Blogs on Claes Jonsson

JWT Security Issues

Tue, 21 Mar 2017 00:00:00 +0000

JWT Security Issues Security concerns Signature Stripping A malicious party can simply strip the signature, remove the encryption algorithm header so it seems no signature is provided, and then go ahead and alter the payload. If the client does not explicitly require a signature to validate against, this would be a valid, unsigned JWT. Remedy: Always require a signature by failing validation if no signature is present; this must be the very first thing in the processing of the request, so no further processing can take place.

Trust between Event Driven Microservices using JWT

Fri, 24 Feb 2017 00:00:00 +0000

Introduction

In the previous post in this series of posts about JWTs, I presented an example of how JWTs can be used to establish trust between microservices. In this post I will show an example how this can also be used in an event driven microservice system.

Establishing Trust between Microservices using JWT

Wed, 15 Feb 2017 00:00:00 +0000

Introduction

In case you are unfamiliar with JWT (JSON Web Tokens) you can think of them as credentials you can use whenever a proxy or stand-in need to represent a user of any kind; human, another microservice or another system altogether. Besides the token itself, they can contain additional information that is cryptographically verifiable, meaning the information, whether is authorization claim, service request data or any other information, is secure against tampering.

Introduction To JWT

Tue, 07 Feb 2017 00:00:00 +0000

Introduction

From the introduction at jwt.io :
“JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA.”

So what is it really and how can you benefit from them?