0tto

Reputation: 367

JWT and securing https REST api

I'm designing a service where server A will POST some JSON data to server B over https.

I'm thinking about using JWT for authentication and pass along some claims like: iss, aud, iat, exp and jti. These will be verified by server B when it receives the message from server A.

{
  "iss": "api.server-a.com",
  "aud": "api.server-b.com",
  "iat": 1356999524,
  "exp": 1407019793,
  "jti": "id123456"
}

Question 1: Should server B also return a JWT token with the reply so that I can verify the reply? Or is this unnecessary since it's https?

Question 2: Will this have any real benefit to security compared to just using HTTP Basic auth with a simple API token over https? Doesn't https guard against replay attacks just as well as checking the iat, exp and jti claims would?

Upvotes: 0

Views: 1162

Answers (1)

Hans Z.

Reputation: 54088

A1: server B will just return the data that the client asks for and is entitled to when the JWT validates correctly. If something does not work out, an error would be returned. The integrity and authenticity of the data in the response is guaranteed by the SSL server certificate validation. No inherent requirement for a JWT response although your server could choose to return a response that includes a JWT if it wanted to.

A2: the security benefits of JWTs are not just in the area of preventing replay attacks (which may or may not be handled by the SSL layer already, depending on the cipher used), but also in the area of client identification and the ability to add limitations in terms of scope (e.g. permissions) and time (e.g. expiry) in an explicit, standardized and verifiable way.

Upvotes: 1
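What server B's validation of the claims in the question looks like in practice, as an added example that is not code from the question or the answer. HS256 with a shared secret is an assumption (the question names no algorithm), and the jti replay set plus a 30-second clock leeway are choices made here; the replay check is what iat/exp/jti add on top of TLS, which is the point of A2.

```python
import base64, hashlib, hmac, json, time

SECRET = b"shared-secret-known-to-A-and-B"  # assumption: HS256 key, not given in the question
ISSUER, AUDIENCE = "api.server-a.com", "api.server-b.com"  # the iss/aud values from the question

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict, key: bytes = SECRET) -> str:
    """Server A: build a compact JWT (header.payload.signature) with an HMAC-SHA256 signature."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"

def verify_jwt(token, *, key, issuer, audience, seen_jti, now=None, leeway=30) -> dict:
    """Server B: signature first, then iss/aud/exp/iat, then jti replay; raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    if json.loads(_unb64url(parts[0])).get("alg") != "HS256":  # pin alg; never let the token choose
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(parts[1]))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong iss")
    aud = claims.get("aud")  # RFC 7519 allows a single string or a list of audiences
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong aud")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise ValueError("expired")
    if claims.get("iat", 0) > now + leeway:
        raise ValueError("iat in the future")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:  # a jti only needs remembering until its token's exp has passed
        raise ValueError("missing or replayed jti")
    seen_jti.add(jti)
    return claims

def check(token: str, seen_jti: set, now: float) -> str:  # 'ok' or the rejection reason, as B would log it
    try:
        verify_jwt(token, key=SECRET, issuer=ISSUER, audience=AUDIENCE, seen_jti=seen_jti, now=now)
        return "ok"
    except ValueError as e:
        return str(e)
```

Note that the order matters: the signature is checked before any claim is read, so an unsigned or tampered payload never reaches the iss/aud/exp logic, and the jti is only recorded once everything else has passed.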
