Vinit Patel

Reputation: 2464

JWT token does not provide current user details

I have created a demo application in .NET Core 2.0 following https://auth0.com/blog/securing-asp-dot-net-core-2-applications-with-jwts/ This is an example of authentication with a JWT token, but I noticed that when I create a token for one user and replace it with another token created for another user (from another browser), it still validates and allows access. Why? Also, if anyone has a good example of a JWT token tied to the currently logged-in user, please share the link, as I am new to this.

Upvotes: 0

Views: 597

Answers (1)

jps

Reputation: 22515

That's how the Bearer authentication scheme works.

The server's protected routes will check for a valid JWT in the Authorization header, and if it's present, the user will be allowed to access protected resources.

(from: How do JSON Web Tokens work?)

So everyone who can present a valid, unexpired token will get access to your protected resources. There's usually no check whether the token was originally issued to you or to someone else.

You are of course free to implement such a check:

  • find something that can't be forged to identify the device and is present on every request

  • add this information (or, better, a hash of it) as a claim to the token. You're free to add claims (basically just key/value pairs) to your token.

  • write your own custom authorization attribute and check whether the request comes from the same device as stated in the respective claim in the JWT.

Upvotes: 1
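The three steps in the answer above, carried through end to end as an added example (this is not code from the question, the answer, or the Auth0 article; it is written in plain Python rather than ASP.NET Core so that the whole exchange runs offline). The "something that can't be forged" is assumed to be the client's TLS certificate, which is what RFC 8705 certificate-bound access tokens use: the token carries `cnf.x5t#S256`, the base64url SHA-256 thumbprint of the certificate, and the verifier recomputes that thumbprint from the certificate actually presented on the request. The signing key and the certificate bytes are constructed stand-ins. The JWT itself is minted and checked with the standard library (HS256 via `hmac`), pinning the algorithm and using constant-time comparisons, so the example also shows why the question's token is accepted: it is valid and unexpired, and only the extra binding check rejects it.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo signing key; a real deployment keeps this in a secrets store.
SIGNING_KEY = b"constructed-demo-hs256-key-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def cert_thumbprint(client_cert_der: bytes) -> str:
    # RFC 8705 "x5t#S256": base64url(SHA-256(DER certificate)). Only the hash goes
    # into the token, so the unencrypted payload reveals nothing about the client.
    return _b64url(hashlib.sha256(client_cert_der).digest())


def issue_token(subject, client_cert_der, ttl=3600, now=None):
    """Mint an HS256 JWT bound to the certificate the requesting client presented."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "sub": subject,
        "iat": now,
        "exp": now + ttl,
        "cnf": {"x5t#S256": cert_thumbprint(client_cert_der)},  # the binding claim
    }
    signing_input = _b64url(_json(header)) + "." + _b64url(_json(payload))
    signature = hmac.new(SIGNING_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_token(token, presenting_cert_der, now=None):
    """Return (ok, reason, payload). Plain bearer checks first, then the binding check."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed", None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return False, "malformed", None
    # Pin the algorithm: the token must not tell the verifier how to verify it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "unexpected alg", None
    expected = hmac.new(SIGNING_KEY, (header_b64 + "." + payload_b64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature", None
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        return False, "expired", None
    # This is where a plain bearer scheme stops: the token is genuine and unexpired,
    # so any client holding it would be let in. The binding check below is the extra
    # step the answer describes: the presenting client must match the bound thumbprint.
    cnf = payload.get("cnf")
    bound = cnf.get("x5t#S256") if isinstance(cnf, dict) else None
    if not isinstance(bound, str) or not hmac.compare_digest(bound, cert_thumbprint(presenting_cert_der)):
        return False, "client mismatch", None
    return True, "ok", payload


def demo():
    """The scenario from the question: a token minted for one client is presented by
    another. Returns the verifier's verdict for each case."""
    cert_a = b"constructed DER bytes standing in for client A's certificate"
    cert_b = b"constructed DER bytes standing in for client B's certificate"
    issued_at = 1_700_000_000
    token = issue_token("alice", cert_a, ttl=600, now=issued_at)

    # Tampering for contrast: change the subject but keep the original signature.
    header_b64, payload_b64, sig_b64 = token.split(".")
    forged = json.loads(_b64url_decode(payload_b64))
    forged["sub"] = "bob"
    tampered = ".".join([header_b64, _b64url(_json(forged)), sig_b64])

    return {
        "same_client": verify_token(token, cert_a, now=issued_at + 10)[1],
        "other_client": verify_token(token, cert_b, now=issued_at + 10)[1],
        "expired": verify_token(token, cert_a, now=issued_at + 601)[1],
        "tampered": verify_token(tampered, cert_a, now=issued_at + 10)[1],
    }


if __name__ == "__main__":
    print(demo())
```

In ASP.NET Core the same logic would live in the custom authorization attribute or policy handler the answer mentions, reading the `cnf` claim from the validated principal and the certificate from the current connection. Forgeable request properties such as the User-Agent header or the client IP are poor substitutes for the certificate: anyone who can replay the token can usually replay those too.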
