We have a simple requirement at this time to replace username/password authentication on our web services with authentication using a token. Our customers do not want their web services to be disrupted by password policy that requires changing a password every n months for example. We are doing work to migrate to using an IDP for SSO, but at this time we do not reference an IDP.
I was wondering whether this is a valid/secure implementation, and what issues people see arising from this:
User logs into our application. From their User profile, run a process that generates an RSA private/public key pair. The customer is provided a JWK representation of the full key (private and public), and the application stores the public key in the User profile.
The User stores their JWK in a secure location, and using a provided library, their Web Service calls create a JWT signed with their private key. They will be able to control the claims, expiration, etc. of the JWT, although the claims would have to match what is expected on the Web Service side.
The User runs the web service, inserting the JWT in the Authorization header (Bearer ). The server inspects the JWT to determine the User (I know this is not standard, as we should not be inspecting any part of the HWT before validating), looks up the public key based upon the User, and then validates the JWT using the public key, and assuming success, serves the request.
In this way, we can authenticate without a username/password, the customer maintains control over their credentials (they can generate a new JWK any time they wish), and we do not have the liability of storing/maintaining the User’s private key.
If this is an acceptable way to go, should we consider a way to issue an access token upon initial presentation of the JWT? Should we cache the JWT on the server after the initial authentication, so as to avoid the overhead of validating the JWT upon each web service call? Of course there would be issues if we include a nonce or sign part of the web service content, but I am assuming that using an access code would be vulnerable to the same issues.