How does JWT do Authentication

Question

JWT official docs say that JWT is most commonly used for Authentication.

Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be.

Now if my server gets a request from the client and header of that request contains JWT. I will validate the JWT token with my secret key.

If the token is valid, I can say for sure that:

1. That token was generated by my server.
2. At the time of generating token user had provided their correct credentials. Meaning, if user claimed to be John123, they provided correct password for John123 (server verified this, otherwise server return error response).

If the token is valid, what I can NOT say for sure:

1. On subsequent requests, if the user is claiming to John123 (by passing {userid:John123} in request body) and they provide us with valid JWT, I can't say for sure that their claim is correct. Because its possible that user Alice123 went into the localstorage of John123 and stole the token and set it into their localstorage.

Now my question is how does JWT really validate that the users actually are what they are claiming to be. What I am missing here? Do I need to keep a mapping of JWT, userid and ip of client.

Answer 1

JWT does not validate if the users are what they claim to be, because JWT is not an authentication framework. If you use JWT as an access token, you/your authentication middleware should make sure only to rely on the information in the token itself to identify the user and not any information in the request body.

Ususally you would store the user id or name in the token. The subclaim can be used for that.

The "sub" (subject) claim identifies the principal that is the subject of the JWT. The claims in a JWT are normally statements about the subject.

The authentication middleware ususally only verifies, that the JWT itself has not been modified. But you won't recognize if Alice uses John's token.

Answer 2

Well one step you are missing is that even after verifying the authenticity and claims (e.g. expiration date) of an incoming JWT, you still probably would have to hit your user database to make sure that the account is active and still exists. So a JWT does not by itself solve the entire problem.

Regarding your actual question at the end, you generally have no idea about who the bearer of the JWT really is. If Alice steals John's phone, then in fact she may be able to masquerade as him. But keep in mind, if she does something this drastic, then she probably also has his credit and bank cards, and maybe some other passwords too. No authentication process is completely safe.

With regard to lesser forms of theft, JWT is still robust. For example, if someone tries to setup a man-in-the-middle attack to sniff your JWT, it won't work assuming your app encrypts that JWT with SSL. And the real reason for JWT of course is that they are already signed with a key only known by the server to prevent the bearers from tampering with them.