javascript - Using JWT to send username, password to authenticate - Stack Overflow

Just started looking at JWT, and the examples I have seen first require the user to do a POST request with the body of the request containing the username and password in plain text. After this request has been authenticated, a JWT is sent, which is then used in further requests.

Clearly I am missing something here, but have I not just sent insecure data in my first request? Is this where I would need HTTPS?

asked Feb 12, 2017 at 14:29 by JD.; edited Feb 12, 2017 at 15:04 by webdeb
  • 1 Yes, you should send the username/password over https – webdeb Commented Feb 12, 2017 at 15:03
  • @webdeb Thanks. What if I make a call to the server which will give me a web token and then I send the username/password. Would that work? Also if I have https, do I just do the first call with HTTPS and then the rest are done with web tokens? – JD. Commented Feb 12, 2017 at 16:18

2 Answers


JWT doesn't give you security out of the box; its main point is to make sure that the token wasn't changed by an untrusted authority. It just verifies that the data inside is correct.

However, the JWT itself, the data block of it, is readable by anyone: you can just parse it on the client and read the userName / email from it if you want to, so an attacker could read it too, if the data block itself is not encrypted.

HTTPS would encrypt all the data which is passed between client <-> server. It has nothing to do with authentication; it's just a protocol. You should use it anyway, with JWT or not.

JWTs are used for authenticating a user who already authenticated himself to the server before, and are really useful in stateless environments, not really in stateful environments.

The purpose of JWT is to store enough data on the user, so that the server that receives it can use it to decide if the user is legit and what he can do. They are really useful in distributed environments, because then you can just pass the JWT from one server to another, and as long as they all hold the signing key, they will be able to authenticate the user only based on the token.

The username and password are only required by the server in the first request, so the server can authenticate the user against a database of users, for example. Every request after that will use the token, making the server able to authenticate the user without another round trip to the database on every request.

As far as HTTPS goes, I would say: use it for everything. With today's wireless networks everywhere, your data is much more exposed than before.
