Due to limitations in the browser client, our WebSocket library is sending the JWT token as a query parameter.
I am trying to understand if any security pattern is recommended by the community to mitigate the risk.
Can I send a short-term JWT token in the query parameter first and use that to get the main JWT token for authorization? Is such an exchange feasible? Please note that this is only needed because the query parameter is exposed the first time. Is this even possible?
- The HTTP connection is upgraded to a WebSocket connection after the first short-term token is authenticated.
- Since this first token was a query parameter it was exposed.
- The first token is exchanged for a second token on the server and sent along to our other distributed systems.
- This happens every time the ReactJS client opens a new Websocket connection.
- So the first token resides in the ReactJS browser client, but the second token is used by other systems. These two tokens should indicate the same authorization. The second token is needed only because the first is exposed.