Is JWT necessary over HTTPS communication?


Solution 1

Nowadays developers prefer Token-Based Authentication instead of Session. Token-Based Authentication has lots of advantages over Session. We use JWT, i.e. JSON Web Token, to generate a token after user authentication. Every time your front-end app makes an API call, your system should check whether the request has a valid token or not; if it is there and it is valid, then the request is considered to come from a valid user.

In short, we use JWT to validate our API calls; it has nothing to do with HTTP or HTTPS.

Solution 2

JWT should not be confused with encryption. From jwt.io:

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.

The JWT is signed with public/private key pairs so the sender can be verified, and verified that the payload has not been modified. However, the JSON Web Token is in clear text.

var token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ";

// The payload is the second dot-separated segment. It is base64url (RFC 7515), so map '-' and '_' back to '+' and '/' and restore padding before atob().
var payload = token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/');
payload += '='.repeat((4 - payload.length % 4) % 4);

console.log('Payload: ' + atob(payload)); // readable by anyone holding the token; no key needed

Below is a figure from jwt.io showing the authentication flow when using JWT. [figure from jwt.io: JWT authentication flow]

You need SSL/HTTPS to encrypt the communication. Without SSL/HTTPS attackers can sniff the network traffic and obtain the JWT, hence your application is vulnerable to man in the middle attacks.

Solution 3

Is JWT necessary over HTTPS communication?

No. Communication protocol (HTTP vs. HTTPS) is one thing, and authentication mechanism (JWT vs. Session) is another; these are 2 totally different areas.

For communication protocol (HTTP vs. HTTPS), HTTPS can be used alone, without any JWT tokens or sessions. For example, a static web site can be made (only HTML+CSS) and served with HTTPS. In this way, the web site can be certified by a CA and forgery attacks are prevented.

Even if you need authentication in a web application, a JWT token is not the only choice. Session is an old technology but it is still reliable, which makes JWT definitely NOT necessary.

Solution 4

No, JWT is not required when your server supports HTTPS. The HTTPS protocol ensures that the request & response are encrypted on both ends (client & server).

I believe you would want to send user credentials across in every request to the server, and in turn the server validates the user before sending any response.

Although you can do the above, on the server end you would end up validating user credentials against a database in every request, which is an expensive task; you can avoid this when you use JWT.

JWT basically authenticates a user once & issues an access token which could be valid for a duration of time.


Updated on June 13, 2022

Comments

  • Maxime Flament
    Maxime Flament almost 2 years

    I'm developing a MEAN stack application, and I'm currently setting up an account system. I've seen several tutorials about Authentication, all using JWT.

    I am wondering if, JWT could be used as way to secure communication transport over non-secured connection like HTTP?

    I've set up HTTPS to communicate from my Angular 4 front-end to my NodeJS + Express back-end, and thus, wondering if JWT are necessary to secure my communications?

  • Maxime Flament
    Maxime Flament over 6 years
    Okay so it's a way to make sure the user is authenticated and validate its authentication when requesting a service in my back-end that requires being authenticated? I've seen several videos/tutorials (see: jwt.io/introduction) telling that JWT are used to secure communication over HTTP because they're encrypting the data that is transported, and they can ensure that the data wasn't modified, i.e., its integrity hasn't been compromised
  • MeVimalkumar
    MeVimalkumar over 6 years
    That too correct. Watch this. youtube.com/watch?v=K6pwjJ5h0Gg
  • shaochuancs
    shaochuancs over 6 years
    JWT may be better than Session, but it is definitely NOT necessary.
  • shaochuancs
    shaochuancs over 6 years
    I think OP is confused on 2 different concepts of "secure": security of communication vs. security of the account and website content
  • Maxime Flament
    Maxime Flament over 6 years
    That's it, I wasn't getting the real usage of JWT, that is the fact that it is used to replace sessions, and I thought it had the same job as HTTPS
  • Maxime Flament
    Maxime Flament over 6 years
    Yes it's not necessary, but my question was: is using JWT over HTTPS necessary? But thanks for pointing out that sessions can be used to verify the authentication of a user!
  • shaochuancs
    shaochuancs over 6 years
    @MaximeFlament Well, for "using JWT over HTTPS", I still don't think it's necessary; of course, it's a good solution, but there are many other good solutions too. Some web sites don't even have their own account system and use a 3rd-party login service instead; in this case, the web site does not maintain its own JWT token
  • Spomky-Labs
    Spomky-Labs over 6 years
    JWT can be used through HTTP connections. It just depends on the application context. It can also be encrypted: see tools.ietf.org/html/rfc7516
  • Maxime Flament
    Maxime Flament over 5 years
    No, I don't want to leak users' credentials. That's a really huge vulnerability! I wanted to cipher the data exchanged between clients and an API, thus HTTPS can do the job. However, I also needed to ensure that users are authenticated. In a stateless configuration, where sessions don't exist, JWT is a solution because this "protocol" has an authentication property + it guarantees the integrity of the message.
  • Maxime Flament
    Maxime Flament over 5 years
    The last property I was looking for was the identification property, which is provided by HTTPS certificate validation (done on the client side, when receiving the domain's certificate). When I say "identification property", I'm using the crypto meaning of this word, i.e., a mechanism to ensure that data received by Bob from Alice has actually been sent by Alice (and not by an attacker pretending to be Alice).
  • duhaime
    duhaime almost 5 years
    This really doesn't answer the question, which is about the security of information exchange using JWT over encrypted/non-encrypted protocols...
  • Michael
    Michael almost 5 years
    Actually that is JWS (one branch of JWT) whereas JWE (another branch of JWT) actually encrypts the payload.
  • Vector
    Vector almost 4 years
    This is the best and most thorough answer. I use JWE for our authentication management because it encrypts ALL the data which then is again encrypted if it is over HTTPS. I feel like this is the best solution. It does have drawbacks. While it does encrypt the entire token along with all data contained in the token (not just the signature,) it makes the token so large (due to the high encryption standard and small amount of data in the token) that it barely fits inside the maximum size of a cookie for most browsers. So, there's that.
  • Lo-Tan
    Lo-Tan over 3 years
    "JWT can be used in through HTTP connections" <- this is an extremely dangerous mention if you don't follow it up with "but don't do that". It's like saying you can stick passwords into a database in plain text. You can, but you sure shouldn't. If you transmit JWTs over clear text HTTP, they can be hijacked, and that means an entire user's session can be stolen. JWTs are sensitive information and should be transmitted as such. Please transmit your token/session identification information over HTTPS!
  • Roshan
    Roshan over 2 years
    Yes, I agree, this is the best explanation with regard to the question, especially since a JWT can be sniffed using a MITM attack if passed over HTTP; the same goes for session-token-based approaches like a JSESSIONID cookie, for example.