Don't recommend JWT #6
Comments
|
So, what do you recommend? I've seen subjective opinions and some nonsense as well. |
|
The only real problem I am aware off is that - if you adhere to the standard - the client can prevent/tamper with the encryption of tokens. That would indeed be a problem. |
|
There are also macaroons but I don't have my own feedback yet on this http://evancordell.com/2015/09/27/macaroons-101-contextual-confinement.html |
|
Whats the alternative of JWT ? |
Fernet is nice. Bad thing is the project seems to be pretty much dead. At least the maintainers have been in radio silence for a while. |
|
JWT is just a way to make a token whose contents can be authenticated. If all you need is a token, JWT gives you nothing. There's details around for generating a good token, in general. Assuming you've generated a token, the next question is how to use it: will you create an authorization token and refresh token like with oauth2? will you create a token and call it an 'api key' and just given it to the user? Will you require a 'client id', along with the 'client secret/api key'? Also, if the authorization is for a web app, cookies make a good transport mechanism, especially if you set HTTP only and secure true. Avoiding CORS is useful since it costs an OPTIONS preflight request. If we want to authenticate all requests on same domain, having an nginx proxy and avoiding CORS altogether makes the most sense (esp if we think of CORS as a way to improve upon JSONP) https://stackoverflow.com/questions/869001/how-to-serve-all-existing-static-files-directly-with-nginx-but-proxy-the-rest-t see https://auth0.com/blog/2015/03/10/blacklist-json-web-token-api-keys/ https://stormpath.com/blog/build-secure-user-interfaces-using-jwts https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage In terms of security, all API calls should be using https and there is little difference in putting the token in headers or as part of the query string CSP, HSTS, CORS, WTF |
|
Here in what i came up with.
What are the flaws in it ? |
|
I agree that JWT should not be recommended. JWT (JSON Web Tokens) is a Bad Standard That Everyone Should Avoid does a good job of explaining the issues as well. |
|
@netcode Is there any final decision regarding JWT? Whether to accept/reject pull request #69 (currently open) could be influenced by any final decision regarding this issue. Edit: Merged for now, seeing as the PR only adds links for information which already exists anyhow, and doesn't really change the context of the information already available. |
|
@Maikuolan , not yet , there is a debates all over the internet and inside our company too :D. How about add a note regarding the issue raised here and the outside articles , what do you think guys ?? |
|
I'd be in favour of that. With no clear consensus (and, depending whether one is in favour of JWT or against it, using it could be considered really good, or really bad advice), I think, adding a note to explain both sides of the argument, with appropriate links (pointing to some resources for how to use JWT, reasons to use it, reasons to avoid it, etc), would probably be the best solution for now. |
|
@Maikuolan Following up my original comment and responding to subsequent ones, I think it would be beneficial to point out that from a security point of view, JWT can only authenticate data. It is, itself, orthogonal to authenticating a user session. Let's consider the use case of an authentication token:
Let's consider the use case for a JWT:
Let's consider the number one misuse of JWT for authentication:
You'll notice that if we omit the steps with the word 'JWT' in it, you're just describing a session id as commonly used. You're still hitting a database or datastore to look up the user, but using extra CPU cycles to encode and decode the JWT, as well as more bandwidth, since it is bigger than a simple session id. Moreover, if you're serving data via SSL, authentication is less important. Moreover, if you're storing your session in a secure cookie, it's already encrypted, so encoding it has no additional benefit. So, unless you have services that can answer a request solely based on the contents of the JWT, you're just wasting CPU cycles and bandwidth. This is especially relevant in CPU-bound applications such as Node.js. What's really frustrating is that there's there this 'cookie vs JWT' debate. Which makes no sense because if you're using an HTTP header for authentication, please to remember that cookies are headers and JWT is a spec for encoding authenticated data. Unless you think it's reasonable to debate whether it is better to use 'Keys vs. Values' in hash/map or parameter. |
|
While we are at it, I would appreciate feedback on the Branca token spec which I have been working on as a secure alternative to JWT. Since it defines only token format and encryption scheme you can still use same payloads as with JWT. |
Here is a link to an issue with more links to articles explaining what's wrong with usin JWT on the client: shieldfy/API-Security-Checklist#6
|
Thanks @bf4 for the detailed reply and additional information, and thanks @tuupola for providing a possible alternative for us to look at. :-) I think, one thing that could probably be safely agreed upon, regardless of which side of the fence people sit on in regards to JWT, is that thus far, there isn't a huge amount of context provided by the checklist at this point in terms of what we mean by "authentication". Maybe that would be a good starting point (e.g., providing some more context in the checklist for the types of authentication we're talking about, the context where such authentication should be used, what for, etc)? |
|
I don't see everything being wrong with JWT, there are some non recommended ways of using it. Recommend the safe ways of using it and stop spreading FUD. |
|
So here are my questions/scenarios if someone could clearly explain why JWT aren’t the right way and what is the right way:
|
|
Matt- mind helping us help you by sharing what was unclear from the above? Also, any programmer that gives you 'the right way' should be ignored. Cryptographers and devs make some good arguments why JWT are often a poor data format, see above, yet it remains popular. Who is right?
B mobile phone
… On Nov 18, 2017, at 2:42 PM, Matt Shull ***@***.***> wrote:
So here are my questions/scenarios if someone could clearly explain why JWT aren’t the right way and what is the right way:
how to do authentication for users of a website
how to do authorization for users of a website
how to do auth for a public API that developers can use to hit endpoints
how to do an internal API only used for the website
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
I don’t know that there is clarity above. I see a lot of disagreement so I wanted to know from the side of the “JWT is a bad pattern”, what’s the best way to do what i mentioned above. If the answers are clearly laid out and I’m just missing it, could you help point me in the right direction? |
|
Matt-
Sounds like that's a separate issue you should open.
I misunderstood your question. My answers:
- How to authenticate users is a pretty big topic. If you mean how to
persist user session, then the answer is usually a cookie or a token.
- How to authorize users is a pretty big topic. If you mean, how can I
know what privileges a user has if I can't encode them in the session..
then your site will probably be hacked pretty quickly, since business rules
of that sort need to live on the server.
- How to authenticate a public API. Is the same question and answer as the
first.
- How to do an internal API: The reductive answer is 'don't expose it to
the public'.
Generally, using TLS/SSL helps.
If you're wondering why my answers don't mention JWT, that's why I
suggested opening a new issue. You might also want to look at the OWASP
top ten. https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
You wrote:
So here are my questions/scenarios if someone could clearly explain why JWT
aren’t the right way and what is the right way:
- how to do authentication for users of a website
- how to do authorization for users of a website
- how to do auth for a public API that developers can use to hit
endpoints
- how to do an internal API only used for the website
…On Tue, Nov 21, 2017 at 11:34 AM, Matt Shull ***@***.***> wrote:
I don’t know that there is clarity above. I see a lot of disagreement so I
wanted to know from the side of the “JWT is a bad pattern”, what’s the best
way to do what i mentioned above.
If the answers are clearly laid out and I’m just missing it, could you
help point me in the right direction?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#6 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAIuQvVx71c3WOcLUppBHF-lNyoyF4Muks5s4wmggaJpZM4OR6se>
.
|
|
Its like everyone is saying don't use JWT but I can't see anyone explaining what else to use. Too much discussions on why it sucks but no one actually says what should be done. Tired of searching the whole web for answers now. |
etc Agree that this issue should have some output |
|
@bf4 I hope you understand my frustration. I saw the comments you mentioned and I have looked at it still its the same there are tonnes of stuff like tonnes of No's but only thing that I saw was use TLS yea well that works too. In web its still ok we can use csrf and session and use it. but how will someone implement it for a mobile app which only talks through api. Any suggestions ? |
|
|
Finally.. if you use jwt properly, does not matter. |
some would say that even when it has a good use case, of which there are not many, there are better specs to use. https://speakerdeck.com/rdegges/jwts-suck-and-are-stupid https://www.youtube.com/watch?v=GdJ0wFi1Jyo cc @rdegges |
|
Is about cookies vs JWTS. In APIs is not a valid scenario... |
|
Disagree. He is an API builder. I build APIs. Cookies don’t work in certain situations, but that’s orthogonal to JWT. A cookie is a token in an http header. The point of the issue is, when you make a token, you almost certainly should not use the JWT spec to generate it.
Again, if you want to make a token, there’s a number of ways to make it. If you want to preserve state across requests, a cookie one place in the request/ response to put a session token. Someday I’ll write up my own research and experience. I point to Randall because I think he explains from a practical point of view, crypto aside, why JWT is a poor choice for authentication.
Did you know you can use secure http-only cookies over CORS from a static React site? Sounds like an API to me :) (though it’s better to avoid CORS if you can)
… |
Yes, The problem is finding a way to make an API stateless without cookies. JWT take place here... Anyway, I like to debate it :) So, how to implement authentication if you can't use cookies? |
|
I guess we can just encrypt the sensitive data object too and add it to jwt token ? and whenever a request comes decrypt and use it. But would it be time consuming ? Looked at Paseto but couldn't see a NodeJS library built on it i guess it was written in PHP let's keep the conversation running its time we come to a solution.
|
|
This is a really interesting topic. The talk linked to above is my talk which I'm always happy to discuss. It's quite hard to sum it all up into a short Github comment though. The gist of it is this:
In pretty much every single situation imaginable JWTs are worse than just using a randomly generated API key of some sort (or session ID if we're talking about web apps). There is no benefit to using them, only downsides. Instead of using JWTs my recommendation is to keep it extremely simple:
If security is a major concern: store API key secrets hashed using a fast algorithm (intended to allow for many concurrent lookups without hammering CPU/memory/cores with "good" algorithms like argon2, scrypt, and bcrypt). This way key secrets are unrecoverable (like what AWS does) and you can trust them slightly more. |
Yup this works for web app and is fine to an extent. adding csrf to it will slow down any attacker i suppose
But what about a mobile app where we still need to maintain sessions and we actually don't have access to cookies there. Can you suggest ? |
|
|
@paragonie-scott Just to clarify:
The approach of paseto is hiding the algorithm used to generate tokens?
Could provide links about that? Would be useful in this thread! About the other comments like encryption, revoking, data sent inside the token, etc. How paseto improves that? |
It isn't "hiding" the algorithm. The algorithm is pre-negotiated and hard-coded for each "version". There is no ciphersuite agility, you get One True Ciphersuite for each version of the protocol.
https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
The facts about revocation and caching still apply to Paseto. It's meant to be a cryptographically secure alternative to JWT, but it still has the same use cases and pitfalls of JWT usage (albeit none of the vulnerabilities introduced at the joinery of cryptographic primitives). |
|
@paragonie-scott I look like a JWT Fan 😆
Using By the way, I'll follow up your project waiting for nodejs implementations :). |
|
I am not sure may be this is a silly question. How do you maintain session or validate a logged in user ? If it was a cookie based web app then it was fair and simple but I am talking about a service for mobile app. Please suggest a way. |
We're now off-topic, in my opinion, but let me ask you back: If you never heard of a JWT, would you be able to write an API for a mobile app? (Hint: the answer is yes, and is contained in all the discussions in this issues, and anywhere else people talk about authenticating. e.g. Do you have an AWS account? Can you access the API? You have a client id and secret right? Have you ever used oauth2? Or an auth token) |
|
may be I am missing something. Can you guide me to a resource, this auth thing is too confusing. I am aware of oauth but I don't have a requirement to use social networks for auth tokens. was looking at http bearer but still that method is like anyone with the bearer token can use it if anyone with some browser knowledge can just get it from the header |
I think it can be summed up in one sentence: one can achieve same things with both stateless tokens and plain old sessions. One should not use stateless tokens because plain old sessions already exist. Although I do agree with most of @rdegges slides I do not agree with the conclusion that the stateless tokens are inherently bad. Note how I am not talking about JOSE / JWT but stateless tokens in general. I do agree JOSE / JWT is a cryptographically bad standard and after using it for a while I avoid it now myself too. Stateless tokens are quite useful in m2m communication. My use case usually is to include the scope which the given token is allowed to access. Something similar as GitHub does.
I trust XChaCha20-Poly1305 tokens as much as I trust a randomly generated session id with data stored in tmpfs. Of course you can leak the token the same way you leak passwords and session ids. Whenever and however you credentials you will have problems anyway, no matter what tech you use. Also I think it is bit misleading to say session sessions cookies have had "No vulnerabilities like... forever". Session hijacking has been around for a while. One could of course argue of course this is not a vulnerability in the cookie spec itself but how cookies are used. TL;DR Everything is a compromise. Both plain old sessions are stateless tokens are ok. Most of the time you are good with plain old session. Neither of them are perfect. Avoid JWT though. |
Because those aren't the arguments being made here, at all. Those are straw man arguments. The real arguments are outlined here. Put shortly: JOSE (JWT, JWE, JWS, etc.) is an error-prone cryptographic design. The error-prone nature of its design has led to vulnerable implementations and avoidable cryptographic failures. Nobody's arguing that "If the private key leaks, anyone can fake a token". That's just restating the premise of cryptography. |
|
More on topic: Every PASETO implementation now supports
Additionally, I've submitted the first RFC draft for XChaCha20-Poly1305 to the CFRG to review. If you're interested in symmetric-key authenticated encryption and might want to contribute to this RFC draft, check out the Github repository. |
|
Lots of fud as usual: if the algo is locked, you are just doing fine (regarding OP). PASETO is indeed a better specification, because the algorithm is indeed pre-defined, but it is a non-issue if you are using signed/encrypted tojens with pre-defined algorithms. |
|
The debate revolve around Stateful vs Stateless StatelessA stateless token allow you to easily decoupled parts of your application and split in into microservices. StatefulStateful tokens mean that you will have a SPOF (Single Point of Failure) as you will have session management as a center part of your system. I don't mean that it's a bad architecture, it can be enough for most cases (even more if you run a unique server), but in the case of scalability, it can be painful. StoringFor storing the problem is the same for JWT and Session token too, and for everything that you need to store on the client side ! So no it's not a good argument for or against JWT. JWTJWT content is not encrypted don't forget that!
And that all!! PS: In the case you just want to support only one algorithm for JWT. |
|
the way i use JWT--->
Will try PASETO too |
|
Aside from the above. If you really need more than information, why not include secure information in the additional information field via a fernet key. I use fernet all over the place. This could be used to encrypt scope and limit access in certain ways, pass encrypted data that is pretty hard to change; etc. while maintaining verifiable token scopes, issuer information; other verifiable things. A bearer token is nice for this though. |
|
I am surprised I didn't see references to some RFCs in the discussion yet. I know their are a couple of drafts that don't recommend JWT using implicit or password grants particularly on SPA because the user environment (web browsers) is not constrained unlike a phone app. If you are using it within your own SPA without providing federated services (authorization codes to get access codes) they still recommend server side sessions. https://tools.ietf.org/html/draft-ietf-oauth-security-topics-12 |
and others
Also, link to a longer comment from him about why JWT is a bad plan.
The text was updated successfully, but these errors were encountered: