Grateful

Reputation: 10165

Concerned about JWT security

Recently, I implemented the JWT strategy using passport and node.js... however, I am beginning to worry about the concept in general. Isn't it true that once someone has access to the JWT, it can be used to retrieve protected data? And isn't gaining access to the JWT as easy as using Chrome dev tools?

I could try and reduce the expiry date, however... isn't it true that as long as the user details are the same, the token generated will also be the same every time? So what's the point of the expiry date, if you are going to end up with the same token anyway? I am sure that I'm missing the point here somewhere. Guidance would be appreciated. Thanks.

Upvotes: 2

Views: 135

Answers (1)

Bryce

Reputation: 401

Isn't it true that once someone has access to the JWT, it can be used to retrieve protected data? And isn't gaining access to the JWT, as easy as using chrome dev tools?

Generally speaking, it shouldn't be an issue if the user can access their own JWT -- because they're the one who is allowed and should have access to that token. (Which is what Dev Tools would allow you to access, but not other people's tokens.)

It becomes an issue when someone else can access that user's JWT, which is when things like using SSL/HTTPS show their value (because encryption prevents another user from sniffing traffic and retrieving the JWT, for example). This is a fairly broad topic to try and cover though, but ultimately if someone else can access some random user's JWT then there are security issues, yes. It's not strictly related, but I enjoy this Auth0 article which talks about the differences between JWTs and cookies (which you may already understand -- and hence it may be useful/interesting) and some of the related security concerns and how JWTs fit into the picture.

I could try and reduce the expiry date, however... isn't it true that as long as the user details are the same, the token generated will also be the same every time? So what's the point of the expiry date, if you are going to end up with the same token anyway?

The token's expiry is stored within the body of the token (under an exp key), hence the token's value does change whenever a new token is generated with a different expiry time. RFC 7519 states: "The 'exp' (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. The processing of the 'exp' claim requires that the current date/time MUST be before the expiration date/time listed in the 'exp' claim." Hence, if the library you're using is acting correctly in this regard, then a token with an exp value in the past won't validate correctly and hence the token is unusable.

Upvotes: 2
