Is sending JWT in a query string via email secure?


I'm implementing a simple passwordless auth system.

The Auth Server will generate a JWT (based on the user's email) and send a link to the user's email in the format http://www.CLIENT-WEBSITE.com/?jwt=aaaa.bbbb.cccc.

The Client website would then store that JWT in local storage and send it in the Authorization header (bearer scheme) in all subsequent requests to the protected API Server. It also immediately redirects to the Client's homepage, so if the user chooses to bookmark the page they don't bookmark the JWT in the URL.

Is this a secure implementation? And if it isn't, what would be a better way to send the JWT from the Auth Server to the Client via email?

pedrofb (accepted answer):

Since the email is sent using an SMTP server that you probably do not own and the communication channel may not be encrypted, the general answer is NO, because the message can be intercepted.

If you require a TLS channel to the SMTP and mail servers, and you trust the mail server to accept only TLS for downloading messages, then the answer could be MAYBE, depending on the IT infrastructure hosting the servers.

If the message is encrypted using the user's public key, YES, the message is secured, but you probably do not have that public key.

Sending a JWT by mail is risky. I suggest using a second factor in addition to the email link: for example, something the user knows, like a password or some private data, or something the user has, for example a phone number (sending an SMS) or a digital certificate (a cryptographic key pair generated on the client side). If the second-factor verification is correct, then issue the JWT.

EDIT: added use case

From your comments, you are in the MAYBE scenario. By managing the SMTP and email servers, you can ensure that TLS encryption protects the transmission of the message between servers until it is delivered to the client.

After this you lose control. This means that the user can download the email, forward it, or just store it on their machine. The JWT is self-contained and is valid until its expiration time, so anyone in possession of the token has the keys to the house.

The format of the link is not important, but I would change http to https.

You have to assess whether the risk level is acceptable, or whether, to issue the JWT, you need to verify identity by adding a second-factor check like the one I propose. In the end we must reach a compromise between security and usability.
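To make the two points above concrete, here is an added worked example (not code from the question or the answer). The first part mints and verifies an HS256 JWT with only the standard library, which shows the "self-contained, valid until expiration" property: the verifier accepts the token from whoever presents it, so a forwarded or stored email is as good as the original. The second part is the alternative the answer proposes: the email link carries only a short-lived, single-use opaque code (stored hashed server-side), and the JWT is minted only after that code is redeemed together with an out-of-band OTP. The signing key, the link format, the TTLs and the `MagicLinkStore` class are all constructed assumptions for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed demo key; a real deployment keeps this in a KMS/secret store.
SIGNING_KEY = b"constructed-demo-signing-key-not-for-production"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(email: str, now: int, ttl: int = 3600) -> str:
    """Build a compact HS256 JWT with sub/iat/exp claims (no library needed)."""
    compact = {"separators": (",", ":")}
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = b64url(json.dumps({"sub": email, "iat": now, "exp": now + ttl}, **compact).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_jwt(token: str, now: int):
    """Return the claims if the signature is valid and the token is unexpired, else None.
    Note what is NOT checked: who presents it. Possession alone is enough."""
    try:
        header, payload, sig = token.split(".")
        presented = b64url_decode(sig)
        claims = json.loads(b64url_decode(payload))
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None
    return claims


class MagicLinkStore:
    """Pending logins keyed by the SHA-256 of the link code, so a leaked table
    yields nothing redeemable. Each code is consumed on first use, success or not."""

    def __init__(self, link_ttl: int = 600):
        self.pending = {}
        self.link_ttl = link_ttl

    @staticmethod
    def _key(code: str) -> str:
        return hashlib.sha256(code.encode()).hexdigest()

    def issue_link(self, email: str, now: int):
        """Create the email link and the OTP that goes out on a separate channel (e.g. SMS).
        Returns both so the caller can hand the OTP to the SMS sender."""
        code = secrets.token_urlsafe(32)
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[self._key(code)] = {"email": email, "exp": now + self.link_ttl, "otp": otp}
        link = f"https://www.CLIENT-WEBSITE.example/login?code={code}"  # constructed URL
        return link, otp

    def redeem(self, code: str, otp: str, now: int):
        """Consume the code exactly once; require the OTP; only then mint the JWT."""
        entry = self.pending.pop(self._key(code), None)  # single use: gone either way
        if entry is None or entry["exp"] <= now:
            return None
        if not hmac.compare_digest(entry["otp"], otp):
            return None
        return mint_jwt(entry["email"], now)


def code_from_link(link: str) -> str:
    """Extract the login code the user's browser would send back when the link is opened."""
    return parse_qs(urlparse(link).query)["code"][0]


if __name__ == "__main__":
    now = 1_700_000_000
    store = MagicLinkStore()
    link, otp = store.issue_link("alice@example.com", now)
    token = store.redeem(code_from_link(link), otp, now)
    print("first redeem ->", verify_jwt(token, now))
    print("replay of same link ->", store.redeem(code_from_link(link), otp, now))
```

The contrast with the flow in the question is in what the email carries: a bare JWT is a bearer credential that stays usable until `exp` no matter who holds the mailbox or the forwarded message, while the link code here is worthless after one redemption, expires in minutes, and still needs the OTP from the second channel before any JWT exists.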