How to give clients JSON web token (JWT) in secure fashion?

Question

I have a python application that needs to give users a JSON web token for authentication. The token is built using the PyJWT library (import jwt).

From what I have been reading it seems like an acceptable practice to give the token to a client after they have provided some credentials, such as logging in.

The client then uses that token in the HTTP request header in the Authorization Bearer field which must happen over TLS to ensure the token is not exposed.

The part I do not understand is what if the client exposes that token accidentally? Won't that enable anybody with that token to impersonate them?

What is the most secure way to hand off the token to a client?

Answer 1

Token will be build based on user provided information and what you back-end decided to be part of the token. For higher security you can just widen your token information to some specific data of the user like current ip address or device mac address, this will give you a more secure way of authentication but will restrict user to every time use the same device, as a matter you can send a confirmation email when a new login happens.

Answer 2

You could encrypt the token before handing it off to the client, either using their own public key, or delivering them the key out of band. That secures the delivery, but still does not cover everything.

In short, there's no easy solution. You can perform due diligence and require use of security features, but once the client has decrypted the token, there is still no way to ensure they won't accidentally or otherwise expose it anyway. Good security requires both participants practice good habits.

The nice thing about tokens is you can just give them a preset lifespan, or easily revoke them and generate new ones if you suspect they have been compromised.