Reputation: 54
I’m building a mobile app and API secured with JWT tokens issued from ADFS 3.0. The mobile app is registered as an OAuth2 client with ADFS. I’m concerned someone could intercept the JWT token and use it to access the API maliciously.
My question is will this be enough to secure the API?
Upvotes: 0
Views: 580
Reputation: 6335
The token is indeed sensitive but this is mitigated by a few factors.
The token is passed in the Authentication Header. This is why you need to only pass it via an https call because the header gets encrypted at that point and is secure.
The token is only valid for a while... and you can set this value to whatever you want. I had them set up for 1 hour for example. Even if someone does get a token, they can only use it for that time after which it becomes invalid.
You will need to secure the method of generating the token as well. Keep the ClientID and ClientSecret safe. Don't pass them in a URL for example as that can get intercepted.
If you do all this you will be as safe as anyone can be on the internet.
One final point from me, some people like to store the tokens in a database. I would recommend against it. Keep them around in your client app, yes, in a secure way so you can reuse them until they expire, but don't use any traditional storage which can be stolen, hacked etc.
Upvotes: 2
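The checks the API itself has to run on each request, as an added example that is not part of the original post: pull the token from the Authorization header, pin the signing algorithm, verify the signature, and enforce issuer, audience and the short expiry the answer relies on. It assumes a constructed HS256 key so it runs offline (an ADFS-issued JWT is RSA-signed, so a real API would verify against the ADFS token-signing certificate instead) and made-up issuer and audience values.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims, key):
    # Constructed HS256 token for the demo; a real ADFS JWT is RS256-signed.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def extract_bearer(authorization_header):
    # The token travels in the Authorization header as "Bearer <jwt>".
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise ValueError("missing bearer token")
    return token

def validate_token(token, key, issuer, audience, now=None, leeway=60):
    now = time.time() if now is None else now
    h, p, s = token.split(".")  # raises ValueError unless exactly three segments
    # Pin the algorithm: never let the token decide how it gets verified.
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    # The one-hour lifetime only limits an intercepted token if the API enforces exp.
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise ValueError("token expired")
    return claims
```

The 60-second leeway covers clock skew between ADFS and the API; anything larger just extends the window an intercepted token stays usable.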