Understanding JSON Web Tokens (JWTs) in Web Applications

Questions and Answers

What is the primary purpose of JSON Web Tokens?

To coordinate internet protocol resources

To create custom JavaScript objects

To compress JSON objects for faster transmission

To securely transmit information between two parties (correct)

What is the purpose of a JWT signature?

To create a custom claim type

To verify that the JWT wasn't tampered with or changed (correct)

To verify the user's identity

To store sensitive information

What is the typical structure of a JSON object?

Enclosed in parentheses and may contain one or more key-value pairs

Enclosed in curly braces and may contain one or more key-value pairs (correct)

Enclosed in angle brackets and may contain one or more key-value pairs

Enclosed in square brackets and may contain one or more key-value pairs

What is the secret used in creating a JWT signature?

A symmetric key known by the sender and receiver of the token

What is the main component of a JWT header?

Type and signing algorithm

What is the 'typ' field in a JWT header specifying?

The type of token being created

How is the final JWT created?

Concatenating the encoded header, encoded payload, and signature, separating each with a period

What is the purpose of the 'alg' field in a JWT header?

To specify the signing algorithm

What is the risk of storing a JWT in localStorage?

Cross-Site Scripting attacks

Why are JWTs preferred over alternatives like XML or SAML?

They are easier to parse and process

What type of claims can a JWT payload contain?

Registered claims, public claims, and custom claims

What is the purpose of registering public claims?

To avoid collisions with registered claims

What is an advantage of using JWTs?

They are small and scale well

What is the significance of IANA in the context of JWTs?

It coordinates internet protocol resources

What should not be stored client-side, even if it is encoded?

Sensitive information, like passwords or Social Security Numbers

What is the purpose of a private claim?

To be used between parties that have agreed to use them

How is the JWT sent to the server?

In the Authorization header using the Bearer schema

What happens if the JWT is invalid?

The browser will likely receive an error message

What is the main purpose of the 'alg' field in a JWT header?

To specify the signing algorithm

What is the purpose of registering a public claim?

To avoid collisions with other claims

What is a characteristic of a JWT payload?

It contains claims about an entity

What is the significance of the 'typ' field in a JWT header?

It specifies the token type

What is a characteristic of a JSON object?

It is a slightly stricter version of a JavaScript object

What is the purpose of a JWT?

To compactly and securely transmit information between two parties

What is a type of claim that can be contained in a JWT payload?

Registered claims, public claims, and private claims

What is the purpose of digitally signing a JWT?

To ensure the integrity of the token

What is the main reason to avoid storing JWTs in localStorage?

Because it's vulnerable to Cross-Site Scripting attacks

What is the benefit of using JWTs for information exchange?

They guarantee the sender's identity and data integrity

What is a disadvantage of using a mix of public and private key-pairs with JWTs?

It adds complexity

What happens when a user makes a request to the server with a JWT?

The server verifies the JWT signature and gets user information from the JWT

What is the purpose of using the Bearer schema when sending a JWT to the server?

To specify the authorization method

What is the advantage of JWTs when it comes to mobile devices?

They are smaller and easier to process

What is a characteristic of private claims in JWTs?

They are used between parties that have agreed to use them

What happens if the server determines that a JWT is invalid?

The browser will receive an error message

Why should sensitive information not be stored client-side, even if it is encoded?

Because it's vulnerable to attacks

What is the benefit of using JWTs for authorization?

They are often used for Single Sign-On

Study Notes

JSON Web Tokens (JWTs)

• JSON Web Tokens (JWTs) are self-contained JSON objects that securely transmit information between two parties.
• JWTs are digitally signed using a secret or a public/private key pair.

Components of a JWT

• A JWT is made up of three components: Header, Payload, and Signature.

JWT Header

• The JWT header contains the type of the token and the signing algorithm that will be used.
• The type of the token is always "JWT".
• The signing algorithm might vary, with common algorithms including HMAC-SHA256, RSA with SHA-256, and ECDSA with SHA-256.

JWT Payload

• The JWT payload contains claims about an entity.
• There are three types of claims: Registered Claims, Public Claims, and Private Claims.
• Registered Claims are predefined claim types that anyone can use in a JWT.
• Public Claims are custom claim types that are created by a developer and can be used publicly.
• Private Claims are custom claim types that are not registered or public.

JWT Signature

• The JWT signature is used to verify that the JWT wasn't tampered with or changed.
• The signature is created by taking the encoded header, the encoded payload, a secret, and using the hashing algorithm to create a hash.

Using a JWT

• A JWT is properly stored in a secure location, such as a HTTP-only cookie.
• The user logs in to a website, and their information is sent to the server.
• The server creates a JWT with a secret and returns it to the browser.
• The user makes another request, and the browser sends the JWT back to the server in the Authorization header using the Bearer schema.

Advantages of JWTs

• JWTs are used for authorization and information exchange.
• They are small, scale well, and are easier for mobile devices to process.
• Parsing JSON is easier than some alternatives like XML or SAML.

Disadvantages of JWTs

• A mix of a public and private key-pair adds security, but can also add complexity.
• Sensitive information, like passwords or Social Security Numbers, should not be stored client-side, even if it is encoded.

JSON Web Tokens (JWTs)

• JSON Web Tokens (JWTs) are self-contained JSON objects that securely transmit information between two parties.
• JWTs are digitally signed using a secret or a public/private key pair.

Components of a JWT

• A JWT is made up of three components: Header, Payload, and Signature.

JWT Header

• The JWT header contains the type of the token and the signing algorithm that will be used.
• The type of the token is always "JWT".
• The signing algorithm might vary, with common algorithms including HMAC-SHA256, RSA with SHA-256, and ECDSA with SHA-256.

JWT Payload

• The JWT payload contains claims about an entity.
• There are three types of claims: Registered Claims, Public Claims, and Private Claims.
• Registered Claims are predefined claim types that anyone can use in a JWT.
• Public Claims are custom claim types that are created by a developer and can be used publicly.
• Private Claims are custom claim types that are not registered or public.

JWT Signature

• The JWT signature is used to verify that the JWT wasn't tampered with or changed.
• The signature is created by taking the encoded header, the encoded payload, a secret, and using the hashing algorithm to create a hash.

Using a JWT

• A JWT is properly stored in a secure location, such as a HTTP-only cookie.
• The user logs in to a website, and their information is sent to the server.
• The server creates a JWT with a secret and returns it to the browser.
• The user makes another request, and the browser sends the JWT back to the server in the Authorization header using the Bearer schema.

Advantages of JWTs

• JWTs are used for authorization and information exchange.
• They are small, scale well, and are easier for mobile devices to process.
• Parsing JSON is easier than some alternatives like XML or SAML.

Disadvantages of JWTs

• A mix of a public and private key-pair adds security, but can also add complexity.
• Sensitive information, like passwords or Social Security Numbers, should not be stored client-side, even if it is encoded.

Description

Learn about the components of JSON Web Tokens and how they securely transmit information between parties in a web application.