Is it ok to store user credentials in the JWT
You should use jwt only to store a token which your API will consume. The token will be generated after a successful login and it can be attached to any request sent to your API and all request should be proceeded only if the token is valid.
The JWT is the result of the authentication. For example
- User sends his credentials (e.g. username/password) to an authentication service. It could be a third party one or one inside your monolith or your own microservices dedicated to authentication.
- The service validates username-password. If authentication success it returns an JWT that represents that the user is already authenticated, in other words he is who claim he is. This JWT could contain a payload without sensitive information (don't store the password here).
- The user sends another request to a service business with the JWT. If the JWT isn't expired and is not corrupted (the sign is still valid) then the service could trust in its JWT. Maybe this task will be delegated to an authorization service.
What is inside the JWT token?
Well, the simplest JWT contains information about the sign (I can't enter in much detail here because I'm not a security expert) that allows to check if the sign has been corrupted when a request with the JWT is received.
This information can be verified and trusted because it is digitally signed
Besides that, the JWT allows to send a payload.
More formally, the JWT is composed by:
- Header: type of the token + hashing algorithm being used
- Payload: Claims are statements about an entity (typically, the user) and additional metadata.
- Signature: The signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way.
For example, if I send a request to a authentication service with my credentials username:password being gabriel:giussi, it will check these credentials and if they're OK it could create the following JWT:
Then with every request I will then the encoded JWT that contains my username and the service will
- Perform authorization (What Gabriel is authorized to do?) if the JWT sign is valid.
- Ask me to login again if the JWT has expired
- Return an authentication error if the sign is broken.
Shortly: yes, it is OK to pass/receive sensitive data in JWT if you encrypt the data before placing into JWT's payload and decrypt it after the JWT validation to use it.
In a general case you would not need to keep user credentials in the JWT because the JWT is by itself a dynamically generated credential that represents the login / password provided at the JWT's first generation time.
1.1 You could however pass something that is not as sensitive as pure login / password but still bears the valuable information you need at the JWT validation time. It can be user ID (in a sub claim, hashed if desired), or access level code or the like.
Nevertheless if you wish you can pass the sensitive information with JWT. And this is all pretty easy as per below.
2.1 For sensitive data you could use your specific private claims in the JWT's payload, e.g.:
{ // These are registered claims: (see https://www.rfc-editor.org/rfc/rfc7519#section-4.1) "sub": "1234567890", "name": "John Doe", "iat": 1516239022 // There can be some public claims you are not afraid to expose to the world // these are omitted here for brevity (see https://www.rfc-editor.org/rfc/rfc7519#section-4.2). "omitted": "for brevity", // And here can go some private claims you wish to include in the payload, e.g.: "sensitiveInfo": { "username": "admin", "password": "12345", "account_balance": 10000, "etc": "something else" } }
2.2 The
sensitiveInfo
payload key by default is only base64-encoded (so it is easily read by anyone who gets the JWT). To make it secure you can encrypt it with some external module (e.g.crypto
orbcrypt
on NodeJS or PHP's techniques of your choice).2.3 In this case:
- At the JWT generation step you have to encrypt the key's data before you provide the entire payload to JWT generator.
- At the JWT validation step, after the JWT successfully passes the standard validation (e.g. jsonwebtocken
jwt.verify()
in Node) you get the decoded payload with encrypted data insensitiveInfo
key. You now just have to decrypt the data and use it as you planned.
This is it.