Is this security scheme using passwords, short-lived access JWTs, and long-lived refresh tokens a good way to secure a REST API?

I’m trying to secure a REST API that I’m using as a backend for a single-page application. The API provides access to read/create/modify/delete protected resources, based on a set of permissions managed by an administrator. What I’m thinking is the following:

  • All connections must be over HTTPS; plain HTTP requests will be redirected to HTTPS.
  • Users have a username and password, which they create.
  • A client submits a username/password to a /login route; if it’s a valid password for that user, the server will return a short-lived access token and a long-lived refresh token.
    • The access token will be a signed JWT that identifies the user and has an expiration time.
    • The refresh token will be a GUID corresponding to a row in a database table; this row will store the user ID
  • When accessing protected routes (everything but /login), an access token will be required. The server will verify the signature, and if valid, will check the expiration time. If the token is not expired, the user ID will be made available to server-side code for authorization logic.
  • If the access token is expired, the client will automatically submit the refresh token to a /refresh endpoint for requesting a new access token. The server will check the database; if a corresponding row still exists, a new access token will be returned to the client.

Does this scheme sound secure?

Are JWT’s the way to go in my situation?

I am working on a personal project for learning reasons, and have come to the point of authenticating and authorizing users. I would like to keep the project as stateless as possible, to make sure it can run on either 1 or 100 machines without much effort.

Here is my current plan of action for my users on this microservice architecture:

  1. A user goes to an MVC application that serves a game. They are not logged in, so are redirected to a login page.

  2. Upon successful login, the MVC app sets a JWT in the user’s cookies. The JWT only contains the user id and their claims (user, admin, etc). The JWT logic is managed by IdentityServer4.

  3. The user is logged in to the MVC app and can play a game. The user posts whatever move they want to make, and the ID of the game they are playing.

  4. The MVC app uses the user id and claim in the JWT to retrieve the game being played from a Redis cache. The move the user posted is processed. The resulting game state is stored in Redis.

  5. User receives the current game state from the server. Repeat from step 3.

My question: are JWT’s a good use case for the above scenario? Or are there any downsides I may have missed?

What does “claim name collision” mean in the context of JWTs?

Recently, I have been reading the JWT’ RFC and I’m struggling to understand the meaning of claim names collision.

The registered claim names are more or less clear. If I got it right, these are addressed to provide JWT specification with a set of claims out of the box. 1

However, when it comes to public and private claims, I don’t see it so clearly. My question is regarding public and private claim names collision.

Public

Claim Names can be defined at will by those using JWTs. However, in
order to prevent collisions, any new Claim Name should either be
registered in the IANA “JSON Web Token Claims” registry established
by Section 10.1 or be a Public Name: a value that contains a
Collision-Resistant Name
. In each case, the definer of the name or
value needs to take reasonable precautions to make sure they are in
control of the part of the namespace they use to define the Claim
Name.

Private

Private Claim Names are subject to collision and should be used with caution.

What does collision mean in this context? How can claim names collide when there is only one authentication and authorization provider? Are not these providers aware of the claims they populate and verify?

Could it be possible that a secondary auth provider could change the JWT payload so that it could override some of these claims?

Probably, I’m missing something important regarding the authentication and the authorization workflow, but I don’t know what. Or maybe I’m not getting the definition of collision because of my limited English skills.


1: I have checked out a couple of JWT APIs in Java and I have confirmed that these claims can be informed through dedicated methods/functions (unlike public o private claims whom are informed like a tuple key-value).

Is localStorage a security liability for JWTs?

I’m using JSON web tokens for authentication in my app. Since data is pulled from protected routes in the API, security tokens are stored in the frontend.

My question is this: Is using HTML’s localStorage to store JWTs (nothing else) an unsafe option compared to cookies? I understand cookies have their own disadvantages, but I’m looking for the safest way available to store a JWT locally. Thanks in adfvance!