I am unfamiliar with web token security and I am trying to implement a scenario that requires it, without luck so far. I have looked at many tutorials, code examples and projects, but they are either too advanced, chunks of code only, or clearly state that the code is for learning purposes and not meant for production.
My requirements are the following:
I have 3 services that need to be called by multiple outside dealers' web applications.
I need to secure the call from the dealers apps to our app. We will be using SSL to communicate.
I am using JBoss EAP 7 with Java EE and I am planning to use an implementation of JWT (like jjwt).
The typical scenario, from what I found online, is that the client app first calls an authentication service (which we write), passing the application ID and a secret (String) passcode to get a JWT token. After this, the application passes this token in every call to the 3 services and we have to validate it before honoring each request.
My questions are the following:
- When the app calls to get the token, does it need to pass this request encrypted with a public key we provide, or is there no need since we're using SSL? If we need to use private/public keys, is there a simple, good example that shows how to generate them with Java and how to use them to encrypt/decrypt the request?
- Token generation: I am not sure if we need to encrypt the token itself before sending it. Some sites talk about using base64 encryption, and some talk about encrypting the signature with a private key. I am confused about the JWS and JWE concepts. Is there a good example or tutorial that can direct me as to how to generate the token securely?
- What is a typical expiration time on a JWT token in a scenario like this? Do they need to call and get a new token before every service call? If the token has an expiration, does the client application have to check whether it expired before it calls again, or does it wait until our service returns an error?
- Is there a simple example that shows how to pass the token with a request and how to validate it on the server?
- Does the client app need to store the token in cookies or a session if it can be reused?
Thank you
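The following is an added example, not code from the question or from jjwt, that walks through the flow the question describes (auth service issues a token, resource services validate it, client decides when to refresh) using only the Python standard library so that the wire format is visible. It shows the points the question is unsure about: a JWT in this scenario is a JWS (signed, contents readable by anyone holding it), not a JWE (encrypted); base64url is an encoding, not encryption; the signature is an HMAC (HS256) over the header and payload, checked in constant time with the algorithm pinned server-side; expiry is a claim the server enforces and the client can read ahead of time. The key, issuer, audience, 15-minute lifetime and refresh margin are assumptions chosen for the example; on JBoss you would do the same with jjwt, and with a 32-byte-or-longer random key loaded from configuration rather than a literal.

```python
"""Minimal HS256 JWS (signed JWT) issue / verify / refresh decision, stdlib only.
Added illustration of the format; production code on JBoss would use jjwt."""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. Real deployments load a random key (>= 32 bytes) from
# config or a vault; it is shared only by the auth service and the 3 resource
# services. With RS256/ES256 the resource services would hold just a public key.
DEMO_KEY = b"demo-key-0123456789abcdef0123456789abcdef"
ISSUER = "auth-service"        # assumed name of our token-issuing service
AUDIENCE = "dealer-services"   # assumed audience value our 3 services accept


def b64url_encode(raw: bytes) -> str:
    # base64url without padding (RFC 7515). Encoding only: it hides nothing.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(app_id: str, key: bytes, ttl_seconds: int = 900, now=None) -> str:
    """Auth service: called after app_id / passcode were checked over TLS."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": app_id, "aud": AUDIENCE,
              "iat": now, "exp": now + ttl_seconds}
    compact = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def peek_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying: fine for a client reading its own
    'exp', never acceptable as a server-side trust decision."""
    return json.loads(b64url_decode(token.split(".")[1]))


class InvalidToken(Exception):
    pass


def verify_token(token: str, key: bytes, now=None, leeway: int = 30) -> dict:
    """Resource service: return the claims of a valid token or raise InvalidToken."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    # Pin the algorithm server-side; the token header must not choose it
    # (blocks alg=none and HMAC/RSA confusion).
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):  # constant-time
        raise InvalidToken("bad signature")
    claims = json.loads(b64url_decode(p64))
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise InvalidToken("wrong issuer or audience")
    if now > claims["exp"] + leeway:  # small leeway for clock skew between hosts
        raise InvalidToken("expired")
    return claims


def is_valid(token: str, key: bytes, now=None) -> bool:
    try:
        verify_token(token, key, now)
        return True
    except InvalidToken:
        return False


def needs_refresh(token: str, now=None, margin: int = 60) -> bool:
    """Client: keep the token in memory and re-authenticate when 'exp' is within
    `margin` seconds, instead of waiting for a 401 from the service."""
    now = int(time.time()) if now is None else now
    return now >= peek_claims(token)["exp"] - margin


if __name__ == "__main__":
    tok = issue_token("dealer-42", DEMO_KEY, now=1_700_000_000)
    print(tok)
    print("readable without the key:", peek_claims(tok))
    print("verified sub:", verify_token(tok, DEMO_KEY, now=1_700_000_100)["sub"])
    h, _, s = tok.split(".")
    forged = h + "." + b64url_encode(b'{"sub":"dealer-1","exp":9999999999}') + "." + s
    print("forged token accepted?", is_valid(forged, DEMO_KEY, now=1_700_000_100))
```

The client sends the token on each call as an `Authorization: Bearer <token>` header; a server-to-server caller keeps it in memory (or its own secure store), reuses it until `needs_refresh` says otherwise, and only then calls the auth service again. Cookies are a browser concern and are not needed for a dealer application calling an API. Because the payload is readable, nothing secret goes in the claims; if a claim genuinely had to be hidden from the dealer that would be the case for JWE, which this flow does not need.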