Implications of using a self-signed certificate to sign JWT tokens in OAuth

I’m looking to set up an integration between GitHub and Service Now, and I can use OAuth2 with JWT tokens; the steps to take can be found here.

There is a specific step that states:

Create a CA signed certificate using the GitHub App private key

From what I can understand, this certificate is used in the process of signing the JWT tokens that are generated by Service Now and sent to GitHub for authentication. What I’m unsure of is whether using a 3rd-party CA-signed certificate will have any benefit over a self-signed certificate.

I don’t see any benefit, given that the private key is initially generated by GitHub and I believe it uses that to ensure the token has been signed correctly by Service Now; I’m not sure certificate revocation checks with a 3rd-party CA would be part of that process.

JWT : Should I check if user exists before validating token?

I am building an authentication service with Python and Flask, and I use MongoDB to store user details.

When a user sends a request to an API that enforces the authentication service, I get the token from the request, check if the JWT is valid (I use RSA256), check if the exp is valid, and ultimately I retrieve the auth dict from the payload and check if the current API is authorised for this user. If all the previous checks are OK, I authorize the user and log him in.

In my JWT payload I also have the userId; should I use it to check that the user exists by calling the DB? In addition to that, should I also get the auth dict from the DB, or can I use the one from the payload?

By default I trust the JWT and don’t cross-check the info with the DB; is that all right?

Thanks for your help !

web applications – JWT logout: Sharing blacklisted invalid token among services

I am working on a microservices project involving 4 services: Auth Service, Service-A, Service-B and Service-C.

All the services are implemented using Spring Boot.
The Auth Service is responsible for authenticating the logged-in user and generating a JWT bearer token.
Each of Service-A/B/C has a JWT filter which checks the validity of the token and then provides access to the REST APIs.

Now I want to implement a logout feature. The logout request goes to the Auth Service. The Auth Service uses Redis.
The token is added to a list of invalid tokens with a TTL set, so that after expiry the token is removed automatically.

Now how can the JWT filters in Service-A/B/C access the blacklisted tokens so that REST API access is approved/disapproved?
If all the services are deployed on the same system, the services can access Redis easily.
If the services are deployed on different systems, how can they access the invalid tokens?

Should I implement pub/sub messaging, with each service having its own list of invalid tokens stored in Redis? Or is there a better approach in a microservices environment?

authentication – Looking for suggestions while implementing JWT token with encryption for webhooks

I need to start providing webhook support for some of my apps, and I was looking at how GitHub seems to implement it on their website: they include a “secret” that one can include in their POST request payload (screenshot of GitHub below, Screenshot A). When they send their POST request, it includes your secret in a header labeled SECRET_TOKEN.
https://docs.github.com/en/developers/webhooks-and-events/webhooks/securing-your-webhooks

Using this knowledge of how they implement their system, I figured I would replicate it in mine.

Since my application will have to handle receiving webhook payloads, I need to generate keys myself. To do so, on my server I generate a database record with the following fields:

  • id
  • createdAt/updatedAt
  • publicKey

I generate an RSA/PEM public/private key pair, and using the private key I generate a JWT token (sample B screenshot included below):

// header
{
  "alg": "HS256",
  "typ": "JWT"
}
// body
{
  "iat": 1516239022,
  "id": "1234567890123445667" // <-- the database ID
}
// verify signature ...
{
  // ...
}
  1. Question 1) Is it proper, or even a security concern, that I am essentially publicly sharing my database id in my JWT token body, which can be read unencrypted? It’s common practice to share database IDs in URLs all the time, so I don’t see why this would be an issue per se. I even think I’ve seen Microsoft OAuth JWT tokens do this in the past.

  2. Question 2) I am destroying the private key from memory as soon as the JWT is generated, and then I save the public key to the database, so that I can verify the signature when the token is sent in a request header. According to jwt.io, “public keys are for verifying signatures” and “private keys are for generating new JWT tokens”. It seems weird to be saving something called “public” when I am keeping this data privately in my database. And I know it’s probably bad to save both the public AND private key to the database.

  3. Are there any other security concerns that I am not aware of?

Example (A) Screenshot from Github:


Example (B) Screenshot from JWT.io:
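As an added example (the editor's, not GitHub's code or the asker's), here is the GitHub-style scheme the post is copying: a per-webhook secret stored server-side, an HMAC-SHA256 over the raw body carried in the X-Hub-Signature-256 header that GitHub documents at the linked page, and constant-time verification on the receiver. The record id rides in the clear but is covered by the MAC, which speaks to Question 1; the scheme is symmetric, so there is no public key to store, which speaks to Question 2. The registry, the `lookup` callback and the sample event are constructed.

```python
import hashlib, hmac, json, secrets

# Constructed registry standing in for the post's database record. The secret
# is kept server-side and shared with the receiver out of band; it never
# travels inside the request.
WEBHOOKS = {}  # id -> secret

def register_webhook() -> tuple:
    """Create a webhook record and return (id, secret); the secret is shown once."""
    hook_id = secrets.token_hex(8)
    WEBHOOKS[hook_id] = secrets.token_urlsafe(32)
    return hook_id, WEBHOOKS[hook_id]

def sign(secret: str, body: bytes) -> str:
    """GitHub-style header value: 'sha256=' + hex HMAC-SHA256 over the raw body."""
    return "sha256=" + hmac.new(secret.encode(), body, hashlib.sha256).hexdigest()

def deliver(hook_id: str, event: dict) -> tuple:
    """Sender side. The record id is in the clear, as in the post's JWT body,
    but the MAC binds it and the event to the secret, so neither can be swapped."""
    body = json.dumps({"id": hook_id, "event": event}, separators=(",", ":")).encode()
    return {"X-Hub-Signature-256": sign(WEBHOOKS[hook_id], body)}, body

def verify(headers: dict, body: bytes, lookup) -> bool:
    """Receiver side: find the secret by id, recompute over the raw bytes, and
    compare in constant time. `lookup` is the receiver's id -> secret store."""
    try:
        hook_id = json.loads(body)["id"]
    except (ValueError, KeyError, TypeError):
        return False
    secret = lookup(hook_id)
    if secret is None:
        return False
    return hmac.compare_digest(sign(secret, body), headers.get("X-Hub-Signature-256", ""))
```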

certificates – What is the point of signing a JWT with a JWK if you need to communicate with the token issuer?

If I understand correctly, a JSON Web Token (JWT) can be asymmetrically signed with a special private key (JWK). At least in some common configurations, the public part of the signing key can’t be obtained via classic X.509 certificates, but rather by accessing some trusted API endpoint, fetching the public key, and using that to verify the JWT signature.

How is that any better than just sending the entire token over to the trusted API and asking it to validate it? I thought that the whole point of using tokens was that they can be verified without contacting the token issuer, just by checking its signature with a widely available public key.

Frontend authenticates in server using jwt token issued by another server

I have two servers and frontend client:

  1. One server authorizes and authenticates the user, and after that issues a JWT token to the client.
  2. The frontend client also visits a second backend server using the JWT token as the Authorization header.
  3. The JWT secret is the same on both servers (encrypted by SHA256).

Questions:

  1. Is there any alternative to keep the token safer and prevent it being stolen by 3rd-party JavaScript? An http-only cookie doesn’t fit since the client gets some data from the JWT token.
  2. Do you see some security drawbacks in existing flow?

web services – Blacklist JWT tokens or whitelist JWT tokens

I am working on a Spring Boot web application. The REST APIs are secured by JWT tokens. Currently I have only the access token generated (the refresh token concept is not implemented).
My question is related to login/logout of users in this scenario. Most of the blogs suggest that on logout you maintain a list of blacklisted tokens in the DB. Would this not lead to an unnecessarily big list of invalid tokens?
I have implemented it the other way round. Please let me know the drawbacks of this approach.

  1. On successful login a bearer access token is generated and I maintain a whitelist of this token in the DB as LoggedInUsers.
  2. The JWT filter checks expiry validity and user info validity, and checks if the token is in the DB. If all these are true then the user has access to the API.
  3. Upon logout, the token is deleted from LoggedInUsers.
  4. Upon password reset, the token is deleted from LoggedInUsers.

This web service will be consumed by both a mobile app and a web browser.

Please let me know your thoughts on this approach.
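As an added example serving three of the posts above (the Flask question on checking the user in the DB, the microservices logout question on a shared Redis blacklist, and this whitelist-versus-blacklist question), written by the editor rather than taken from any of them: a verifier that checks signature and exp statelessly and then consults shared state for what the token alone cannot say. HS256 with the stdlib HMAC stands in for the posts' RS256 so the block runs offline; USERS, DENYLIST and ALLOWLIST are constructed stand-ins for the MongoDB collection and Redis keys with TTLs, and `mode` selects the blacklist or whitelist policy.

```python
import base64, hashlib, hmac, json, time
# Constructed stand-ins for the stores the posts describe: a users collection
# (MongoDB in the Flask post) and a shared Redis keyspace with TTLs (jti -> expiry).
USERS = {"u1": {"active": True, "auth": {"/orders": ["GET"]}}}
DENYLIST = {}   # logged-out tokens (the blacklist of the microservices post)
ALLOWLIST = {}  # live sessions (the LoggedInUsers whitelist of the Spring Boot post)
SECRET = b"constructed-demo-secret"  # HS256 key shared by issuer and every verifier

def _b64u(b: bytes) -> str: return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def _unb64u(s: str) -> bytes: return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue(user_id: str, jti: str, ttl: int = 3600) -> str:
    now = int(time.time())
    claims = {"sub": user_id, "jti": jti, "iat": now, "exp": now + ttl,
              "auth": USERS[user_id]["auth"]}  # snapshot: goes stale after issue
    signing_input = (_b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
                     + "." + _b64u(json.dumps(claims).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    ALLOWLIST[jti] = now + ttl  # Redis SET with EX=ttl in a real deployment
    return signing_input + "." + _b64u(sig)

def logout(jti: str) -> None:
    exp = ALLOWLIST.pop(jti, 0)
    if exp:
        DENYLIST[jti] = exp  # same TTL as the token, so the entry self-expires

def authorize(token: str, path: str, method: str, mode: str = "deny") -> tuple:
    """Returns (allowed, reason): stateless checks first, then the shared stores."""
    now = int(time.time())
    try:
        h, b, s = token.split(".")
        expected = hmac.new(SECRET, f"{h}.{b}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64u(s)):
            return False, "bad signature"
        claims = json.loads(_unb64u(b))
    except (ValueError, TypeError):
        return False, "malformed token"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    jti = claims.get("jti", "")  # "live" below = key present and TTL not yet reached
    if mode == "deny" and DENYLIST.get(jti, 0) > now:
        return False, "logged out"
    if mode == "allow" and ALLOWLIST.get(jti, 0) <= now:
        return False, "no live session"
    user = USERS.get(claims.get("sub"))  # the userId lookup the Flask post asks about
    if not user or not user["active"]:
        return False, "user missing or disabled"
    if method not in user["auth"].get(path, []):  # DB rules, not the payload snapshot
        return False, "not authorised"
    return True, "ok"
```

Either policy makes every request hit the shared store; the whitelist is the stricter one (a token is only valid while its session entry exists), while the blacklist stays small because each entry expires together with the token it blocks.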

Consuming an API in React with a token: JWT

I received a test from a company and they gave me a link to the API. The problem is that it has some kind of authentication, and I have never done anything with a private API; it was always an API I built myself or a public one. I have already tried several ways and nothing works. The error I get is: Failed to load resource: the server responded with a status of 404 (Not Found).
I am using axios with the baseURL that was provided.
I am first trying to print to the console.

The goal of the test is for me to be able to create posts, list them and other things, but the issue is access to the API.

state = {
  posts: [],  // was "()" in the post, which is not valid JavaScript
}

async componentDidMount() {
  const res = await api.get("");  // api: the axios instance created with the given baseURL
  this.setState({ posts: res.data });
  console.log(res.data);
}

sharepoint online – Docusign REST API: Implementing OAuth Authentication using JWT Grant from Microsoft Flow

I am getting the below error when making the HTTP call for the JWT token.

The Authorization call succeeded as shown in the screenshot below, but when making the HTTP call for the JWT Access Token (screenshot 2), I get the below error ({"error":"invalid_grant","error_description":"unsupported_grant_type"}) as shown in screenshot 4 below.

I am new to using/developing with DocuSign for the first time, so could anyone kindly correct what I am doing wrong (like if I need to put/correct the URL, headers, body, ...) or please guide me about what the cause of the error can be.
Kindly guide me, thanks in advance.
I am following the below URL from the DocuSign OAuth implementation:
https://developers.docusign.com/platform/auth/jwt/jwt-get-token/

Step 1. Request application consent
Step 2. Create a JWT
Step 3. Obtain the access token –>getting Error @ implementing this step
Step 4. Get your user’s base URI
Step 5. Use the access token to make an API call

(https://account-d.docusign.com/oauth/auth?response_type=code&scope=signature%20impersonation&client_id=@{variables('IntegratorKey')}&redirect_uri=https://localhost1

https://account-d.docusign.com/oauth/token

https://demo.docusign.net/restapi/v2.1/accounts/@{variables('Docusign AccountID')}/envelope

Error screenshot
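As an added example (the editor's, not DocuSign's or the asker's code), the shape of the Step 3 call in Python: the JWT-bearer grant defined by RFC 7523 expects a form-encoded body whose grant_type is the jwt-bearer URN together with the signed assertion, and grant_type is exactly the parameter that unsupported_grant_type complains about. The integrator key, user GUID and signed assertion are placeholders supplied by the caller; the claim set follows the DocuSign JWT grant page linked in the post.

```python
import time
from urllib.parse import urlencode

# Values from the post; the integrator key, user GUID and the RS256-signed
# assertion are placeholders supplied by the caller (assumed).
AUTH_SERVER = "account-d.docusign.com"  # developer (demo) account server
TOKEN_URL = f"https://{AUTH_SERVER}/oauth/token"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"  # RFC 7523 grant type

def assertion_claims(integrator_key: str, user_guid: str, lifetime: int = 3600) -> dict:
    """Step 2: the claim set to be RS256-signed with the integration's private key."""
    now = int(time.time())
    return {"iss": integrator_key, "sub": user_guid, "aud": AUTH_SERVER,
            "iat": now, "exp": now + lifetime, "scope": "signature impersonation"}

def token_request(signed_assertion: str) -> dict:
    """Step 3: the HTTP action the Flow has to send. The server answers
    unsupported_grant_type when it does not find grant_type set to the
    jwt-bearer URN; a body sent as JSON instead of form-encoded typically
    produces the same answer, so both the Content-Type and the encoding matter."""
    return {
        "method": "POST",
        "url": TOKEN_URL,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"grant_type": JWT_BEARER, "assertion": signed_assertion}),
    }
```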

8 – How to get current user jwt token?

In a custom module, I need to get the jwt token (access_token) related to the current user. Following this issue I’ve tried to get it, but without success, because get_jwt_key() and jwt_token_params() are not defined and I can’t find where they are defined:

use Firebase\JWT\JWT;
...
public function getAccessToken() {
  $uid = \Drupal::currentUser()->id();
  // Add JWT access_token
  $key = get_jwt_key(); // key used to generate the JWT token
  $token = jwt_token_params($uid); // parameters to be added to the token
  $access_token = JWT::encode($token, $key);
  return $access_token;
}

I’ve tried only with:

$access_token = $this->jwtAuth->generateToken();

But I haven’t found how to initialize the $jwtAuth service to generate the token.
Any suggestion?