Assuring Client is Authorized to use JSON Web Token
JSON Web Tokens (JWT) are server-signed objects that the issuing server uses to identify a user, track session data, and authorize requests.
Because a JWT is server-signed, a valid signature gives assurance that the token was produced by someone with access to the server's private key (or, for HMAC-based signatures, its shared symmetric key). It does not, by itself, show that the party presenting the token is the user it was issued to, so it is important to consider how to ensure that the token is being sent to the server by an authorized user.
One way to address this concern is to trust the client to use Transport Layer Security (TLS) and otherwise protect the token from disclosure. Clients are already required to keep the credentials used for authentication secret, so securing the token is not a radically different obligation. Additionally, JWTs typically have a shorter lifetime than those credentials, which makes them easier to secure: a token that leaks is only useful until it expires.
The JWT RFC (RFC 7519) states that confidentiality protection must be applied, using TLS, to protect against information disclosure and tampering.
JWTs are commonly used like bearer tokens in OAuth 2.0, and the bearer token RFC (RFC 6750) states that bearer tokens need to be protected from disclosure both in storage and in transit. It likewise emphasizes the use of TLS for securing the token in transit.