How to securely transfer a JWT token from an external B2C tenant to an internal app

Clinton van Axel 126 Reputation points
2024-02-10T20:47:46.4+00:00

I have an application that is accessible both internally and externally through a B2C tenant. How can I securely transfer the JWT token to the internal application?

Microsoft Security Microsoft Entra Microsoft Entra ID

3 answers

  1. Igor Iric 80 Reputation points
    2024-02-10T21:15:23.2433333+00:00

    Ensure that the token endpoint is only accessible over HTTPS to secure the token in transit. Implement middleware in App 1 that validates the JWT token's signature, issuer, and audience, and ensures that the token is not expired. Azure AD B2C public keys, used to sign these tokens, can be found at the well-known OpenID configuration endpoint.

    When App 1 needs to call App 2, it should use the JWT token as a bearer token in the authorization header of the HTTP request. App 2 must also validate the JWT token before processing the request. Ensure that the JWT tokens include claims for scopes and roles. App 2 should authorize requests based on these scopes and roles.

    Use Azure Monitor and Azure Sentinel for real-time security monitoring and alerts. Consider using Azure API Management as an API gateway to further secure and manage access to your APIs. The API gateway can validate JWT tokens and transform requests without exposing the tokens to additional layers. Handle the refresh tokens securely within App 1, and ensure that the application can obtain new access tokens as needed without user interaction.


  2. Clinton van Axel 126 Reputation points
    2024-02-10T21:21:01.5933333+00:00

    But how do I get the connection to app 3?


  3. Pinaki Ghatak 5,600 Reputation points Microsoft Employee Volunteer Moderator
    2024-02-12T11:24:23.5733333+00:00

    Hello @Clinton van Axel

    It’s essential to note that a JWT guarantees data ownership but not encryption. The token can be seen by anyone who intercepts it because it’s serialized, not encrypted. Therefore, it’s strongly advised to use JWTs over HTTPS to ensure confidentiality during transmission and provide a broader layer of protection for data in transit.

    Now, let’s address your scenario of securely transferring a JWT token from an external application (such as a B2C tenant) to an internal application:

    1. Token Generation and Issuance:
      • Your B2C tenant should issue JWT tokens upon successful authentication. These tokens typically include claims such as user identity, roles, and expiration time.
      • Ensure that the token issuer (B2C) signs the JWT using a private key. The internal application will verify the token’s authenticity using the corresponding public key.
    2. Token Transfer Options:
      • HTTP Headers: The most common method is to include the JWT in an HTTP header (e.g., Authorization: Bearer <token>). The internal application extracts the token from the header and validates it.
      • Cookies: You can store the JWT in an HTTP-only cookie. This approach prevents client-side JavaScript from accessing the token, enhancing security. However, cookies have size limitations.
      • Query Parameters: While less secure, you can pass the JWT as a query parameter (e.g., https://internal-app.com/resource?token=<token>). Avoid this method if possible due to security risks (e.g., logging, caching).
    3. Secure Storage:
      • If using cookies, set the Secure flag to ensure the cookie is transmitted only over HTTPS connections.
      • Use the SameSite attribute to control when the cookie is sent (e.g., SameSite=Strict or SameSite=Lax).
      • Consider setting an appropriate Max-Age or Expires value for the cookie to limit its validity.
    4. Validation and Authorization:
      • The internal application should validate the JWT’s signature using the public key provided by the B2C tenant.
      • Verify the token’s expiration (exp claim) to prevent the use of expired tokens.
      • Check other claims (e.g., user roles) to authorize access to specific resources.
    5. Token Revocation and Refresh:
      • Implement token revocation mechanisms (e.g., maintain a blacklist of revoked tokens).
      • Consider using refresh tokens alongside short-lived access tokens to minimize the impact of token expiration.
    6. Security Considerations:
      • Avoid storing sensitive data (e.g., passwords) in JWT claims.
      • Keep the token size manageable to prevent performance issues.
      • Regularly rotate keys used for signing JWTs.

    Remember that JWTs are a powerful tool, but their misuse can lead to security vulnerabilities. Always follow best practices and consider your specific use case when implementing JWT-based authentication. Further, to use this in Azure, please also check these:

    https://learn.microsoft.com/en-us/entra/identity-platform/access-tokens

    https://learn.microsoft.com/en-us/azure/api-management/authentication-authorization-overview

    If this solves your question, please tag this as accepted answer, so it may help further community readers.

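The validation step that both answers above describe (pin the algorithm, look the signing key up by kid as the JWKS document would, verify the signature, then check issuer, audience and expiry) as an added example that is not part of the original thread. Assumptions: the internal app is written in Go with only the standard library; `KeySet`, `NewTestKey`, `SignRS256` and `ValidateBearer` are names chosen here; the issuer and audience strings are placeholders; and a throwaway RSA key generated at start-up stands in for the tenant's published JWKS so the example runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// KeySet is a constructed stand-in for the tenant's JWKS (kid -> public key); in
// production it is loaded from the jwks_uri in the OpenID configuration document.
type KeySet map[string]*rsa.PublicKey

var enc = base64.RawURLEncoding // JWT segments are base64url without padding

// NewTestKey makes a throwaway key pair so the example runs offline (constructed input).
func NewTestKey(kid string) (*rsa.PrivateKey, KeySet) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	return priv, KeySet{kid: &priv.PublicKey}
}

// SignRS256 mints a token the way the issuer would; it only exists to build sample input.
func SignRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	sum := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
	return input + "." + enc.EncodeToString(sig)
}

// hasAudience accepts aud as a single string or as an array of strings.
func hasAudience(aud any, want string) bool {
	if s, ok := aud.(string); ok {
		return s == want
	}
	list, _ := aud.([]any)
	for _, a := range list {
		if a == want {
			return true
		}
	}
	return false
}

// ValidateBearer is the middleware core: pin the algorithm, select the key by kid,
// verify the signature over header.payload, and only then trust and check the claims.
func ValidateBearer(authHeader string, keys KeySet, issuer, audience string, now time.Time) (map[string]any, error) {
	const leeway = 30 * time.Second // tolerate small clock skew between B2C and the app
	parts := strings.Split(strings.TrimPrefix(authHeader, "Bearer "), ".")
	if !strings.HasPrefix(authHeader, "Bearer ") || len(parts) != 3 {
		return nil, errors.New("missing or malformed bearer token")
	}
	rawHdr, err := enc.DecodeString(parts[0])
	var hdr struct{ Alg, Kid string }
	if err != nil || json.Unmarshal(rawHdr, &hdr) != nil {
		return nil, errors.New("bad header")
	}
	if hdr.Alg != "RS256" { // rejects alg=none and HS256 key-confusion tokens outright
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, ok := keys[hdr.Kid]
	if !ok { // production: refresh the JWKS once on an unknown kid (key rotation), then fail
		return nil, fmt.Errorf("unknown kid %q", hdr.Kid)
	}
	sig, err := enc.DecodeString(parts[2])
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig) != nil {
		return nil, errors.New("signature verification failed")
	}
	rawBody, err := enc.DecodeString(parts[1])
	var claims map[string]any
	if err != nil || json.Unmarshal(rawBody, &claims) != nil {
		return nil, errors.New("bad payload")
	}
	if claims["iss"] != issuer || !hasAudience(claims["aud"], audience) {
		return nil, errors.New("wrong issuer or audience")
	}
	exp, ok := claims["exp"].(float64)
	if !ok || now.After(time.Unix(int64(exp), 0).Add(leeway)) {
		return nil, errors.New("token expired or missing exp")
	}
	return claims, nil
}

func main() {
	// Assumed values: the B2C policy's issuer URL and the App ID URI the token is issued for.
	iss, aud := "https://contoso.b2clogin.com/tenant-id/v2.0/", "api://internal-app"
	priv, keys := NewTestKey("k1")
	now := time.Now()
	tok := SignRS256(priv, "k1", map[string]any{"iss": iss, "aud": aud, "sub": "user-1", "exp": now.Add(time.Hour).Unix()})
	claims, err := ValidateBearer("Bearer "+tok, keys, iss, aud, now)
	fmt.Println("accepted:", err == nil, "sub:", claims["sub"])
}
```

The order matters: the signature is checked before any claim is read, the `alg` header is compared against the one value the app expects rather than trusted from the token, and an unknown `kid` is an error rather than a fallback to some default key. The issuer string in Azure AD B2C is per tenant and per policy, so read it and the `jwks_uri` from the policy's OpenID configuration document rather than hard-coding it.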
