1
Associate Professor of Information Technology, Faculty of Computers & Informatics, Zagazig University, Egypt
(ehab.rushdy@gmail.com)
2
Professor of Information Technology, Faculty of Computers & Informatics, Zagazig University, Egypt
(khedrw@yahoo.com)
3
Department of Information Technology, Faculty of Computers & Informatics, Zagazig University, Egypt
(nihal.radwan@hotmail.com)
Abstract :
JSON Web Token (JWT) is a compact and self-contained mechanism, digitally authenticated and trusted, for transmitting data between various parties. They are mainly used for implementing stateless authentication mechanisms. The Open Authorization (OAuth 2.0) implementations are using JWTs for their access tokens. OAuth 2.0 and JWT are used token frameworks or standards for authorizing access to REST APIs because of their statelessness and signature implementation and JWT tokens are based on JSON and used in new authentication and authorization protocols in OAuth 2.0 because of their small size. When refresh tokens are stored in cookies, the size limit of a cookie or URL may be quickly exceeded. There may be refresh tokens for accessing users and getting the refresh token is a bit more complicated and refresh tokens in the browser require additional security measures and the attacker steals a refresh token and attempts to use it after the application has already used it. This implies that the attacker was able to steal a refresh token from the application. If the refresh token can be stolen, then so can the access token, even short token lifetimes can still lead to major abuse scenarios. In this article, we discuss the security properties of refresh tokens in the browser and the pattern to secure JWT tokens in the web front-end better. We propose a Backend for Frontend (BFF) pattern, where the token handling is deferred to the server-side component to a secure token that provides a lot of flexibility to the client-side.
Keywords :
Authorization , Authentication , JWT , BFF , Security
References :
1. Fielding, R.T. and R.N. Taylor, Principled design of the modern Web architecture. ACM Transactions on Internet Technology (TOIT), 2002. 2(2): p. 115-150.
2. Hardt, D., The OAuth 2.0 authorization framework. 2012, RFC 6749, October.
3. Jones, M., B. Campbell, and C. Mortimore, JSON Web Token (JWT) profile for OAuth 2.0 client authentication and authorization Grants. May-2015.[Online]. Available: https://tools. ietf. org/html/rfc7523, 2015.
4. Fielding, R., Representational state transfer. Architectural Styles and the Design of Netowork-based Software Architecture, 2000: p. 76-85.
5. Auth0. OAuth 2.0 Authorization Framework. 2013 April 19, 2021]; Available from: https://auth0.com/docs/protocols/protocol-oauth2.
6. Peyrott, S.E., The JWT Handbook. 2017.
7. Ehab rushdy, W.K., Nihal salah, Framework to secure the oauth 2.0 and json web token for rest api. Journal of Theoretical and Applied Information Technology -- Vol. 99. No. 09 -- 2021
8. Auth0. Introduction to JSON Web Tokens. Available from: https://jwt.io/introduction/.
9. Guo, X., S. Jin, and Y. Zhang. XSS vulnerability detection using optimized attack vector repertory. in 2015 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery. 2015. IEEE.
10. Wichers, D., Owasp top-10 2013. OWASP Foundation, February, 2013.
11. Sharing, W.C.C.-O.R. Cross-Origin Resource Sharing. 16 January 2014; Available from: https://www.w3.org/TR/cors/.
12. Adam, A. Microservices design patterns for CTOs: API Gateway, Backend for Frontend 2019; Available from: https://tsh.io/blog/design-patterns-in-microservices-api-gateway-bff-and-more/.
13. Abbott, M. BACKEND FOR FRONTEND (BFF) PATTERN. 2019; Available from: https://akfpartners.com/growth-blog/backend-for-frontend.
14. Syafariani, F., Application of Backend and Frontend Systems on Go-Baby Application in Bandung City. International Jurnal of Recent Technology and Engineering (IJRTE), 2019. 7(6s5): p. 125-131.
15. Newman, S. Backends for frontends. 2015; Available from: https://samnewman.io/patterns/architectural/bff/.
16. Brown, K. and B. Woolf. Implementation patterns for microservices architectures. in Proceedings of the 23rd Conference on Pattern Languages of Programs. 2016.
17. Ethelbert, O., et al. A JSON token-based authentication and access management schema for Cloud SaaS applications. in 2017 IEEE 5th International Conference on Future Internet of Things and Cloud (FiCloud). 2017. IEEE.
18. Leiba, B., Oauth web authorization protocol. IEEE Internet Computing, 2012. 16(1): p. 74-77.
19. Yang, F. and S. Manoharan. A security analysis of the OAuth protocol. in 2013 IEEE Pacific Rim Conference on Communications, Computers and Signal Processing (PACRIM). 2013. IEEE.
20. Li, W., C.J. Mitchell, and T. Chen. Mitigating CSRF attacks on OAuth 2.0 systems. in 2018 16th Annual Conference on Privacy, Security and Trust (PST). 2018. IEEE.
21. Solapurkar, P. Building secure healthcare services using OAuth 2.0 and JSON web token in IOT cloud scenario. in 2016 2nd International Conference on Contemporary Computing and Informatics (IC3I). 2016. IEEE.
22. Ethelbert, O., et al. A JSON token-based authentication and access management schema for Cloud SaaS applications. 2017 IEEE 5th International Conference on Future Internet of Things and Cloud (FiCloud) 2017; 47-53].
| Style | # |
|---|---|
| MLA | Ehab Rushdy , Walid Khedr , Nihal Salah. "Managing a Secure Refresh Token Implementation with JSON Web Token in REST API." International Journal of Wireless and Ad Hoc Communication, Vol. 2, No. 1, 2021 ,PP. 01-20 (Doi : https://doi.org/10.54216/IJWAC.020101) |
| APA | Ehab Rushdy , Walid Khedr , Nihal Salah. (2021). Managing a Secure Refresh Token Implementation with JSON Web Token in REST API. Journal of International Journal of Wireless and Ad Hoc Communication, 2 ( 1 ), 01-20 (Doi : https://doi.org/10.54216/IJWAC.020101) |
| Chicago | Ehab Rushdy , Walid Khedr , Nihal Salah. "Managing a Secure Refresh Token Implementation with JSON Web Token in REST API." Journal of International Journal of Wireless and Ad Hoc Communication, 2 no. 1 (2021): 01-20 (Doi : https://doi.org/10.54216/IJWAC.020101) |
| Harvard | Ehab Rushdy , Walid Khedr , Nihal Salah. (2021). Managing a Secure Refresh Token Implementation with JSON Web Token in REST API. Journal of International Journal of Wireless and Ad Hoc Communication, 2 ( 1 ), 01-20 (Doi : https://doi.org/10.54216/IJWAC.020101) |
| Vancouver | Ehab Rushdy , Walid Khedr , Nihal Salah. Managing a Secure Refresh Token Implementation with JSON Web Token in REST API. Journal of International Journal of Wireless and Ad Hoc Communication, (2021); 2 ( 1 ): 01-20 (Doi : https://doi.org/10.54216/IJWAC.020101) |
| IEEE | Ehab Rushdy, Walid Khedr, Nihal Salah, Managing a Secure Refresh Token Implementation with JSON Web Token in REST API, Journal of International Journal of Wireless and Ad Hoc Communication, Vol. 2 , No. 1 , (2021) : 01-20 (Doi : https://doi.org/10.54216/IJWAC.020101) |