I have been tasked with creating a backend validation component to take a JWT token provided by the front-end (ANGULAR) authentication sign in. I need to take this token, parse through it, validate it to then be able to access a protected resource (Kong Gateway/Endpoint)
What are some approaches to being able to "grab" the JWT token from the front end to be able to use it for my back-end validation?
Most of the time, you are going to use the Authentication Bearer approach, despite the fact that you could also manage the whole thing by yourself.
If you use Spring / Spring boot, you're provided with a number of facilities / libraries to deal with JWT token, for both supporting API security and handling JWT via code.
For example, have a look at this tutorial which explains the underlying concepts pretty well.
Stephan van Hulst wrote:
I'm more concerned about what you mean by validating the token. Who signs the token? You? A third party? Is the party that signs the token also the holder of the protected resource?
In case you neither do the signing nor hold the protected resource, then why are you validating the token at all? Just pass it on to the holder of the protected resource.
I think that OP means by "validation" the process to verify if the caller may or may not access a given resource, i.e. at the very end, extract claims and reconstruct roles. Anyway, your concern is really a good point...
In my own experience, I used to use an external Identity and Access Management (IAM) system, like Keycloak, to handle the authentication mechanism and to generate JWT tokens. Depending upon the security level you want to achieve, you can rely on it for validating JWT, signing tokens, handling revocation, and so on. But for simple scenarios, this architecture may be overkill. If you are the token issuer, you may store the tokens you have issued somewhere - on a DBMS, or simply in memory: at every API call, just verify if the token is in your registry or not, and accept or reject it accordingly.
Is JWT used for verifying that the message from the original sender is not altered?
Its format is like this, separated by periods: xxxx.yyyy.zzzz, where xxxx is the header info, yyyy is the message, and zzzz is the hash value of xxxx and yyyy.
If xxxx or yyyy are altered, the newly calculated zzzz' will not match the original zzzz. This means the message or header is altered.
However, I heard JWT is not completely secure. An attacker can steal the original message, alter it, calculate another zzzz'' hash value and send it to the server side. The attacker will receive a JWT token from the server, and attach this JWT token to make subsequent requests.
Basically, the attacker is pretending to be the original legitimate user and successfully accesses data from the server.