by omgitstom 3654 days ago
Always happy to get feedback. Again, this article was written back in 2014, and will be updated.

In regard to your advice about id_tokens and access_tokens: usually, what I've seen in most attacks is that if a malicious user can get one, they can get both.

A lot of your points, though, are valid outside of using JWTs. Open redirect vulnerabilities should be plugged and sanitizing user input should be looked at regardless of what you are using in a web application.


Agreed everywhere.

Users tend to be looser with their id_tokens (for example posting on forums, stackexchange, etc) than with access_tokens because they understand the access_tokens are credentials whereas the id_tokens are (technically) not.

Definitely open redirects and the session fixation problems are not JWTs specifically - it's just that they tend to plague applications that use JWTs for transport. I admit it's kind of like telling people that talking on the phone while driving is a bad way to use your seatbelt. It's true - but maybe not scoped enough.
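One concrete defence against the id_token/access_token confusion discussed in this thread is for the API to check the token's audience, so a leaked id_token (whose `aud` is the client app, not the API) is refused even though its signature is valid. The snippet below is an added illustration, not code from the thread or the article; it assumes a shared HS256 demo key and the constructed API identifier `https://api.example.test` (a real resource server would verify the IdP's asymmetric signature instead).

```python
import base64, hashlib, hmac, json, time

# Constructed demo key for HS256; a real IdP would sign with RS256/ES256 and the API would verify with its public key.
SECRET = b"constructed-demo-key-do-not-reuse"
API_AUDIENCE = "https://api.example.test"  # assumed identifier of the resource server

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(claims: dict) -> str:
    """Mint a compact JWT (header.payload.signature) under the demo key."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def accept_access_token(token, now=None):
    """Resource-server check: alg pinned, signature, expiry, then audience. Returns (ok, reason)."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return False, "unexpected alg"  # never let the token choose the algorithm
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return False, "expired"
    # An id_token's aud is the client application's id; the API must not honour it as a credential.
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if API_AUDIENCE not in auds:
        return False, "audience mismatch (id_token presented as access_token?)"
    return True, "ok"

NOW = 1_700_000_000  # constructed fixed clock so the checks are reproducible
ID_TOKEN = mint({"iss": "https://idp.example.test", "sub": "user-42",
                 "aud": "client-app-123", "exp": NOW + 3600})
ACCESS_TOKEN = mint({"iss": "https://idp.example.test", "sub": "user-42",
                     "aud": API_AUDIENCE, "scope": "read", "exp": NOW + 3600})
```

The id_token above fails only at the audience step, which is exactly the point: a valid signature alone is not proof that a JWT was ever meant to be an API credential.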