Hi,
I have a general question about how we use JWT tokens.
Authentication: This is the most common scenario for using JWT. Once the user is logged
in, each subsequent request will include the JWT, allowing the user to access routes,
services, and resources that are permitted with that token. Single Sign On is a feature
that widely uses JWT nowadays, because of its small overhead and its ability to be easily
used across different domains.
That seems to be our scenario. AFAIK there is no OAuth/OpenID in this system.
Our JWT token from the browser is sent in a header to Rest Endpoint-1. This endpoint
isn't secured. I mean that it can't verify the claims in the token. The claims
don't represent any information related to this endpoint. It just passes the token
along to Endpoint-2, which is capable of verifying the token.
Is this Endpoint-1 considered insecure now? It is just a mediator, but anyone with the
token can access it. How do I make Endpoint-2 trust Endpoint-1?
Thanks,
Mohan
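An added example, not code from the original thread or from the system Mohan describes, showing one way to make Endpoint-2 trust Endpoint-1 without relying on the mediator to verify the user's claims. Everything in it is assumed: the HS256 shared secrets (chosen only so the example needs nothing beyond the Python standard library), the claim and header names, the endpoint names and the 30-second relay-token lifetime. Endpoint-2 still verifies the browser's JWT itself; Endpoint-1 checks the signature it is able to check, then attaches its own short-lived token, bound to the user token it forwards, so Endpoint-2 can tell a relayed request from a direct one.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secrets. Assumption: HS256 shared keys provisioned out of band.
USER_TOKEN_KEY = b"demo-user-token-key"            # key the browser's JWT is signed with
MEDIATOR_KEY = b"demo-endpoint1-to-endpoint2-key"  # key only Endpoint-1 and Endpoint-2 hold

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwt_encode(claims: dict, key: bytes) -> str:
    """Mint a compact HS256 JWT: base64url(header).base64url(payload).base64url(sig)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def jwt_verify(token: str, key: bytes, audience=None, now=None) -> dict:
    """Check algorithm, signature and expiry (and audience when given); return claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side; the token must never choose it (rejects alg=none).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if audience is not None and claims.get("aud") != audience:
        raise ValueError("wrong audience")
    return claims

def _bearer(headers: dict) -> str:
    value = headers.get("Authorization", "")
    if not value.startswith("Bearer "):
        raise ValueError("missing bearer token")
    return value[len("Bearer "):]

def endpoint1_forward(incoming: dict, now=None) -> dict:
    """Endpoint-1 (mediator): reject tokens that do not verify, then forward them with
    a short-lived token of its own that is bound to the user token it relays."""
    now = time.time() if now is None else now
    user_token = _bearer(incoming)
    jwt_verify(user_token, USER_TOKEN_KEY, now=now)  # signature and expiry only; claims not interpreted
    hop_token = jwt_encode(
        {"iss": "endpoint-1", "aud": "endpoint-2", "iat": now, "exp": now + 30,
         "user_token_sha256": hashlib.sha256(user_token.encode()).hexdigest()},
        MEDIATOR_KEY,
    )
    return {"Authorization": incoming["Authorization"], "X-Relayed-By": hop_token}

def endpoint2_handle(headers: dict, now=None) -> dict:
    """Endpoint-2 verifies the user token itself and separately verifies the relay token."""
    now = time.time() if now is None else now
    user_token = _bearer(headers)
    user = jwt_verify(user_token, USER_TOKEN_KEY, audience="endpoint-2", now=now)
    hop = jwt_verify(headers.get("X-Relayed-By", ""), MEDIATOR_KEY, audience="endpoint-2", now=now)
    if hop.get("iss") != "endpoint-1":
        raise ValueError("unknown relay")
    if hop.get("user_token_sha256") != hashlib.sha256(user_token.encode()).hexdigest():
        raise ValueError("relay token not bound to this user token")
    return {"user": user["sub"], "via": hop["iss"]}

def demo(now: float = 1_700_000_000.0) -> dict:
    """Happy path plus three failure cases; returns what Endpoint-2 accepted."""
    browser = jwt_encode({"sub": "mohan", "aud": "endpoint-2", "exp": now + 300}, USER_TOKEN_KEY)
    relayed = endpoint1_forward({"Authorization": "Bearer " + browser}, now=now)
    results = {"relayed": endpoint2_handle(relayed, now=now)}
    def accepted(headers, at=now):
        try:
            endpoint2_handle(headers, now=at)
            return True
        except ValueError:
            return False
    results["direct_without_relay"] = accepted({"Authorization": "Bearer " + browser})
    other = jwt_encode({"sub": "someone-else", "aud": "endpoint-2", "exp": now + 300}, USER_TOKEN_KEY)
    results["relay_token_replayed_for_other_user"] = accepted(
        {"Authorization": "Bearer " + other, "X-Relayed-By": relayed["X-Relayed-By"]})
    results["relay_token_stale"] = accepted(relayed, at=now + 31)
    return results

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats on the design. With HS256 every party that can verify a token can also mint one, so giving Endpoint-1 the user-token key would be a real weakening; in practice the browser token should use an asymmetric algorithm (RS256 or ES256) so the mediator only holds the public key. The relay token is one way for Endpoint-2 to know a request came through Endpoint-1; mutual TLS between the two services is the other common one, and neither replaces Endpoint-2 verifying the user's JWT itself.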