What is a JWT?
A JWT comprises three base64url-encoded parts separated by dots: a header naming the token type and the signing algorithm (alg), a payload of claims (statements about the subject and about the token itself), and a signature computed over the first two parts, which lets the recipient confirm that the token was produced by the holder of the signing key and has not been altered since. Common claims are issuer (iss), subject (sub), audience (aud), expiration time (exp) and, in Entra ID access tokens, the delegated scopes (scp). Microsoft Entra ID signs its tokens with RSA keys that it rotates on a regular schedule and publishes through its OpenID Connect metadata, so a compromised key has a bounded useful life and relying parties must fetch the current key set rather than pin a single key. The result is a compact, self-contained token that can be passed between parties and validated without a callback to the issuer, which is exactly why the validation itself has to be done carefully.
JWT in Australian tenants today
Australian organisations running Microsoft 365 rely on JWTs for single sign-on (SSO) and for API access, and the same properties that make them convenient need careful handling. A long-lived token widens the window in which a stolen copy is useful, because a bearer token works for whoever presents it until exp passes. A signed token carries no built-in revocation, so it remains valid for its full lifetime unless the relying party participates in Continuous Access Evaluation (CAE), which lets Entra ID push critical events such as account disablement or a password change to CAE-capable services, or pairs short token lifetimes with Conditional Access policies. The 'none' algorithm is part of the standard (an unsecured JWS in RFC 7518), but it means the token carries no signature at all; libraries that honoured it on the verifying side have been the subject of published CVEs, and a verifier should pin the algorithms it accepts and reject everything else. Finally, a JWT kept in browser localStorage is readable by any script running on the page, so a single cross-site scripting (XSS) flaw hands the token to the attacker, a risk the OAIC's guidance on data security highlights.
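Worked example, added here and not taken from the original article or from Microsoft: a minimal token builder and verifier that exercises the structure described above and the pitfalls listed in this section. It uses HS256 with a constructed key so that it runs on the Python standard library; real Entra ID tokens are RS256 and their public keys must be fetched from the tenant's JWKS endpoint, so in production use a maintained library (PyJWT or MSAL) configured with the same checks. DEMO_KEY, ISSUER, AUDIENCE and the zero tenant ID are placeholders. The verifier pins the algorithm, so a forged "alg":"none" token and a tampered payload both fail closed, an expired or mis-addressed token is rejected, and a token issued with a one-year lifetime still verifies weeks later, which is the long-lived-token window in concrete form.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example. Entra ID signs with RS256 using rotating RSA
# keys published at its JWKS endpoint; HS256 with a fixed key is used here only so
# the example runs on the standard library. The tenant ID below is a placeholder.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
ISSUER = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"
AUDIENCE = "api://example-api"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Assemble header.payload.signature. alg='none' emits an unsecured JWS
    (RFC 7518): the signature part is empty, so anyone can mint one."""
    header = {"typ": "JWT", "alg": alg}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_unverified(token: str) -> tuple:
    """Decode the three parts for inspection only. Trust nothing returned here."""
    h, p, s = token.split(".")
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p)), b64url_decode(s)


def verify_jwt(token: str, key: bytes, expected_iss: str, expected_aud: str, now=None) -> dict:
    """Return the claims only if algorithm, signature, iss, aud and exp all check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # The verifier pins the algorithm; the token's own header never chooses it,
    # which is what makes 'none' and algorithm-confusion tricks fail closed.
    if header.get("alg") != "HS256":
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    expected_sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != expected_aud and not (isinstance(aud, list) and expected_aud in aud):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def try_verify(token, key, expected_iss, expected_aud, now=None):
    """(True, claims) when the token is accepted, (False, reason) when it is rejected."""
    try:
        return True, verify_jwt(token, key, expected_iss, expected_aud, now)
    except ValueError as err:
        return False, str(err)


if __name__ == "__main__":
    now = int(time.time())
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": "user-1", "scp": "Files.Read",
              "iat": now, "exp": now + 3600}
    token = make_jwt(claims, DEMO_KEY)
    print("header/payload:", decode_unverified(token)[:2])
    print("genuine:", try_verify(token, DEMO_KEY, ISSUER, AUDIENCE))
    # Attacker forges an unsigned token claiming to be someone else.
    forged = make_jwt(dict(claims, sub="admin"), b"", alg="none")
    print("alg none:", try_verify(forged, DEMO_KEY, ISSUER, AUDIENCE))
    # Attacker keeps the real signature but swaps in a payload with broader scopes.
    h, _, s = token.split(".")
    tampered = ".".join([h, b64url_encode(json.dumps(dict(claims, scp="Files.ReadWrite.All")).encode()), s])
    print("tampered:", try_verify(tampered, DEMO_KEY, ISSUER, AUDIENCE))
```

The `now` parameter exists so lifetime checks can be tested deterministically; in a real service leave it unset and allow a small clock skew. Note that nothing in the verifier can tell whether the user was disabled after the token was issued, which is the revocation gap CAE or short lifetimes have to close.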