I like one of the answers in this Reddit post.


Allow or deny at entrance

Verify ticket at the entrance

"Imagine you run a theme park with a whole bunch of rides. People pay once at the entrance gate and can go on any rides they want, so you assume that anyone who gets into the park must have paid their way in, so you don't think you need to check if people have paid before they get on the rides."

  • This is the analogy for a traditional VPN: once inside the network perimeter, nothing is re-checked.

Check presence of ticket for every ride

Verify ticket for every ride

"You realise that some people are climbing over the fence and getting on all the rides for free. You decide to issue everyone who comes through the entrance with a ticket, and instruct your ride operators to check that people have tickets before letting them on the ride."

  • This is the analogy for the zero-trust model: every request carries a credential and every service checks for it.

Verify the validity of the tickets


"This works for a while, but soon you realise that people are buying one ticket then climbing over the fence on their subsequent visit, only paying once instead of twice. Even worse, some people bought one ticket and are now giving away photocopies of it for free. To fix this you get your salesperson to write the date when the ticket was issued on the ticket and sign it. You then tell the ride operators to make sure that the ticket is in date and the signature matches. Now you know that a ticket came from your salesperson, and it can only be used once."


Lessons

  • If you don't check your JWTs at all, literally anyone could get data from your API.
  • If you check for the presence of a JWT but don't verify it, people can present whatever JWT they want and get the API to think that they're anyone.
  • Your API is only secure if you verify the JWT (its signature and its expiry) and confirm you trust its issuer before using any claim in it.

This post is also available on DEV.