Stan Luo

Reputation: 3889

Can a Json Web Token be faked or impersonated?

I have got JWT authentication up and running in my react-native project. Now with every request I make, the token is included in the header as Authorization.

To my understanding, when the server receives my token, it will be decoded into something like:

{ sub: user.id, iat: timestamp, email: user.email }

Then the server will recognize me based on that user.id.

But since there's only the token included in the header, and no userId in the header, how can the server know that I am really the one with that id? Say a hacker got my token; can he then pretend to be me and talk to the server?

Upvotes: 2

Views: 1624

Answers (1)

Robert Harvey

Reputation: 180808

The usual way to prevent such tokens from being stolen in-transit is via Transport Level Security, specifically SSL. The HTTPS connection is established first, before tokens are exchanged between the two systems.

There are potentially other solutions that can also be used to prevent token theft, such as Token Binding Protocol and Proof Key for Code Exchange by OAuth Public Clients.

To provide additional security, tokens are often time-limited. Reference Tokens can be revoked on demand, without having to wait for them to time out.

Upvotes: 3
