Using JSON Web Tokens (JWTs) to secure your APIs has become an ad-hoc standard in the IT-industry. However, the underlying concepts and mechanisms can be complex and are often misunderstood.
General advice when using JWTs
Using JWTs to handle sessions introduces new risks. Allways do a thorough risk assessment before you deploy to your production environment.
Using JWTs assumes that all involved secrets are handled in a proper way in both API-clients and APIs. Secrets could be both passwords and cryptographic key material. Always make sure your secrets are kept safe!
Do not accept unsafe JWTs with the JOSE header {"alg": none; }. JWTs should always be signed and should use a valid and correct signature scheme
If a JWT contains sensitive data it should be encrypted
Things to consider when using Access Tokens
A "self contained" JWT can not be revoked until it expires. Consider using referenced tokens if the token provides access to sensitive or high-risk data.
Access Tokens should have a life-time that is as short as possible.
As a general principle: the more sensitive data an API exposes the shorter the life-time should be.To enhance the user experience sessions with a long life-span should be combined with Access Tokens that have short life-span. You can acheive this by using refresh tokens on the client.
Always verify the integrity of the JWT
Always validate the token signature
Make sure your libraries and frameworks always validates the token signature
HelseID only offers signatures based on asymmetric algorithms
DO NOT BLINDLY TRUST THE VALUE IN CLAIMS
Examples:
“kid” - do not perform certificate requests before the values are validated and verified
“jku” or “x5u” are header values that point to a URL. Do NOT follow these URLs before they are validated in order to avoid SSRF attacks
Always validate claims in the access tokenet
Always verify the "exp" claim to make sure the token hasn’t expired
Always verify the claim "nbf" to make sure the token actually is "active"
Always verify the claim "iss" to make sure that the token issuer is someone you actually trust
Always verify the claim "aud" to make sure that the token is intended for you
Reject the request if the "aud" claim is missing
If you use "scopes" for access control you must always make sure that the values in the “scope” claims are valid and correct.
Always validate and verify that the value in the claim "security_level" corresponds with the requirements for your API.
Always validate and verify the value in the claim "pid".
Always validate and verify the value in the claim "hpr_nr".
Always validate and verify the value in the claim "orgnr".