This project aims to study and test the security of the Flask-JWT-Extended Python library. As the name says, it adds JSON Web Token (JWT) support to Flask in order to protect specific views.
It implements a basic application with a single protected route that is responsible for validating the tokens during the test routines. The tests were developed based on known JWT vulnerabilities and best practices.
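As an added illustration of the checks such a protected route has to enforce, the following stand-alone verifier (not code from this project or from Flask-JWT-Extended; standard library only, so it runs without Flask) pins the accepted algorithm, compares signatures in constant time, and validates the time and audience claims in the spirit of the JWT Best Current Practices draft. It then runs constructed good and bad tokens through the verifier and reports why each one is accepted or rejected. The secret, the audience name `test-app`, the claim values and the helper names `mint`, `verify` and `demo` are all assumptions made for this example.

```python
"""Strict HS256 JWT validation following JWT best-practice guidance.
Added example, not code from this project or from Flask-JWT-Extended.
Standard library only; secret and claim values are constructed test data."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

SECRET = b"constructed-test-secret-not-for-production"  # constructed
ALLOWED_ALGS = {"HS256"}          # the server pins the algorithm; the header is untrusted
REQUIRED_CLAIMS = ("exp", "iat", "sub")
EXPECTED_AUD = "test-app"         # assumption: audience of the protected route
LEEWAY = 30                       # seconds of clock-skew tolerance


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(claims: dict, alg: str = "HS256", key: bytes = SECRET) -> str:
    """Build a token for the test cases. 'none' is supported only so the
    verifier can be shown rejecting it; an issuer must never emit it."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify(token: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (accepted, reason); every rejection names the failed check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed: expected three dot-separated segments"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError):
        return False, "malformed: header or payload is not base64url JSON"
    # 1. Algorithm pinning: reject 'none' and anything not on the allowlist
    if header.get("alg") not in ALLOWED_ALGS:
        return False, f"algorithm {header.get('alg')!r} not allowed"
    # 2. Signature check with a constant-time comparison
    expected = hmac.new(SECRET, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        return False, "signature mismatch"
    # 3. Required claims present and the time claims numeric
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        return False, f"missing claims: {missing}"
    if not all(isinstance(claims[c], (int, float)) for c in ("exp", "iat")):
        return False, "exp and iat must be numeric"
    # 4. Time validity with bounded leeway
    if claims["exp"] + LEEWAY < now:
        return False, "token expired"
    if claims.get("nbf", 0) - LEEWAY > now:
        return False, "token not yet valid"
    # 5. Audience must name this service
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUD not in auds:
        return False, "audience mismatch"
    return True, "ok"


def demo() -> dict:
    """Run the verifier over constructed good and bad tokens at a fixed clock."""
    now = 1_700_000_000
    good = {"sub": "alice", "aud": EXPECTED_AUD, "iat": now, "exp": now + 300}
    cases = {
        "valid": mint(good),
        "alg_none": mint(good, alg="none"),
        "wrong_key": mint(good, key=b"other-constructed-key"),
        "expired": mint({**good, "exp": now - 3600}),
        "wrong_aud": mint({**good, "aud": "someone-else"}),
        "tampered": mint(good)[:-4] + "AAAA",   # corrupt the signature segment
    }
    return {name: verify(tok, now=now) for name, tok in cases.items()}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:10s} accepted={ok} ({reason})")
```

Each rejection reason is returned rather than logged so that a test suite can assert on the exact check that fired, which is the same property a test run against the protected route wants: not just a 401, but the right reason for it.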
[RFC7515] Jones, M., Bradley, J. and N. Sakimura, "JSON Web Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May 2015.
[RFC7516] Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)", RFC 7516, DOI 10.17487/RFC7516, May 2015.
[RFC7518] Jones, M., "JSON Web Algorithms (JWA)", RFC 7518, DOI 10.17487/RFC7518, May 2015.
[RFC7519] Jones, M., Bradley, J. and N. Sakimura, "JSON Web Token (JWT)", RFC 7519, DOI 10.17487/RFC7519, May 2015.
[Langkemper] Langkemper, S., "Attacking JWT Authentication", September 2016.
[Sheffer] Sheffer, Y., Hardt, D. and Jones, M. B., "JSON Web Token Best Current Practices", Internet-Draft draft-ietf-oauth-jwt-bcp-04, November 2018.
[Oftedal] Oftedal, E. et al., "REST Security Cheat Sheet", September 2018.
[Peyrott] Peyrott, S., "A Look at The Draft for JWT Best Current Practices", April 2018.