1
votes

I recently implemented JWT auth with .NET Core Identity.

I know that, to reduce the number of authentications needed to get an access token (when it expires after a short time for better security), we use a refresh token to renew the access token instead of re-authenticating.

Suppose a man-in-the-middle manages to steal the refresh token, uses it to get a new access token and makes a request with it (token hijacking). How could the system detect this and reject the request?

I mean, is there a solution so that if a JWT has been stolen by someone in order to impersonate the user, the server recognizes it and rejects it? (I know SSL could help, but I am thinking about other ways. For example, encrypting the JWT with the time and IP, or ...?)


1 Answer

2
votes

Assuming you are using two-way SSL between server and client, your concern is mostly moot. The reason is that any man-in-the-middle, should he find a way to intercept, would not even know where the JWT begins and ends. Instead, he would just be stuck with some encoded mess. Hypothetically, if someone got hold of a JWT, then yes, he might be able to impersonate one of your users. This would be no different from someone stealing a credit card and then masquerading as the owner. But, due to SSL, the likelihood of this happening is fairly small.
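The question also asks what the server can do on its own if a refresh token does leak despite TLS. A common server-side measure for exactly that case is refresh-token rotation with reuse detection (every refresh returns a new token and invalidates the old one; if an already-exchanged token is ever presented again, the whole token family is revoked so both the thief and the legitimate client must log in again), optionally combined with binding the token to a client fingerprint such as IP plus User-Agent, which is what the question calls "encrypt JWT by time and IP". The following is an added example written for this page, not code from the question asker, the answerer or .NET Core Identity; it is in Python rather than C# so the logic is easy to read, and the class names, the store layout and the sample fingerprints are all made up for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class RefreshRecord:
    user_id: str
    family_id: str      # all tokens descending from one login share a family
    client_hash: str    # fingerprint of the client the token was issued to
    expires_at: float
    used: bool = False      # set once the token has been exchanged
    revoked: bool = False   # set when the family is killed


class RefreshTokenStore:
    """Hypothetical in-memory refresh-token store with rotation, reuse
    detection and optional client binding (an illustration, not a real
    library API). Tokens are stored only as SHA-256 digests so a database
    leak does not hand out usable refresh tokens."""

    def __init__(self, lifetime_seconds: int = 7 * 24 * 3600, clock=time.time):
        self._records: Dict[str, RefreshRecord] = {}
        self._lifetime = lifetime_seconds
        self._clock = clock  # injectable so expiry can be tested offline

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    @staticmethod
    def client_hash(ip: str, user_agent: str) -> str:
        """Fingerprint used for binding; pick the inputs to match your clients."""
        return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()

    def issue(self, user_id: str, client_hash: str, family_id: Optional[str] = None) -> str:
        """Mint a fresh random token; a new family starts at login."""
        token = secrets.token_urlsafe(32)
        family_id = family_id or secrets.token_hex(8)
        self._records[self._digest(token)] = RefreshRecord(
            user_id, family_id, client_hash, self._clock() + self._lifetime)
        return token

    def _revoke_family(self, family_id: str) -> None:
        for rec in self._records.values():
            if rec.family_id == family_id:
                rec.revoked = True

    def rotate(self, presented: str, client_hash: str) -> Optional[str]:
        """Exchange a refresh token for a new one. Returns None (and the caller
        should demand a full login) on any failure."""
        rec = self._records.get(self._digest(presented))
        if rec is None or rec.revoked or rec.expires_at < self._clock():
            return None
        if rec.used:
            # An already-exchanged token is being replayed: either the real
            # client or a thief is holding a stale copy. We cannot tell which,
            # so kill the whole family; this also invalidates whatever the
            # thief obtained by rotating first.
            self._revoke_family(rec.family_id)
            return None
        if not hmac.compare_digest(rec.client_hash, client_hash):
            # Token presented from a client it was never issued to.
            self._revoke_family(rec.family_id)
            return None
        rec.used = True
        return self.issue(rec.user_id, client_hash, rec.family_id)


# Constructed scenarios (fingerprints are made up) showing both defences.
VICTIM = RefreshTokenStore.client_hash("203.0.113.10", "Mozilla/5.0")
ATTACKER = RefreshTokenStore.client_hash("198.51.100.7", "curl/8.0")


def replay_scenario() -> dict:
    """Thief copies the token and the victim's fingerprint and refreshes first."""
    store = RefreshTokenStore()
    t1 = store.issue("alice", VICTIM)
    stolen_t2 = store.rotate(t1, VICTIM)      # thief wins the race, gets t2
    victim_retry = store.rotate(t1, VICTIM)   # victim replays t1 -> reuse detected
    thief_retry = store.rotate(stolen_t2, VICTIM)  # t2 died with the family
    return {"thief_first": stolen_t2 is not None,
            "victim_after": victim_retry, "thief_after": thief_retry}


def binding_scenario() -> dict:
    """Thief presents the token from a different client."""
    store = RefreshTokenStore()
    t1 = store.issue("alice", VICTIM)
    return {"thief": store.rotate(t1, ATTACKER), "victim": store.rotate(t1, VICTIM)}


if __name__ == "__main__":
    print(replay_scenario())
    print(binding_scenario())
```

Two caveats a practitioner should keep in mind: reuse detection only fires once the second party tries to refresh, so a thief who rotates first gets a window of use until the legitimate client's next refresh (keep access tokens short-lived to bound it), and strict IP binding will lock out mobile and roaming users, so many deployments bind to a softer fingerprint or only log a mismatch rather than revoking on it.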