Sure if you don't implement it properly, but that goes for everything, so...

How about just add a table call "signout_jwt" on db, add it on the table when user signout, than check when log in, if find that is on the db than reject the sign in. After the jwt is timeout, than delete it from the db 🤔

Not with OpenID wich exposes a /logout endpoint. Also, JWT MUST MUST MUST be used to identify YOU, but not to AUTHORIZE you. system: OK so you say that you are Sandipb, let me check and I will store your sesssion if true. OK, this is you, nice, I'm going to check that you are authorized to do this. OK, go for it. Next time I will not go to identity server to check your token, they can callback me if you logout.

This is why its best to only allow a jwt a 5 minute window, at which point a new jwt needs to be authed before more api use.

@@backdownhipi isn't this will make your user log in every 5 minutes? I still don't get the essence of refresh token for this

So can we set a time on the User when they log out so that if a request comes in and we validate that the user is logged in. First. But there would have to way to store JWT on db huh.

that is disgusting 😡

For me: json => JAY-SONG(silent G) jwt => J.W.T

cookies are difficult in case of microservice authentication

The cookies are good for browsers, they are handle automatically by then, and modern implementation allows you to hide the cookie from JS for example, avoiding for example to allow somene to stole your session with script injection flaws. But JWT is really easy to implement in any layer, APIs are not only between your browser and your server, are also server trough server, if you try to handle cookies in your server code you will realize the difference.

Cookies have nothing to do with JWT, even with sessions.

please read what a cookie is.

Authorization services such as Keycloak can control that. Most likely through a number of issued refresh tokens.

Is it not possible to look at the JWT payload and get the user details and maintain the session data to determine the concurrent sessions?

They're not that easily stolen if you send them over HTTPS. The payload may not be encrypted, but an attacker can't modify the payload (i.e. replace your email or user ID with their own) because they would have to make a new signature for that payload, which requires them to have access to the signing key that only the server has

User supplies information to server to authenticate (like username/password or oauth token). Server mints new JWT and sends it back to client, who then stores it in browser storage/cookies. Client makes subsequent requests to server like POST /data to transmit data or GET /user to get their profile or even check if they are still authenticated using this JWT (since a status 401 on GET /user indicates your JWT is no longer good and client can re-route to sign-in page)

They're no more or less likely to be stolen than any alternative access token. The video itself is confusing

The video appears to be confused about different layers of security. JWT is just a serialization format to encode auth metadata. The actual security is guaranteed by the underlying protocols, like OIDC/OAuth2 etc, which mandate state and nonce fields, as well as https/TLS 1.2+ transport.

@@alastairzotos you also need additional mechanisms (state and nonce etc.) to avoid CSRF and replay attacks.

You can disable an access token if it's leaked

I just realized after sending the message that jwts can be disabled also

@@patenlikoyun Yes because they aren't different except for what I noted

@@patenlikoyunyou can't invalidate individual jwt tokens since they are not stored on the server. you can just delete the private key, so all tokens signed using that get invalidated which is a big impact as compared to invalidating individual sessions.

You can also put the client's IP (as seen by the server) in the JWT when creating it. Validate it just as you would the signature, issuer etc. Any attacker getting ahold of the JWT would have to perform the attack from the client's network, rather than sending it back to a Command and Control server/their network.

Nobody knows, I asked and got no replies 😔

If I was to guess After Effects

I also have same question

It is in the description, illustrator and after effects.

Probably After Effects. But it can also be done using Manim

I thought this first, but it's used for signing not encryption.

You sign with the private key so that anyone with the public key can verify the signature

You should never send roles and permissions, that would be a huge security breach. You check roles and permissions based on the ID.

@@biomorphic Based on the claims?

@@biomorphic anyways... I always have doubts on this matter... Because consulting an endpoint that returns your roles and permissions in a normal http request seems very insecure to me

There isn't any security issues putting roles and permissions in a JWT.

@@biomorphic or maybe the authZ policies can be handled at the gateway. btw apart from the roles being public, I don't see any other issue especially if you want the request to be authZ stateless. Preferably I think the best way is to incorporate zanzibar adjacent open source tools to deal with user/service policy at an atomic level.

Although its possible to do it like this, I've never seen anyone generate JWTs on the client side. This entire flow sounds extremely inefficient and counter-productive. You may as well use cookies+session management if you were to implement it like this...

@@doxologistAgreed - general rule is to never trust the client, and that would extend to JWT. @Biomorphic, consider that if your private key is in the mobile app, then you basically just *gave it to an attacker to use themselves*. Generating client side is a crappy idea.

It is not inefficient. Generating a token is not really time consuming. And it is much more secure, and never requires to relogin or to use a session, which are indeed slow and dangerous.@@doxologist

You are wrong. How do you steal a secret that is stored in the keychain? You need to have access to the device, and you need to know the device password to access the keychain, and even if you have access, the value stored in the keychain can be encrypted. At that point you would need to debug the app itself to see which key is used to decrypt. Considering apps are sandboxed, you are not going to do that, not in a million years. And if you manage, that means you have full control of the device. You can't do shit if you don't have access to the device. But you can steal a token generated on the server any time. Also the token generated by the client can't be reused, because it changes for every call, so you cannot even perform a replay attack. And you don't need any fuckin session. To be able to act like that client you need to be able to generate a token with uid, did, exp, nbf, and sign it with the private key, which means you need to have access to it. You can steal the token as many times you want but you cannot ever use it. Meanwhile if you steal a token generated by the server, you can use it multiple times, and even alter it. And by the way, generating a token on the client is what Apple does. You all go for the easiest, or better, the most used solution, which is often the worst. Sessions should never be used. @@marklnz

@@biomorphic 1) not all apps are on Apple. 2) Not all clients are apps. 3) You are naive in the EXTREME if you think for one second that ANY secret on ANY client is completely safe. I'm not going to go into the specifics of anything but attacks on the keychain HAVE been successful in the past. If you build an app and say "I'm generating the token here so I need the private key" then you're making that a requirement for ALL clients of the service you're securing. So a website that uses the same API, for example. That website is going to then ALSO have to have a copy of the private key. Do you see where I'm going with this yet? You're also assuming that all users of the app are *legitimate* users. "You need to have access to the device, and you need to know the device password to access the keychain" - if I'm trying to access your API by generating a fake token then I'm just gonna go ahead and install your app on my device - then guess what? I *have* the device and I *know* the password. FFS man! Get it through your head - NEVER store secrets on a CLIENT!!!! Also, your assumption that I use sessions is wrong. I've NEVER done it that way. Always use JWT, just with *server signing* as you're SUPPOSED TO DO.

I wouldn't have been able to read that file at all. If that error was easy for you to spot, you must be one of those humans.

Tell me you don't know what a JWT is without telling me you don't know what a JWT is 😉