JWT is named pretty well, but fails miserably at the first problem: invalidation, or How do you log out the user The answer is, you don't. You can't. You (the server) can tell the user's client software to forget their JWT and hope they'll do it, but you can never be sure.Once a JWT is issued, there is no straightforward way to invalidate it before its expiration time. This can pose a problem if a user logs out or if their privileges need to be revoked due to a security concern. To address this weakness, developers must implement additional mechanisms for token revocation.Six threats to JWTs
Allowing the server to use a token without validation.
Using the same private key for different applications.
Using a weak signing algorithm.
Choosing a short and/or low-entropy private key.
Keeping sensitive data in a JWT's payload.
Confusing the keys.
Why is JWT not secure : Just because a JWT contains a cryptographic signature it doesn't automatically mean that it's safe, or that you should blindly trust the token. Unless good practices are observed your APIs can become vulnerable to cyber-attacks.
Is JWT obsolete
The JWT app type will be completely deprecated as of June 2023. New and current users have 12 months to migrate their JWT based solutions to the Server-to-Server OAuth app type. Action recommended: Create Server-to-Server OAuth app types to replace existing JWT app types.
Is JWT a good idea : Information exchange: JWTs are a good way of securely transmitting information between parties because they can be signed, which means you can be certain that the senders are who they say they are.
Pros And Cons of JWTs
JWTs expire at specific intervals. When a JWT is created it is given a specific expiration instant.
JWTs are signed. Since JWTs are cryptographically signed, they require a cryptographic algorithm to verify.
JWTs aren't easily revocable.
JWTs have exploits.
Sessions as an Alternative.
Secure: Opaque tokens do not contain any user information, making them more secure than JWT tokens. Flexible: Opaque tokens can be customized to store additional user information in the authorization server, which can be retrieved by the resource server when needed.
Is there something better than JWT
OAuth uses both client-side and server-side storage while JWT must use only client-side storage. JWT has limited scope and use cases. OAuth is highly flexible and can be easily used in a wide range of situations.Q: Why is the JWT app type being deprecated A: Our server-to-server Oauth app type will enable our developers to generate an access token without needing user interaction.The information contained within the JSON object can be verified and trusted because it is digitally signed. Although JWTs can also be encrypted to provide secrecy between parties, Auth0-issued JWTs are JSON Web Signatures (JWS), meaning they are signed rather than encrypted.
How do I re-activate it A: JWT apps were deprecated on a rolling basis starting Sept 8, 2023. If your app was deprecated and you need more time, you can re-activate it and get a one-time extension until November 10, 2023. After November 10th, the app will be permanently removed and the credentials will be revoked.
Antwort Why not to use JWT? Weitere Antworten – Why avoid JWT
Problems with JWT
JWT is named pretty well, but fails miserably at the first problem: invalidation, or How do you log out the user The answer is, you don't. You can't. You (the server) can tell the user's client software to forget their JWT and hope they'll do it, but you can never be sure.Once a JWT is issued, there is no straightforward way to invalidate it before its expiration time. This can pose a problem if a user logs out or if their privileges need to be revoked due to a security concern. To address this weakness, developers must implement additional mechanisms for token revocation.Six threats to JWTs
Why is JWT not secure : Just because a JWT contains a cryptographic signature it doesn't automatically mean that it's safe, or that you should blindly trust the token. Unless good practices are observed your APIs can become vulnerable to cyber-attacks.
Is JWT obsolete
The JWT app type will be completely deprecated as of June 2023. New and current users have 12 months to migrate their JWT based solutions to the Server-to-Server OAuth app type. Action recommended: Create Server-to-Server OAuth app types to replace existing JWT app types.
Is JWT a good idea : Information exchange: JWTs are a good way of securely transmitting information between parties because they can be signed, which means you can be certain that the senders are who they say they are.
Pros And Cons of JWTs
Secure: Opaque tokens do not contain any user information, making them more secure than JWT tokens. Flexible: Opaque tokens can be customized to store additional user information in the authorization server, which can be retrieved by the resource server when needed.
Is there something better than JWT
OAuth uses both client-side and server-side storage while JWT must use only client-side storage. JWT has limited scope and use cases. OAuth is highly flexible and can be easily used in a wide range of situations.Q: Why is the JWT app type being deprecated A: Our server-to-server Oauth app type will enable our developers to generate an access token without needing user interaction.The information contained within the JSON object can be verified and trusted because it is digitally signed. Although JWTs can also be encrypted to provide secrecy between parties, Auth0-issued JWTs are JSON Web Signatures (JWS), meaning they are signed rather than encrypted.
How do I re-activate it A: JWT apps were deprecated on a rolling basis starting Sept 8, 2023. If your app was deprecated and you need more time, you can re-activate it and get a one-time extension until November 10, 2023. After November 10th, the app will be permanently removed and the credentials will be revoked.