Using JWT with Active Directory authentication in NodeJS backend

Question

I am building an intranet web application consisting of an Angular frontend and a Node.JS backend. The application needs to use the corporate Active Directory for authentication

Answer 1

1) Is it reasonable to combine AD authorization with JWT as bearer token or what is the preferred way to build a secure backend + frontend utilizing AD for authentication?

It is reasonable, but if you are already using Kerberos and AD to initially authenticate the user, you might consider using s4u2proxy constrained delegation which allows the service to present the user's service ticket to the KDC and acquire (subject to authorisation checks) a ticket for a backend service (and repeat for as many services are necessary).

If you have a lot of backend services that need to be contacted, a single JWT bearing all the authorization claims needed for all the services to enforce authorization policy may be a better option.

2) If JWT is a good idea, what is the best practice for securing endpoints using JWT? Is using a server side session reasonable?

General key security practices apply:

• Never store keys in the clear in non-volatile storage, anywhere.
• Ideally do not store encrypted keys in attached storage on the server where, if the server is compromised, they would be subject to offline attack. Make them available to the host only at server startup.
• Ensure key material resides in secure memory so that it cannot be swapped to disk (and/or use encrypted swap).
• Use public key algorithms so that no secret key need exist on multiple hosts.
• Consider using a hardware security module (HSM).