"Is a web app secure just because I use a JWT?"
That is a question I had when I first learned about them.
Learning is important.
I was impressed with how well designed JWT, OIDC, SAML, and modern Identity Provider (IdP) solutions were. The quality of the designs described in the Requests for Comments (RFCs) was impressive. Yet even after reading the RFCs and watching tutorials, something was still nagging at me.
Test assumptions and concerns.
One day I decided to log into one web application and copied the JWT using the Chrome developer tools.
I went to another web application and opened the Chrome developer tools. I added the first site's JWT in place of the second site's own token and refreshed the page.
A surprise outcome.
I logged in!
I had an active login, but there were multiple errors and missing data across the different views.
After some investigation, I realized the APIs validated the JWTs, but the web application client did not.
What is cybersecurity?
Even well-designed solutions and technologies require secure implementation.
When something is nagging at us, or we suspect a potential flaw, we should take the time to investigate and test it.
Originally published on Patreon