Suppose there is an e-commerce microservice architecture with the format: In summary, a client will contact the Auth Service / Identity Service to receive a token. It passes the token to the API gateway, which verifies the token and forwards the request. That being said, there are services that need to be accessed…