Ali Shahzad

Reputation: 5332

Asp.Net Web API JWT Authentication

I have implemented user authentication using JWT in my Asp.Net Web API application. It's working fine: whenever a user logs in, an access token is generated and returned to the client, and the client sends it back with every request to access the secured resource. But if I copy the same access token and prepare a request from any other client (like Postman) using the same access token, it gives access to the protected resource. I think it's normal behavior. But is there any better solution to get rid of this, i.e. not allow any other client even if it is using the same access token, so that the token is made client-specific as well?

Upvotes: 2

Views: 278

Answers (2)

Rogue45

Reputation: 381

You should be passing in a username and password to obtain the token in the first place. That password is the private key that provides security to make sure no one else can obtain a token for that user. As long as your traffic is over HTTPS (SSL), then that token is protected in transit and no one else should be able to intercept it.

Upvotes: 0

PROTOCOL

Reputation: 371

If you don't want any other intruder to copy your access token and access the protected resource, then you must use SSL.

To protect extremely sensitive data, you should keep the token lifetime to a very short window of time. If you are protecting something less sensitive, you could make the lifetime longer. The longer the token is valid, the larger the window of time an attacker will have to impersonate the authenticated user if the user's machine is compromised.

You can check this great answer to learn a few things.

Upvotes: 1
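The behaviour the question describes (a bearer token accepted from any client that presents it) and the mitigation this answer recommends (a short token lifetime) can both be seen in a few lines of code. The following is an added example, not code from the question or from either answer, and it is not ASP.NET code: it is a standalone Python stand-in for the Web API's token issuance and validation, using only the standard library. It assumes an HS256 token signed with a shared secret (the `SECRET` value is constructed for the demo), a constructed user `alice`, and a fixed clock `t0` so the expiry check is deterministic. It also shows why validation must check the signature and the `exp` claim, not just decode the payload.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret (assumption: the API signs tokens with HS256 and a shared secret).
SECRET = b"constructed-demo-secret-do-not-use-in-production"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    """Inverse of _b64url: restore padding before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(subject: str, lifetime_seconds: int, now=None) -> str:
    """Issue an HS256 JWT for `subject` that expires `lifetime_seconds` from `now`."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + lifetime_seconds}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def validate_token(token: str, now=None) -> dict:
    """Return the payload if the signature and expiry are valid; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Only accept the algorithm the server itself uses; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time comparison so a forged signature cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if now >= payload["exp"]:
        raise ValueError("expired")
    return payload


def authorize(token: str, client_label: str, now=None) -> dict:
    """Simulate the API's bearer check: whoever presents a valid token is let in.

    Nothing here identifies the client, which is exactly why the same token works
    from the browser and from Postman. The `exp` claim is the only thing that
    bounds how long a copied token stays usable.
    """
    try:
        payload = validate_token(token, now)
        return {"client": client_label, "allowed": True, "user": payload["sub"]}
    except ValueError as err:
        return {"client": client_label, "allowed": False, "reason": str(err)}


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed fixed clock
    token = mint_token("alice", lifetime_seconds=300, now=t0)
    print(authorize(token, "browser", now=t0 + 10))   # allowed
    print(authorize(token, "postman", now=t0 + 20))   # allowed: same bearer token, different client
    print(authorize(token, "postman", now=t0 + 301))  # denied: expired, replay window closed
```

The two `postman` calls are the point: the copied token is accepted until `exp`, and a 5-minute lifetime means a leaked token is only useful for 5 minutes. Running the check with a longer lifetime widens that window, as the answer says; shortening it is the knob you control server-side without changing the client.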
