Token based Authentication system using JWT (JSON Web Token)

For securing web and mobile applications, authentication plays a vital role.

Session-based authentication used to be the norm: the session state is persisted on the server side, so the server has to keep that state for every logged-in user and share or replicate it across servers as the application grows, which causes scalability issues. To avoid this we can opt for token-based authentication.

So what is token-based authentication?

In simple words, a token is a credential the client presents on every request to prove who it is to the application.

A token is nothing but a piece of data generated for a particular user and signed by the server. The token is sent with each request and plays a vital role in authenticating every request the server receives.
Token-based authentication has become popular in the past few years with the rise of single-page applications, web APIs, mobile apps and the Internet of Things (IoT).

Let's discuss the advantages of token-based authentication.

It is stateless: the server does not have to maintain the user's session information in the backend. Whenever a request arrives with a valid token (one whose signature checks out and which has not expired), the request is trusted, because the token itself carries the information about the user. This makes the server side easy to scale horizontally.

In native mobile application development, the token-based approach simplifies authentication.

Cross-domain / CORS: cookie-based authentication works well within one domain and its subdomains, but managing cookies across domains is more complicated. A token sent in a request header is not tied to a domain.

So how do we implement token-based authentication?

This is where JSON Web Token, a.k.a. JWT, comes in.

Let's look at JWT, starting with the definition:

“JSON Web Token (JWT) is a JSON-based open standard (RFC 7519) for creating access tokens that assert some number of claims. For example, a server could generate a token that has the claim “logged in as admin” and provide that to a client. The client could then use that token to prove that he/she is logged in as admin. The tokens are signed by the server's key, so the client is able to verify that the token is legitimate.”

What does a JWT look like?

[Diagram: header.payload.signature, the three dot-separated parts of a JWT]

The header names the signing algorithm and the type of token. It is base64url encoded, not encrypted.

The payload carries the claims about the user, e.g. userId, role, permissions. It is also only base64url encoded, so anyone holding the token can decode and read it: do not include sensitive information here.

The signature is computed by the server over the encoded header and payload using a secret key, e.g. with the HMAC-SHA256 (HS256) algorithm. It is a signature, not encryption: it proves the token was issued by the holder of the key and has not been tampered with, but it hides nothing. With a shared-secret HMAC only the server can check it; with an asymmetric algorithm such as RS256, anyone holding the public key can.

You can paste a token into https://jwt.io to see its three parts decoded.

Awesome cool……:)

But wait... where do we store the token, how secure is it, and how do we send it in the API calls?

This assumes you are aware of XSS and CSRF attacks.

  • Is it safe to store the token in local storage / session storage?

                  No. Anything page script can read, an XSS payload injected into the page can read too, so experts advise against keeping tokens or other sensitive information in web storage.

https://www.owasp.org/index.php/HTML5_Security_Cheat_Sheet#Local_Storage

https://www.whitehatsec.com/blog/web-storage-security/

  • How do we prevent that, and where should the token be stored?

                  Store the token in a cookie flagged HttpOnly, and also flag it Secure so the cookie is only ever sent over HTTPS. Script running in the page, including script injected through an XSS flaw, cannot read an HttpOnly cookie, so the token itself cannot be stolen that way. (Note that XSS can still issue requests from the victim's browser, which the cookie will accompany; HttpOnly protects the token from being read, not the session from being used.)

  • Why store it in a cookie, isn't that subject to CSRF attacks?

                 Yes! A cookie is attached automatically to every request the browser makes to that site, so if the server authenticates from the cookie, a request forged by another site carries it too. The workaround proposed here is to keep the token in the cookie but have the client copy it into a request header such as X-AUTH-TOKEN, and have the server validate the token only from that header, never from the cookie. A cross-site page cannot put a custom header on a forged form submission, and a cross-origin XHR or fetch with one triggers a CORS preflight the server can refuse, so the forged request arrives without the header and is rejected. One caveat: for page script to copy the token into the header, the cookie cannot be HttpOnly, which gives back some of the XSS protection described above. If you want to keep HttpOnly, use a separate anti-CSRF token (synchronizer or double-submit cookie pattern) or the cookie's SameSite attribute and let the server read the JWT from the cookie.
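The following Python is added here as an illustration and is not code from the original post. It models the arrangement described in this answer: the token is stored in a cookie with the Secure, HttpOnly and SameSite attributes set, and the server takes the token for authentication only from the X-AUTH-TOKEN header. Three simulated requests show why that defeats CSRF, and also show the caveat that with HttpOnly set the legitimate page cannot read the token to copy it into the header. The cookie name auth_token, the browser model and the placeholder token string are constructed for the example; checking the JWT itself (signature, expiry) is a separate step not covered by this block.

```python
"""Added example: cookie attributes and header-only token extraction (stdlib only)."""
from http.cookies import SimpleCookie
from typing import Dict, Optional

COOKIE_NAME = "auth_token"    # assumed cookie name, not from the post
HEADER_NAME = "X-AUTH-TOKEN"  # the header the post proposes


def set_cookie_header(token: str, http_only: bool = True) -> str:
    """Return the Set-Cookie value that stores the token in the browser.

    Secure:          only sent over HTTPS.
    HttpOnly:        document.cookie cannot read it (blunts theft via XSS).
    SameSite=Strict: browser leaves it off cross-site requests (defence in
                     depth against CSRF, independent of the header check).
    """
    jar = SimpleCookie()
    jar[COOKIE_NAME] = token
    morsel = jar[COOKIE_NAME]
    morsel["secure"] = True
    morsel["httponly"] = http_only
    morsel["samesite"] = "Strict"
    morsel["path"] = "/"
    return morsel.OutputString()


def browser_request(token: str, http_only: bool, page_is_same_site: bool,
                    samesite_strict: bool = False) -> Dict[str, str]:
    """Constructed model of the headers a browser attaches to an API request.

    - The cookie is attached automatically, whichever page made the request,
      unless the cookie is SameSite=Strict and the page is cross-site.
    - Only our own page's script can add X-AUTH-TOKEN, and only if it can read
      the cookie, i.e. the cookie is not HttpOnly. An attacker's page cannot
      read our cookie (different origin) and cannot put a custom header on a
      forged form post; a cross-origin fetch with one triggers a CORS preflight.
    """
    headers: Dict[str, str] = {}
    if page_is_same_site or not samesite_strict:
        headers["Cookie"] = f"{COOKIE_NAME}={token}"
    if page_is_same_site and not http_only:
        headers[HEADER_NAME] = token
    return headers


def token_from_request(headers: Dict[str, str]) -> Optional[str]:
    """Server side: the token is taken ONLY from X-AUTH-TOKEN.

    The Cookie header is deliberately never consulted for authentication, so a
    forged cross-site request, which carries the cookie but not the header,
    authenticates as nobody. HTTP header names are case-insensitive.
    """
    normalised = {name.lower(): value for name, value in headers.items()}
    return normalised.get(HEADER_NAME.lower())


def scenarios(token: str) -> Dict[str, Optional[str]]:
    """Who each kind of request authenticates as (None = unauthenticated)."""
    return {
        # Legitimate SPA page; its own script can read the cookie and fill the header.
        "legit_page_readable_cookie": token_from_request(
            browser_request(token, http_only=False, page_is_same_site=True)),
        # CSRF: the victim's browser sends the cookie on a request forged by
        # attacker.example, but the attacker cannot read it or add the header.
        "csrf_attacker_page": token_from_request(
            browser_request(token, http_only=False, page_is_same_site=False)),
        # Caveat: with HttpOnly even the legitimate page cannot fill the header.
        "legit_page_httponly_cookie": token_from_request(
            browser_request(token, http_only=True, page_is_same_site=True)),
    }


if __name__ == "__main__":
    demo_token = "header.payload.signature"   # constructed placeholder, not a real JWT
    print(set_cookie_header(demo_token))
    for name, who in scenarios(demo_token).items():
        print(f"{name:28s} -> {who!r}")
```

Running it prints the Set-Cookie line with all three attributes and then three verdicts: the legitimate page with a readable cookie authenticates, the forged cross-site request does not, and the legitimate page with an HttpOnly cookie does not either, which is exactly the trade-off the answer above has to make.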

Best practices for using JSON Web Tokens

  1. Keep the token secret and safe, as discussed above.
  2. Do not include sensitive information in the payload; it is only base64url encoded, not encrypted.
  3. Give the token an expiration (the exp claim) and keep it short.
  4. Use HTTPS. Do not send tokens over non-HTTPS connections.
  5. Pin the signing algorithm on the server when verifying; never let the token's own header choose how it is checked.
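The following Python is added here as an illustration; it is not code from the original post or from any of the libraries linked below. It covers both the structure described under "What does a JWT look like?" and the best practices just listed: it builds an HS256 token with only the standard library, decodes the header and payload without the key to show that the payload is readable by anyone, and verifies a token with the algorithm pinned on the server side, the signature compared in constant time, and a missing or past exp rejected. The secret, claims and timestamps are constructed sample values, and the alg="none" option of make_jwt exists only to build the forged token the verifier must reject.

```python
"""Added example: build, inspect and verify an HS256 JWT with the standard library."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple


class InvalidToken(Exception):
    """Raised when a token fails any verification step."""


def b64url_encode(data: bytes) -> str:
    # JWT uses base64url without '=' padding (RFC 7515 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding the encoder stripped before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def make_jwt(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Return header.payload.signature. alg='none' is here only to build the
    forged token the verifier must reject; never issue such tokens."""
    signing_input = f"{_json_segment({'alg': alg, 'typ': 'JWT'})}.{_json_segment(claims)}"
    if alg == "none":
        return signing_input + "."          # empty signature segment
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def peek(token: str) -> Tuple[dict, dict]:
    """Decode header and payload WITHOUT the key. Anyone holding the token can
    do this, which is why the payload must never carry secrets."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def tamper(token: str, new_claims: dict) -> str:
    """Swap the payload but keep the original signature (an attacker's edit)."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_json_segment(new_claims)}.{sig_b64}"


def verify_jwt(token: str, secret: bytes, now: Optional[float] = None, leeway: int = 0) -> dict:
    """Return the claims if the token is authentic and current, else raise InvalidToken.
    The algorithm is pinned here; the token's own header is never trusted to choose it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError as exc:                 # bad base64 (binascii.Error) or bad JSON
        raise InvalidToken("malformed") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise InvalidToken("malformed")
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")  # rejects 'none' and algorithm-confusion tricks
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):   # constant-time comparison
        raise InvalidToken("bad signature")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        raise InvalidToken("missing exp")     # best practice 3: every token expires
    now = time.time() if now is None else now
    if now > exp + leeway:
        raise InvalidToken("expired")
    return claims


def explain(token: str, secret: bytes, now: Optional[float] = None) -> str:
    """'valid' or the reason the token was rejected (handy for tests and logs)."""
    try:
        verify_jwt(token, secret, now=now)
        return "valid"
    except InvalidToken as exc:
        return str(exc)


if __name__ == "__main__":
    SECRET = b"constructed-demo-secret-not-for-production"
    NOW = 1_700_000_000                       # fixed clock so the run is reproducible
    token = make_jwt({"sub": "alice", "role": "user", "exp": NOW + 900}, SECRET)
    print(token)
    print(peek(token))                        # readable without the secret
    print(explain(token, SECRET, NOW))
    print(explain(tamper(token, {"sub": "alice", "role": "admin", "exp": NOW + 900}), SECRET, NOW))
    print(explain(make_jwt({"sub": "alice", "exp": NOW + 900}, SECRET, alg="none"), SECRET, NOW))
    print(explain(make_jwt({"sub": "alice", "exp": NOW - 1}, SECRET), SECRET, NOW))
```

The order of checks in verify_jwt is deliberate: structure, then algorithm, then signature, and only then the claims, so nothing in an unverified payload influences a decision. In a real service you would use one of the libraries linked below rather than this hand-rolled code, but you should still confirm that the library is told which algorithm to accept instead of reading it from the token.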

How to get started on JWT?

There are libraries for implementing JWT in whichever language you prefer:
https://jwt.io/#libraries

I hope this explains token-based authentication and gives an overview of JWT.