I'm trying to design a system with as few moving parts as possible. For example, JWTs are a great option to avoid having to validate authorization and entitlements through an intermediary. The JWT contains everything you need and has a way to ensure it wasn't tampered with.
However it has one flaw (in my opinion): hijacking. Is there a way to have the holder prove the JWT indeed belongs to them, in such a way that it still doesn't require an intermediary?
Consider this analogy: a JWT is like an access card/badge. In order to enter through a door to a high security area, you must swipe your badge and perform a biometrics scan. In order to pass, the encoded data on the badge must meet these conditions:
- The area you are entering is permitted by the access level of your badge
- Your biometrics scan result matches with the biometrics data on your badge
- Your badge was issued by a recognized entity
- The information on your badge has not been tampered with.
BTW, by "intermediary" I mean not having to call/contact an external service/API to validate credentials.
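The following is an added worked example (it is not part of the original question) that puts the badge analogy into running code. The issuer mints a JWS-shaped token whose payload pins a thumbprint of the holder's public key in a `cnf` claim, in the spirit of RFC 7800 proof-of-possession key semantics; the "door" then checks all four badge conditions locally, with nothing but the issuer's public key and a nonce of its own, and the holder proves possession by signing that nonce. Assumptions to be aware of: the RSA here is textbook RSA over tiny Mersenne-prime moduli, used only so the script runs with the Python standard library (it is not secure); the `alg` name, the thumbprint serialisation, the claim names `areas` and `iss` value `badge-office`, and the subjects alice and Mallory are all invented for this example.

```python
"""Added example: a self-verifiable badge token bound to the holder's key.

Toy RSA keeps the example standard-library only; the moduli are far too
small for real use. Token layout follows JWS (b64url(header).b64url(payload)
.b64url(signature)); the key binding follows the idea of the RFC 7800 `cnf`
claim, but the `alg` value and thumbprint format are this example's own.
"""
import base64
import hashlib
import json
import secrets

# Mersenne primes, chosen because their exact values are well known; this
# keeps the example deterministic. Real keys must never be built this way.
ISSUER_PRIMES = (2**89 - 1, 2**107 - 1)
HOLDER_PRIMES = (2**61 - 1, 2**127 - 1)


def toy_rsa_keypair(p, q):
    """Textbook RSA keypair (no padding, tiny modulus): illustration only."""
    n, e = p * q, 65537
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python >= 3.8
    return {"n": n, "e": e}, {"n": n, "d": d}


def _hash_to_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def toy_sign(priv, data):
    return pow(_hash_to_int(data, priv["n"]), priv["d"], priv["n"])


def toy_verify(pub, data, sig):
    return pow(sig, pub["e"], pub["n"]) == _hash_to_int(data, pub["n"])


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def key_thumbprint(pub):
    """SHA-256 over a canonical serialisation of the public key (cf. RFC 7638)."""
    canon = json.dumps({"e": pub["e"], "n": pub["n"]}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canon.encode()).digest())


def issue_badge(issuer_priv, subject, areas, holder_pub, now, ttl=3600):
    """Issuer mints a token whose `cnf` claim pins the holder's public key."""
    header = {"alg": "toy-RSA-SHA256", "typ": "JWT"}  # alg name invented for this example
    payload = {"iss": "badge-office", "sub": subject, "areas": areas,
               "exp": now + ttl, "cnf": {"jkt": key_thumbprint(holder_pub)}}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(payload).encode())
    sig = toy_sign(issuer_priv, signing_input.encode())
    return signing_input + "." + b64url(sig.to_bytes(32, "big"))


def prove_possession(holder_priv, token, nonce):
    """Holder signs the door's fresh nonce together with the token it presents."""
    return toy_sign(holder_priv, nonce + b"." + token.encode())


def verify_entry(issuer_pub, token, holder_pub, proof, nonce, area, now):
    """Door controller: the four badge conditions, checked locally. Returns (granted, reason)."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        payload = json.loads(b64url_decode(p_b64))
        sig = int.from_bytes(b64url_decode(s_b64), "big")
    except ValueError:
        return False, "malformed token"
    # Issued by a recognised entity and not tampered with: issuer signature over header.payload
    if not toy_verify(issuer_pub, (h_b64 + "." + p_b64).encode(), sig):
        return False, "bad issuer signature"
    if payload.get("iss") != "badge-office" or payload.get("exp", 0) <= now:
        return False, "unknown issuer or expired"
    # The area is permitted by the badge
    if area not in payload.get("areas", []):
        return False, "area not permitted"
    # The "biometrics" match: presented key must be the one pinned in the badge...
    if payload.get("cnf", {}).get("jkt") != key_thumbprint(holder_pub):
        return False, "presented key does not match badge"
    # ...and the presenter must actually hold its private half (fresh nonce defeats replay)
    if not toy_verify(holder_pub, nonce + b"." + token.encode(), proof):
        return False, "proof of possession failed"
    return True, "granted"


def demo():
    """Happy path, a stolen token presented with the thief's key, a tampered token, wrong area."""
    now = 1_700_000_000  # constructed timestamp
    iss_pub, iss_priv = toy_rsa_keypair(*ISSUER_PRIMES)
    alice_pub, alice_priv = toy_rsa_keypair(*HOLDER_PRIMES)
    token = issue_badge(iss_priv, "alice", ["lobby", "server-room"], alice_pub, now)
    nonce = secrets.token_bytes(16)  # fresh challenge from the door
    proof = prove_possession(alice_priv, token, nonce)
    results = {"legit": verify_entry(iss_pub, token, alice_pub, proof, nonce, "server-room", now)}
    # Mallory steals the token but can only sign with a key that is not pinned in it
    mal_pub, mal_priv = toy_rsa_keypair(2**31 - 1, 2**127 - 1)
    mal_proof = prove_possession(mal_priv, token, nonce)
    results["hijacked"] = verify_entry(iss_pub, token, mal_pub, mal_proof, nonce, "server-room", now)
    # Alice edits her own badge to add an area: the issuer signature no longer matches
    h, p, s = token.split(".")
    forged = json.loads(b64url_decode(p))
    forged["areas"].append("vault")
    tampered = h + "." + b64url(json.dumps(forged).encode()) + "." + s
    results["tampered"] = verify_entry(iss_pub, tampered, alice_pub,
                                       prove_possession(alice_priv, tampered, nonce), nonce, "vault", now)
    results["wrong_area"] = verify_entry(iss_pub, token, alice_pub, proof, nonce, "vault", now)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:10s} -> {outcome}")
```

The point the code makes: a bearer JWT is hijackable because possessing the string is the whole credential; once the issuer pins the holder's public key into the signed payload, a thief holding only the string fails the `cnf` check, and a thief who also swaps in their own key breaks the issuer signature. The door still contacts nobody at verification time. In production the same shape is standardised as DPoP (RFC 9449) or mTLS certificate-bound tokens (RFC 8705), with real signature algorithms in place of the toy RSA here.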