Evaluating the security of RFC 8725: An analysis of JWT Best Practice in JWS
2025 (English) Independent thesis Basic level (degree of Bachelor), 12 credits / 18 HE credits
Student thesis
Abstract [en]
Background: Authentication and authorization are already a large part of the internet and grow larger every year. JWT is a method used to authorize, and sometimes authenticate, clients or developers to a server/application. JWT is very flexible, which makes it widely used but also vulnerable, depending on how the libraries are programmed and how developers implement those libraries. This thesis analyzes and tests the Best Current Practice (BCP) for JWT, published in 2020, against currently known vulnerabilities.
Objectives: The objective of this thesis is to evaluate whether the best practice in the RFC 8725 standard, published in 2020, remains effective in mitigating security vulnerabilities associated with JWS almost five years later. This also leads the thesis to research the currently known vulnerabilities that apply to JWS.
Methods: This research employs a literature review to identify and document the currently known vulnerabilities associated with JWS at the time of writing. Furthermore, a JWT library with JWS functionality was developed in accordance with the specifications outlined in RFC 7519 and RFC 7515. To assess the effectiveness of the RFC 8725 standard, the recommendations of the standard that apply to JWS were implemented in the JWT library and application. Finally, a series of tests was conducted on the JWT library and application using the previously identified vulnerabilities, to evaluate the security and reliability of the RFC 8725 standard.
Results: The results presented in this thesis show 10 different vulnerabilities found through the qualitative approach. The experiments with these vulnerabilities against the BCP show that its effectiveness is partly dependent on the application developer's implementation. The controlled experiments show that in the worst-case scenario 8/10 vulnerabilities still succeed even with the BCP implemented, and in the best-case scenario 3/10 succeed.
Conclusions: The thesis concludes that 10 different vulnerabilities were found that exploit the header parameters, payload claims or signature of a JWS. The BCP for JWT, as applicable to JWS, mitigates between 2/10 and 7/10 of these vulnerabilities depending on the application developer. This shows that the BCP could be made better and stricter, but at the risk of impeding the flexible nature of JWT. The security of the BCP is shown to depend on how applications use and implement it. The discussion mentions some improvements that could be made to the BCP and some future work that could be done on this subject.
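The Methods paragraph describes implementing the RFC 8725 recommendations into a JWS library and then attacking it with known vulnerabilities. As an added example that is not the thesis's library or any code from the thesis, the following Python sketch does the same for HS256 only, using just the standard library: a compact-serialization issuer, a verifier that applies the BCP checks (algorithm pinned to the key, alg=none and remote key references refused, exp/nbf/iss/aud enforced, constant-time MAC comparison, strict base64url parsing), and two attacker-side helpers that produce the kind of header and payload manipulations the conclusions refer to. The key, issuer and audience strings are constructed assumptions.

```python
# Added example (not the thesis's code): HS256 JWS with RFC 8725 verification rules.
import base64
import hashlib
import hmac
import json

B64URL_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")

def b64url_encode(data: bytes) -> str:
    """RFC 7515 base64url: URL-safe alphabet, no '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    """Strict decoder: refuse characters outside the base64url alphabet before padding."""
    if not set(segment) <= B64URL_ALPHABET:
        raise ValueError("invalid base64url character in JWS segment")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def sign_hs256(key: bytes, claims: dict) -> str:
    """Issue a compact-serialization JWS (RFC 7515) over a JWT claims set (RFC 7519)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def verify_jws(token: str, key: bytes, expected_alg: str, issuer: str, audience: str, now: float) -> dict:
    """Return the verified claims or raise ValueError. RFC 8725 rules applied: the key decides
    the algorithm, jku/x5u refused, exp/nbf/iss/aud enforced, MAC compared in constant time."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have exactly three segments")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not a JSON object")
    alg = header.get("alg")
    if alg == "none" or alg != expected_alg:
        raise ValueError(f"algorithm {alg!r} is not permitted for this key")
    if "jku" in header or "x5u" in header:
        raise ValueError("remote key references are not accepted")
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected_mac = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_mac, b64url_decode(parts[2])):
        raise ValueError("signature does not verify")
    claims = json.loads(b64url_decode(parts[1]))
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token has no usable exp or has expired")
    if now < claims.get("nbf", 0):
        raise ValueError("token is not yet valid")
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if not (aud == audience or (isinstance(aud, list) and audience in aud)):
        raise ValueError("token is not intended for this audience")
    return claims

def forge_alg_none(token: str) -> str:
    """Attacker side: rewrite the header to alg=none and drop the signature."""
    parts = token.split(".")
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}, separators=(",", ":")).encode())
    return header + "." + parts[1] + "."

def tamper_payload(token: str, new_claims: dict) -> str:
    """Attacker side: swap the payload but keep the original signature."""
    parts = token.split(".")
    return parts[0] + "." + b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode()) + "." + parts[2]

def demo() -> dict:
    """Exercise the verifier against a valid token and four abused ones (constructed data)."""
    key = b"constructed-demo-key-do-not-use"      # assumption: shared HS256 secret
    iss, aud = "https://issuer.example", "api"    # assumption: hypothetical issuer/audience
    now = 1_700_000_000                           # fixed clock for a deterministic demo
    good = {"iss": iss, "aud": aud, "sub": "alice", "exp": now + 300}
    token = sign_hs256(key, good)

    def rejected(t: str, at: int = now) -> bool:
        try:
            verify_jws(t, key, "HS256", iss, aud, now=at)
        except ValueError:
            return True
        return False

    return {
        "valid_token_accepted": verify_jws(token, key, "HS256", iss, aud, now=now)["sub"] == "alice",
        "alg_none_rejected": rejected(forge_alg_none(token)),
        "tampered_payload_rejected": rejected(tamper_payload(token, dict(good, sub="admin"))),
        "expired_rejected": rejected(token, at=now + 600),
        "wrong_audience_rejected": rejected(sign_hs256(key, dict(good, aud="other-service"))),
    }
```

The verifier is told which algorithm the supplied key is for instead of trusting the token's `alg` header; that single decision is what closes both the `none` attack and the RS256-to-HS256 confusion class, which is why RFC 8725 puts it first. Every other check is a hard reject rather than a warning, so the outcome of `demo()` is all `True` for the constructed inputs.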
Place, publisher, year, edition, pages
2025, p. 50
Keywords [en]
JWT, Best Current Practice, Information Security, Vulnerability Analysis
National Category
Computer Sciences
Identifiers
URN: urn:nbn:se:bth-27708
OAI: oai:DiVA.org:bth-27708
DiVA, id: diva2:1951665
Subject / course
DV1583 Degree Project for Bachelor of Science in Engineering Computer Science
Educational program
Bachelor of Science in Engineering: Computer Security
Supervisors
Examiners
Available from: 2025-05-05 Created: 2025-04-11 Last updated: 2025-05-05 Bibliographically approved