Archive for the ‘OAuth2’ Category

OAuth2 JWT Verification Best Practices

Posted on 10/15/2019 , Alexander,

OAuth2 is very rapidly becoming the de-facto standard for securing APIs.
An OAuth2 JWT token is a signed JSON snippet containing fields (claims) that are needed to make a decision about granting access.

It is important to understand the inherent risks of OAuth2/JWT and make sure that the right mechanisms are in place to mitigate them.

A JWT token is similar to an X509 certificate. If a certificate is signed by a CA we trust (and if it is not expired, the signature is valid, etc.), we will trust the TLS client (or our browser will trust the server using this certificate). A JWT token is signed by an authorization server as opposed to a CA, so we have to trust the authorization server in order to authorize the client.
(more…)