API Security with JSON Web Tokens (JWT)

A JSON Web Token (JWT) is a JSON object used to securely transfer information over the web between two parties. It can be used for an authentication system and can also be used for information exchange.

Structure of a JSON Web Token (JWT): a JWT consists of three parts separated by dots (.), which are:

  • Header: Contains the name of the signature algorithm used to sign the payload
  • Payload: Contains the user attributes (claims)
  • Signature: The signature value that protects the payload

e.g.  xxxx.yyyyyyyyyyyy.zzzzzz

In authentication, when the user successfully logs in using their credentials, a JSON Web Token will be returned and must be saved locally (typically in local or session storage, but cookies can also be used), instead of the traditional approach of creating a session in the server and returning a cookie.

Whenever the user wants to access a protected route or resource, the user agent should send the JWT, typically in the Authorization header using the Bearer schema. The content of the header might look like the following:

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

This is a stateless authentication mechanism as the user state is never saved in server memory. The server’s protected routes will check for a valid JWT in the Authorization header, and if it is present, the user will be allowed to access protected resources.

As JWTs are self-contained, all the necessary information is there, reducing the need to query the database multiple times.

How the miniOrange API Gateway protects your APIs with JSON Web Tokens (JWT):

  1. Request a JSON Web Token (JWT) from the OIDC provider:
    1. The client application sends a request for a JWT to the miniOrange API gateway using its credentials for the OIDC provider.
    2. The miniOrange API gateway validates the user credentials with the OIDC provider, which in turn returns a JWT with the specified expiry time.
    3. The JWT is sent back to the client application.

  2. Access APIs on the API server using the JWT header:
    1. The client application makes requests to the APIs through the miniOrange API gateway, passing the JWT received above in the Authorization header.
    2. The API gateway validates the JWT signature (using the public key provided by the OIDC provider).
    3. If the JWT is valid, the API gateway forwards the request to the API or resource server.
    4. The response returned from the API server is sent back to the client application.
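To make the token structure and the gateway's checks concrete, here is an added example (not miniOrange's code and not from the original page) using only the Python standard library. It decodes the page's own example token to show the header and payload, then mints and verifies a token. Assumptions: HS256 with a constructed shared secret stands in for the OIDC provider's public key described above (with an RS256 token only the signature step changes), the `exp` claim is required, and `gateway_authorize` models the decision the gateway makes before forwarding a request.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Constructed demo key (assumption: HS256 shared secret in place of the
# OIDC provider's public key; with RS256 only the signature step differs).
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"

# The example token shown on the page; note its payload carries no "exp" claim.
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
              "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c")


def _b64url_encode(data: bytes) -> str:
    # JWT segments are base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_token(token: str) -> Tuple[dict, dict]:
    """Decode header and payload WITHOUT verifying; for logging and debugging only."""
    header_b64, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def mint_jwt(claims: dict, secret: bytes, ttl_seconds: int = 300,
             now: Optional[int] = None) -> str:
    """Build header.payload.signature with iat/exp derived from `now`."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl_seconds)
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_jwt(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Return the claims only if structure, algorithm, signature and expiry all check out."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side; never let the token's own header choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise ValueError("missing or expired exp claim")
    return payload


def bearer_token(headers: Dict[str, str]) -> Optional[str]:
    """Extract the token from 'Authorization: Bearer <jwt>'; None for any other shape."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return token if scheme == "Bearer" and token else None


def gateway_authorize(headers: Dict[str, str], secret: bytes,
                      now: Optional[int] = None) -> Tuple[int, Optional[dict]]:
    """Gateway decision: (200, claims) to forward upstream, (401, None) to reject."""
    token = bearer_token(headers)
    if token is None:
        return 401, None
    try:
        return 200, verify_jwt(token, secret, now=now)
    except ValueError:
        return 401, None


if __name__ == "__main__":
    print("page token claims (unverified):", inspect_token(PAGE_TOKEN)[1])
    tok = mint_jwt({"sub": "alice"}, DEMO_SECRET, ttl_seconds=300, now=1_000_000)
    print("fresh:", gateway_authorize({"Authorization": "Bearer " + tok}, DEMO_SECRET, now=1_000_100))
    print("expired:", gateway_authorize({"Authorization": "Bearer " + tok}, DEMO_SECRET, now=1_000_400))
```

The order of checks matters: the signature is compared (in constant time) before the payload is parsed or trusted, and the algorithm is fixed by the gateway rather than read from the token. The page's own example token is rejected by `gateway_authorize` because it carries no `exp` claim, which is exactly the "specified expiry time" the flow above relies on.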


The Authorization field is constructed as follows:

    • The authorization scheme (e.g. “Bearer”) and a space are prepended to the JWT.
    • e.g. Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODk.SflKxwRJSMeKKF2QT4fwpM

Advantages of using JWT Authentication:

  • No database calls needed: as JWTs are self-contained, all the necessary information is inside the token, which means fewer database queries and faster response times.
  • Time-based tokens: JWTs expire after a set interval, making them more secure.
  • No session to manage (stateless): JWTs can be stored in cookies or local storage instead of the traditional approach of creating a session on the server.
  • Portable: a single token can be used with multiple backends.

Disadvantages of using JWT tokens:

  • Compromised secret key: JWT relies on a single secret key. If that key is leaked, the whole system is compromised.
  • Data overhead: a JWT is larger than a normal session token.

Security guidelines we follow to secure your APIs:


Enforce HTTPS / TLS connection:

We provide an option to enforce HTTP over SSL/TLS for API requests, so that your credentials are transferred securely.


Input Parameter Validation to prevent injections:

Request parameters are validated at the very first step, before they reach your API server. Our validation checks block access immediately if input validation fails, which helps to prevent SQL injection and other attacks.

We support the input validation specified by OWASP REST Security guidelines.
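As an added illustration of gateway-side parameter validation (example code written for this page, not miniOrange's implementation), the block below validates a request against an allowlist schema and returns a 400 decision before anything is forwarded. The `/v1/users` schema, its field rules and the sample inputs are constructed for the example; the point is that only parameters matching an explicit type, pattern and range are accepted, and unexpected parameters are rejected rather than passed through.

```python
import re
from typing import Any, Dict, List

# Constructed allowlist schema for a hypothetical /v1/users endpoint (assumption).
USER_SCHEMA: Dict[str, Dict[str, Any]] = {
    "username": {"type": str, "pattern": re.compile(r"^[A-Za-z0-9_]{3,32}$")},
    "age": {"type": int, "min": 0, "max": 150},
    "email": {"type": str, "pattern": re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"),
              "max_len": 254, "required": False},
}


def validate_params(params: Dict[str, Any], schema: Dict[str, Dict[str, Any]]) -> List[str]:
    """Return a list of violations; an empty list means the request may be forwarded."""
    errors: List[str] = []
    # Anything not in the schema is rejected outright (allowlist, not denylist).
    for name in params:
        if name not in schema:
            errors.append(f"{name}: unexpected parameter")
    for name, rule in schema.items():
        if name not in params:
            if rule.get("required", True):
                errors.append(f"{name}: missing")
            continue
        value = params[name]
        # bool is a subclass of int in Python; reject it explicitly for int fields.
        if not isinstance(value, rule["type"]) or (rule["type"] is int and isinstance(value, bool)):
            errors.append(f"{name}: expected {rule['type'].__name__}")
            continue
        if "pattern" in rule and not rule["pattern"].match(value):
            errors.append(f"{name}: does not match allowed pattern")
        if "max_len" in rule and len(value) > rule["max_len"]:
            errors.append(f"{name}: too long")
        if "min" in rule and value < rule["min"]:
            errors.append(f"{name}: below minimum")
        if "max" in rule and value > rule["max"]:
            errors.append(f"{name}: above maximum")
    return errors


def gateway_filter(params: Dict[str, Any], schema: Dict[str, Dict[str, Any]] = USER_SCHEMA) -> int:
    """400 = block at the gateway, 200 = hand the request to the API server."""
    return 400 if validate_params(params, schema) else 200


if __name__ == "__main__":
    # Constructed sample requests: one clean, one carrying a quote-injected username.
    print(gateway_filter({"username": "alice_01", "age": 30, "email": "alice@example.com"}))
    print(validate_params({"username": "alice' OR 1=1", "age": 30}, USER_SCHEMA))
```

The tight `username` pattern is what does the work against injection-style input: the quote character simply is not in the allowed alphabet, so the request never reaches a query. Range and type checks keep the backend from seeing values its own code may not defend against.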


Timestamp in Request:

Along with the other request parameters, we provide an option to add a request timestamp as a custom HTTP header in the API request. The server compares the current timestamp with the request timestamp and only accepts the request if it is within the allowed timeframe (60-300 seconds). This prevents replay attacks from attackers who try to brute-force your system without changing this timestamp.


Digitally Sign API requests and responses:

We support signing API requests and responses as an added layer of security.

Digitally signed API requests ensure that the requests are coming from a trusted partner or client.
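The timestamp window and the request signature described in the two sections above work best together, so here is one added example covering both (written for this page; not miniOrange's code). The client signs the HTTP method, path, timestamp and a hash of the body with a per-client HMAC key, and the gateway checks the timestamp window first, then the signature, before anything is forwarded. Assumptions: the `X-Client-Id`, `X-Timestamp` and `X-Signature` header names, the 120-second window (inside the page's 60-300 second range), the HMAC-SHA256 construction and the key registry are all constructed for the example.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# Assumptions: header names, the 120 s window (inside the page's 60-300 s range)
# and this key registry are constructed for the example.
MAX_SKEW_SECONDS = 120
CLIENT_KEYS: Dict[str, bytes] = {"partner-42": b"constructed-demo-key-for-partner-42"}


def canonical_string(method: str, path: str, timestamp: str, body: bytes) -> bytes:
    """What gets signed: method, path, timestamp and a body hash, newline-joined."""
    return f"{method.upper()}\n{path}\n{timestamp}\n{hashlib.sha256(body).hexdigest()}".encode()


def sign_request(client_id: str, method: str, path: str, body: bytes,
                 key: bytes, now: Optional[int] = None) -> Dict[str, str]:
    """Client side: produce the headers that accompany the request."""
    ts = str(int(time.time()) if now is None else now)
    mac = hmac.new(key, canonical_string(method, path, ts, body), hashlib.sha256).hexdigest()
    return {"X-Client-Id": client_id, "X-Timestamp": ts, "X-Signature": mac}


def verify_request(method: str, path: str, body: bytes, headers: Dict[str, str],
                   now: Optional[int] = None) -> Tuple[bool, str]:
    """Gateway side: reject before the backend ever sees the request."""
    now = int(time.time()) if now is None else now
    key = CLIENT_KEYS.get(headers.get("X-Client-Id", ""))
    if key is None:
        return False, "unknown client"
    ts_raw = headers.get("X-Timestamp", "")
    try:
        ts = int(ts_raw)
    except ValueError:
        return False, "missing or malformed timestamp"
    # Timestamp window check comes first: it is cheap and drops stale replays.
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "timestamp outside allowed window"
    # The timestamp is part of the signed string, so it cannot be moved forward
    # without invalidating the signature.
    expected = hmac.new(key, canonical_string(method, path, ts_raw, body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    now = 1_700_000_000  # constructed clock value
    body = b'{"qty": 1}'
    hdrs = sign_request("partner-42", "POST", "/v1/orders", body, CLIENT_KEYS["partner-42"], now=now)
    print(verify_request("POST", "/v1/orders", body, hdrs, now=now + 30))
    print(verify_request("POST", "/v1/orders", body, hdrs, now=now + 600))
```

Signing the timestamp closes the obvious gap in a timestamp-only check: a captured request cannot be re-dated. A captured request replayed inside the window is still accepted by this code; a gateway that wants to close that too keeps a short-lived cache of seen signatures (or adds a nonce to the signed string), which is an extension beyond what the page describes.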


Rate Limiting:

We protect your APIs with rate limiting to mitigate distributed denial-of-service (DDoS) attacks and to protect the backend applications that process the API calls.
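As an added example of how a gateway can enforce such a limit (example code for this page, not miniOrange's implementation), the block below is a per-client token bucket: each client gets a burst `capacity` that refills at a steady rate, and a request that finds the bucket empty is answered with 429 instead of being forwarded. Assumptions: the client key (a JWT `sub` or a source IP), the capacity and refill numbers, and the injectable `now` clock are constructed for the example.

```python
import time
from typing import Dict, List, Optional, Tuple


class TokenBucketLimiter:
    """Per-client token bucket: `capacity` requests of burst, refilled at `refill_per_second`."""

    def __init__(self, capacity: int, refill_per_second: float) -> None:
        self.capacity = float(capacity)
        self.refill_per_second = refill_per_second
        # client key -> (tokens remaining, clock value at last update)
        self._buckets: Dict[str, Tuple[float, float]] = {}

    def allow(self, client_id: str, now: Optional[float] = None) -> bool:
        # `now` is injectable for tests; production uses a monotonic clock.
        now = time.monotonic() if now is None else now
        tokens, last = self._buckets.get(client_id, (self.capacity, now))
        # Refill proportionally to elapsed time, never above capacity.
        tokens = min(self.capacity, tokens + (now - last) * self.refill_per_second)
        if tokens >= 1.0:
            self._buckets[client_id] = (tokens - 1.0, now)
            return True
        self._buckets[client_id] = (tokens, now)
        return False


def gateway_decision(limiter: TokenBucketLimiter, client_id: str,
                     now: Optional[float] = None) -> int:
    """200 = forward to the backend, 429 = reject at the gateway."""
    return 200 if limiter.allow(client_id, now) else 429


def simulate_burst(limiter: TokenBucketLimiter, client_id: str,
                   count: int, now: float) -> List[int]:
    """Send `count` requests from one client at the same instant and collect the decisions."""
    return [gateway_decision(limiter, client_id, now) for _ in range(count)]


if __name__ == "__main__":
    # Constructed scenario: 5 requests of burst per client, refilling at 1 request/second.
    limiter = TokenBucketLimiter(capacity=5, refill_per_second=1.0)
    print(simulate_burst(limiter, "client-a", 6, now=0.0))   # sixth request is rejected
    print(simulate_burst(limiter, "client-a", 3, now=2.0))   # two tokens refilled, third rejected
    print(gateway_decision(limiter, "client-b", now=0.0))    # other clients are unaffected
```

Keying the bucket on the authenticated client rather than only on the source address means one abusive token cannot exhaust the backend for everyone behind the same NAT; keying on both is common. Under a real distributed flood the limiter's state also has to be shared across gateway instances, which this in-memory version does not do.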