DEV Community

Discussion on: Please Stop Using Local Storage

Ryan Edge • Edited

Some clarifications on JWTs taken from the RFC as well as JWT.IO and Auth0's best practices for storing tokens.

They can be used to store sensitive information.

From RFC:

A JWT may contain privacy-sensitive information. When this is the case, measures MUST be taken to prevent disclosure of this information to unintended parties.

From JWT.io:

JSON Web Tokens are a good way of securely transmitting information between parties. Because JWTs can be signed—for example, using public/private key pairs—you can be sure the senders are who they say they are. Additionally, as the signature is calculated using the header and the payload, you can also verify that the content hasn't been tampered with.

They can be used for authentication and that is one of their primary use cases.

From JWT.io:

Authentication: This is the most common scenario for using JWT. Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token. Single Sign On is a feature that widely uses JWT nowadays, because of its small overhead and its ability to be easily used across different domains.

I think it is important to point out that there are security concerns with both Cookies and JWTs (mentioned in Auth0's best practices) that cannot be left unchecked and should be handled delicately.
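To make the RFC's "measures MUST be taken" point concrete, here is a small added example in Python (it is not part of Ryan's comment, the RFC, or JWT.io's text). It builds and verifies an HS256 JWT with only the standard library, then shows that the payload of a valid token is readable by anyone holding it, because signing gives integrity and origin, not confidentiality. The key and the claims are constructed demo values.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the stripped padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(payload: dict, key: bytes) -> str:
    """Produce header.payload.signature for alg HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(payload))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def read_payload_without_key(token: str) -> dict:
    """Anyone who obtains the token can do this: the payload is encoded, not encrypted."""
    _, payload_b64, _ = token.split(".")
    return json.loads(b64url_decode(payload_b64))


def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """Return the payload only if the HS256 signature is valid, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm server-side; never let the token dictate how it is checked.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(
        key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def demo() -> dict:
    """Round-trip a constructed token and summarise what the signature does and does not protect."""
    key = b"constructed-demo-key-not-for-production"  # constructed value
    token = make_jwt({"sub": "user-42", "email": "alice@example.test"}, key)  # constructed claims

    # Replace the payload but keep the original signature: must be rejected.
    header_b64, _, sig_b64 = token.split(".")
    forged_payload = b64url_encode(json.dumps({"sub": "user-1"}, separators=(",", ":")).encode())
    tampered = f"{header_b64}.{forged_payload}.{sig_b64}"

    return {
        "readable_without_key": read_payload_without_key(token),
        "verified_with_key": verify_jwt(token, key) is not None,
        "tampered_rejected": verify_jwt(tampered, key) is None,
        "wrong_key_rejected": verify_jwt(token, b"some-other-key") is None,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The `readable_without_key` entry is the whole point: whatever you put in the claims is visible to any party that ends up holding the token, which is why the choice of where the token is stored (cookie with `HttpOnly` versus local storage, the subject of this thread) matters as much as the signature.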

Randall Degges

Auth0 is a great company (I have a lot of friends that work there) -- that being said, they recommend things that other security experts disagree with all the time.

Nobody is perfect.

Auth0 is the main reason JWTs are so popular today, and has a pretty vested interest in encouraging people to use them for authentication (which I strongly disagree with).

There are a lot of resources online of cryptographers speaking against using them for this purpose and why (other than myself).

Ryan Edge

Don't disagree with your assessment of Auth0. My nit would be the RFC for JWT says quite plainly that there's nothing wrong with storing sensitive data in a JWT so long as it is safeguarded.

That said, I don't see much advantage to using a JWT to store anything beyond claims & id.