JSON web tokens Flashcards

Learn about JSON web tokens

1
Q

What is a JSON web token?

A

A JSON web token (JWT) is a small, secure way to share information between two parties, typically between a server and a user's browser, in a safe, verifiable way.

2
Q

What are the three parts of a JSON web token?

A

The three parts of a JSON web token are the header, the payload and the signature.

3
Q

What is contained in the header?

A

The header typically consists of two parts: the type of the token and the signing algorithm being used.

4
Q

What types of signing algorithms can be used?

A

The types of signing algorithms that can be used with JWTs are:
- HMAC
- RSA

5
Q

How does HMAC work?

A

In HMAC the same secret key is used to sign and verify the token.

6
Q

How does RSA work?

A

In RSA the private key signs the token and the public key verifies it; private keys stay secret, while public keys can be safely shared.

7
Q

What does the payload contain?

A

The payload contains the claims, which are statements about the entity and additional data.

8
Q

What are the three types of claims?

A

The three types of claims are:
- Registered claims
- Public claims
- Private claims

9
Q

What are registered claims?

A

Registered claims are a set of predefined claims which are not mandatory but recommended, to provide a set of useful, interoperable claims.

10
Q

What are public claims?

A

Public claims can be defined at will by those using JWTs, but to avoid collisions they should be defined in the IANA JSON web token registry.

11
Q

What are private claims?

A

Private claims are custom claims created to share information between parties that agree on using them and are neither registered nor public claims.

12
Q

How is the signature created?

A

The signature is created by taking the encoded header, the encoded payload and a secret, and signing them with the algorithm specified in the header.

13
Q

What is the signature used for?

A

The signature is used to verify that the message wasn't changed along the way and, in the case of tokens signed with a private key, it can also verify that the sender of the JWT is who it says it is.

14
Q

How is a JWT obtained to access APIs or resources?

A
  1. The application or client requests authorisation from the authorisation server.
  2. When authorisation is granted, the authorisation server returns an access token to the application.
  3. The application uses the access token to access the protected resource.
15
Q

What is JWT validation?

A

JWT validation refers to checking the structure, format and content of a JWT.
- Structure: Ensuring the token has the standard three parts separated by dots.
- Format: Verifying that each part is correctly encoded and that the payload contains the expected claims.
- Content: Checking that the claims within the token are correct, e.g. that the token isn't expired or used before its valid time.

16
Q

What is JWT verification?

A

JWT verification involves confirming the authenticity and integrity of the token.
- Signature verification: The primary part of JWT verification. The signature part of the JWT is checked against the header and the payload using the algorithm specified in the header, with a secret key or a public key.
- Issuer verification: Checking if the iss claim matches the expected issuer.
- Audience check: Check the aud claim matches the expected audience.

17
Q

Why do you validate a JWT?

A

You validate a JWT to make sure that the token makes sense, adheres to the expected standards and contains the right data.

18
Q

Why do you verify a JWT?

A

You verify a JWT to make sure the token hasn’t been altered and comes from a trusted source.