JWTs Suck

(for web auth and basically everything else)

@rdegges
@oktadev
 Chief Hacker @ Okta

Randall Degges
Python / Node / Go
 What are JWTs?

- JSON data
- Cryptographically signed
- Not encrypted
- Not special
What’s a Cryptographic Signature?

That's a signature!

Dear Sir/Madam,

The great king of Los Angeles

recently died and left his entire
fortune to you, his distant
cousin.

To claim $10 million dollars he

left you, I'll need your bank
account information...

Randall Degges
What Do JWTs Actually Do?

Prove that some JSON

data can be trusted.
How Do People Typically Use JWTs?

As identity proof
How JWTs are Most Commonly Used

➔ User sends credentials to website to login

➔ Website validates credentials, generates JWT
➔ Website sends response to browser containing JWT
➔ Browser then stores JWT in localStorage
➔ Browser pulls JWT out of localStorage and sends it to
website for subsequent requests
What happens when you Google JWTs?

JWTs are amazing!

JWTs are awesome!
We <3 JWTs!
You're a n00b if you don't use JWTs!
Everyone is wrong.
Everyone has forgotten how amazing
session cookies actually are.
Let’s define some terms...
 Term: Stateless JWT

Definition:

A JWT that is entirely self-contained, and holds all user

information necessary to complete a transaction within it.
EG: userName, firstName, lastName, email, etc…
 Validates token… OK!

It looks like your name

website is Randall Degges, and
your email is
r@rdegges.com
Let me see this
page!

OK Randall, here’s the

web page you
requested.
 Term: Stateful JWT

Definition:

A JWT that only contains a session ID. All user data is

stored server-side and retrieved from a database.
 Session ID 12345 is
Who is the user with Randall Degges. Here
session ID 12345? you go.

Validates token… OK!

Your session ID is 12345. db

website It looks like your name

is Randall Degges, and
Let me see your email is
this page! r@rdegges.com

OK Randall, here’s the

web page you
requested.
 Term: Session Cookie

Definition:

A cryptographically signed session identifier stored in a

cookie. All user data is stored server-side and retrieved
from a database.
 Session ID 12345 is
Who is the user with Randall Degges. Here
session ID 12345? you go.

Your session ID is 12345.

Your signature looks good! db

website It looks like your name

is Randall Degges, and
Let me see your email is
this page! r@rdegges.com

OK Randall, here’s the

web page you
requested.
 BONUS: What’s the difference between a
Session Cookie and a Stateful JWT?

¯\_(ツ)_/¯
- They’re both cryptographically signed
- They both contain a session identifier (12345)

- One uses the JWT format (JSON) and one is just a

simple string
 Term: Cookies

Definition:

An HTTP header field that allows you to store or retrieve

key/value data, set data expiration times, and apply
various other data integrity rules. Caps out at ~4k.
 Creating Cookies

website Set-Cookie: a=b; c=d; e=f

{
"Set-Cookie": "session=signed(12345)"
}

Log me in!
body
 NOTE: Required Cookie Flags

Set-Cookie: a=b; HttpOnly;

SameSite=strict; secure;

No nasty cross-origin SSL only!

cookie sharing!
 Reading Cookies

website

{
"Cookie": "session=signed(12345)"
I see your cookie header
}
and have parsed it! I know
who you are!

Show me a page!
body
 Term: Local Storage

Definition:

A Javascript API that allows a user to store data in a

browser that is accessible only via Javascript. Also known
as “session storage”. Widely considered to be an
alternative to using cookies to store session data.
Myths about JWTs
JWTs are Easier to Use

JWTs:

● First spec draft: Dec 27, 2012

● Began gaining adoption / marketing: mid
2014
● Requires additional tools, libraries, and
knowledge to function (developer effort
required)

Session Cookies:

● Every web framework since 1990s

● Requires 0 effort to use
 Score

JWTs Session Cookies

0 1
 JWTs are More Flexible

JWTs Session Cookies

{
“sessionId”: “12345”, sessionId=12345;
“email”: “r@rdegges.com”, email=r@rdegges.com;
“firstName”: “Randall”, firstName=Randall;
“lastName”: “Degges” lastName=Degges
}
 JWTs are More Flexible

JWTs Session Cookies

{
“userId”: “12345”, userId=12345;
“email”: “r@rdegges.com”, email=r@rdegges.com;
“firstName”: “Randall”, firstName=Randall;
“lastName”: “Degges”, lastName=Degges;
“iat”: “123456789”, Expires=xxxx;
“exp”: “987654321”
}
 Score

JWTs Session Cookies

0 2
 JWTs are More Secure

JWTs Session Cookies

Good:

● Cryptographically signed Good:

● Can be encrypted (JWE)
● Cryptographically signed
Bad: ● Can be encrypted
● Been around since ~1994
● Complex spec / crypto :( ● Well vetted, battle tested
● Multiple vulnerabilities found ● 0 complexity in the spec
in last three years ● No vulnerabilities in like… forever
● Vastly different support in ● Identical library support
libraries everywhere
 Score

JWTs Session Cookies

0 3
JWTs Prevent CSRF
 DETOUR! What is CSRF?
OK! Transfer received!
Sending 1 million dollars to
bank.com bank.com/transfer
jerk@gmail.com!

Checking my - amount ($$)

accounts.... - to (email)

Hey! Check out this

picture of my dog!
<img
src="bank.com/transfer?amount=1
000000&to=jerk%40gmail.com">
 JWTs Prevent CSRF

Cookies Local Storage

● You are still susceptible to ● You are safe from CSRF, but
CSRF have opened yourself up to a
much greater attack vector…
XSS
CSRF is trivial to fix. XSS… Not so much.
Bad News
But… I just won’t use third party JS on my site… So I
can still be secure!
“… In other words, any authentication your application
requires can be bypassed by a user with local privileges to
the machine on which the data is stored. Therefore, it's
recommended not to store any sensitive information in
local storage.”

- OWASP (Open Web Application Security Project)

 Score

JWTs Session Cookies

0 4
 JWTs Are Better for Cross Domain
Looks legit. I just logged *I also generated a JWT
you in with a cookie. that lasts for 10 seconds.

Well, I don’t do login. Now I’m redirecting

login. Redirecting... you to the dashboard
page with ?token=xxx
in the querystring.
www.
This JWT in the
Here’s the login dashboard. querystring is valid.
Log me in! page. Log in. I’m now creating a
cookie for you.

Ok! Here’s my Welcome to the

login info. dashboard page.
 Score

JWTs Session Cookies

0 5
 JWTs are More Efficient

JWT({ sessionId: 'aKF271L99Q47Zy9Ds9lCefuizH9wuTjVewxH4yaL' }) // 179 bytes

signed(aKF271L99Q47Zy9Ds9lCefuizH9wuTjVewxH4yaL) // 64 bytes

~3x larger

~10x -> 100x!

BUT...
 Score

JWTs Session Cookies

0 6
 JWTs Are Easy to Revoke

Someone’s account was

hacked! Let’s change
the signing key!
website website

Log me in!
H4x3d!!! J00r
t0k3ns r m1n3!

My name is Randall,
I’m an admin, I have a 1
hour token.

time
Randall, you are a n00b! If I want
to invalidate an individual JWT I
can just use a revocation list!!
 OK, OK
Has this token
been revoked?

db

website

Yep!
Show me the
page!

Go die.
 Score

JWTs Session Cookies

0 7
 JWTs are Easier to “Scale”

JWTs Session Cookies

Good Good

- Can be validated locally without any - Can use different types of session
necessary external DB access caches to speed up access server-side
(including local memory)
Bad - Requires less bandwidth for users

- This only applies to stateless JWTs, not Bad

stateful JWTs
- Requires more bandwidth on every - Always requires some sort of DB /
request cache to retrieve data
 Session Scaling (basic)

Do we know this person?

website
db
Show me the Yep!
page!

Here’s the page

you requested.
 Session Scaling (advanced)

Who is this guy?

db
website

Show me the db
page! This is xxx.

db
Here’s the page
you requested.
 Session Scaling (super advanced)
Who is this guy?
website

us-east us-west eu
This is xxx.

db db db

db db db

db db db
 Score

JWTs Session Cookies

0 8
 JWTs Are Secure By Design
Randall is a jerk. Revoke
his admin access!

website website
website

Log me in!
Let me delete
everything!

Sure thing, boss!

My name is Randall,
I’m an admin, I have a 1
hour token.

time
 Score

JWTs Session Cookies

0 9
So how should I use
JWTs then, you jerk?
 Rules for Using Tokens

1. They should have a short lifespan (few

seconds)
2. They should only be used a single time

PROTIP: Don't use JWTs though. There are

better, safer, more modern standards for
tokens now (e.g., PASETO).
 JWT Use Cases
Your JWT looks
legit. OK.

file server
website

Give me the file!!

I paid for this
file! Let me
Ok, here’s your
download it!
download token. It
expires in 1 minute.
Here’s the file.
 JWT Use Cases (cont)
This JWT looks legit. I
suppose I’ll let you
reset your password.

website

Ok! I clicked
Reset my password. the link.
Ok! I’ve emailed Ok, your PW
you a link that has has been reset.
a JWT in the URL
which will expire in
30 minutes.
So why are JWTs so popular then?
What else even is
there?!
 PASETO! https://paseto.io

JWTs PASETO

● Lots of different options ● Two options only (local or public?)

(algorithms, use cases, etc.) ● Simple, not confusing
● Confusing / complex spec ● Nearly impossible to implement
● Hard to implement correctly incorrectly
 Thank you!

@rdegges @oktadev
teespring.com/dontusejwts