So the main purpose here is to show _a_ way that session-token theft can be mitigated. Clearly, this isn't NSA proof or something you'd use to secure a BL5 containment facility, but to prevent session-jacking; if feels like it could help a lot, and would be pretty quick and easy to roll out if an IDP wanted to implement it.
Hat off, You made it! After reading and skimming Show HN: Device-Bound Session Tokens in JavaScript ( https://news.ycombinator.com/item?id=40052684 ) I had "same" idea to explore PoC, but never done. Thanks!
so I don't fully understand what you're preventing
exports the private key if I have a XSS vuln.The recommendation for IP address in the JWT is good, but I don't understand your last recommendation of 1) sending the JWT, 2) additionally sending the base64 JWT in a header 3) sending the signature in the header. The crypto.subtle api only works on https domains so you're not defending against mitm attacks on unsecure networks either. And if we can't trust TLS what can we trust on the web?