authentication - What if JWT is stolen?

Question

I am trying to implement stateless authentication with JWT for my RESTful APIs.

AFAIK, JWT is basically an encrypted string passed as HTTP headers during a REST call.

But what if there's an eavesdropper who see the request and steals the token? Then he will be able to fake request with my identity?

Actually, this concern applies to all token-based authentication.

How to prevent that? A secure channel like HTTPS?

Answer 1

I'm the author of a node library that handles authentication in quite some depth, express-stormpath, so I'll chime in with some information here.

First off, JWTs are typically NOT encrypted. While there is a way to encrypt JWTs (see: JWEs), this is not very common in practice for many reasons.

Next up, any form of authentication (using JWTs or not), is subject to MitM attacks (man-in-the-middle) attacks. These attacks happen when an attacker can VIEW YOUR NETWORK traffic as you make requests over the internet. This is what your ISP can see, the NSA, etc.

This is what SSL helps prevent against: by encrypting your NETWORK traffic from your computer -> some server when authenticating, a third party who is monitoring your network traffic can NOT see your tokens, passwords, or anything like that unless they're somehow able to get a copy of the server's private SSL key (unlikely). This is the reason SSL is MANDATORY for all forms of authentication.

Let's say, however, that someone is able to exploit your SSL and is able to view your token: the answer to your question is that YES, the attacker will be able to use that token to impersonate you and make requests to your server.

Now, this is where protocols come in.

JWTs are just one standard for an authentication token. They can be used for pretty much anything. The reason JWTs are sort of cool is that you can embed extra information in them, and you can validate that nobody has messed with it (signing).

HOWEVER, JWTs themselves have nothing to do with 'security'. For all intents and purposes, JWTs are more or less the same thing as API keys: just random strings that you use to authenticate against some server somewhere.

What makes your question more interesting is the protocol being used (most likely OAuth2).

The way OAuth2 works is that it was designed to give clients TEMPORARY tokens (like JWTs!) for authentication for a SHORT PERIOD OF TIME ONLY!

The idea is that if your token gets stolen, the attacker can only use it for a short period of time.

With OAuth2, you have to re-authenticate yourself with the server every so often by supplying your username/password OR API credentials and then getting a token back in exchange.

Because this process happens every now and then, your tokens will frequently change, making it harder for attackers to constantly impersonate you without going through great trouble.

Hopefully this helps ^^