You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Using JWTs as sessions is not recommended by several large security companies and not spring boot themselves and that there is a reason as to why spring security does not have a JWTFilter built in by default.
There are several blog posts advising you from not using JWTs as sessions. That dates back to 2016.
The latest draft from RFC draft from ietf (the managers of auth2) has updated their recommendations for the implicit flow (authentication and handing out tokens straight to public clients, aka browsers) to SHOULD NOT, meaning that any new development of such logins should not be implemented.
And as previously the Resource Owner Password Credentials Grant has the MUST NOT recommendation, which means basically that this should never exist on the internet.
The current recommendations by spring security is to implement Oauth2, using the BFF pattern, following a standard like Open ID connect, which hands out all tokens to browsers using cookies, that have the Secured, HttpOnly, and SameSite flags set.
Which means that all blogs/videos that are showcasing JWTFilters that are using JWTs as sessions are not recommended.
There also several vulnerabilities with the approach in this repo as listed by:
For instance, in this solution, you cant logout the user. And no, deleting the token from the front end does not mean the user is logged out.
JWTs are to be used as single one shot tokens between microservices, and should not be handed out to browsers, especially not be accessible by javascript in browsers, as this is extremely dangerous.
The text was updated successfully, but these errors were encountered:
Using JWTs as sessions is not recommended by several large security companies and not spring boot themselves and that there is a reason as to why spring security does not have a JWTFilter built in by default.
There are several blog posts advising you from not using JWTs as sessions. That dates back to 2016.
https://developer.okta.com/blog/2017/08/17/why-jwts-suck-as-session-tokens
https://redis.io/blog/json-web-tokens-jwt-are-dangerous-for-user-sessions/
http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/
http://cryto.net/~joepie91/blog/2016/06/19/stop-using-jwt-for-sessions-part-2-why-your-solution-doesnt-work/
https://www.youtube.com/watch?v=GdJ0wFi1Jyo
The latest draft from RFC draft from ietf (the managers of auth2) has updated their recommendations for the implicit flow (authentication and handing out tokens straight to public clients, aka browsers) to SHOULD NOT, meaning that any new development of such logins should not be implemented.
And as previously the Resource Owner Password Credentials Grant has the MUST NOT recommendation, which means basically that this should never exist on the internet.
The current recommendations by spring security is to implement Oauth2, using the BFF pattern, following a standard like Open ID connect, which hands out all tokens to browsers using cookies, that have the Secured, HttpOnly, and SameSite flags set.
Which means that all blogs/videos that are showcasing JWTFilters that are using JWTs as sessions are not recommended.
There also several vulnerabilities with the approach in this repo as listed by:
OWASP:
https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
IETF:
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#name-attacks-and-mitigations
Stack Overflow answers:
https://stackoverflow.com/questions/77591848/spring-security-6-use-jwt-tokens-instead-of-jsessionid-after-oauth2-login/77592667#77592667
For instance, in this solution, you cant logout the user. And no, deleting the token from the front end does not mean the user is logged out.
JWTs are to be used as single one shot tokens between microservices, and should not be handed out to browsers, especially not be accessible by javascript in browsers, as this is extremely dangerous.
The text was updated successfully, but these errors were encountered: