Understanding JSON Web Tokens (JWTs) in Web Applications

Questions and Answers

What is the primary purpose of JSON Web Tokens?

• To coordinate internet protocol resources
• To create custom JavaScript objects
• To compress JSON objects for faster transmission
• To securely transmit information between two parties (correct)

What is the purpose of a JWT signature?

• To create a custom claim type
• To verify that the JWT wasn't tampered with or changed (correct)
• To verify the user's identity
• To store sensitive information

What is the typical structure of a JSON object?

• Enclosed in parentheses and may contain one or more key-value pairs
• Enclosed in curly braces and may contain one or more key-value pairs (correct)
• Enclosed in angle brackets and may contain one or more key-value pairs
• Enclosed in square brackets and may contain one or more key-value pairs

What is the secret used in creating a JWT signature?

A symmetric key known by the sender and receiver of the token (B)

What is the main component of a JWT header?

Type and signing algorithm (B)

What is the 'typ' field in a JWT header specifying?

The type of token being created (A)

How is the final JWT created?

Concatenating the encoded header, encoded payload, and signature, separating each with a period (D)

What is the purpose of the 'alg' field in a JWT header?

To specify the signing algorithm (B)

What is the risk of storing a JWT in localStorage?

Cross-Site Scripting attacks (A)

Why are JWTs preferred over alternatives like XML or SAML?

They are easier to parse and process (B)

What type of claims can a JWT payload contain?

Registered claims, public claims, and custom claims (D)

What is the purpose of registering public claims?

To avoid collisions with registered claims (C)

What is an advantage of using JWTs?

They are small and scale well (D)

What is the significance of IANA in the context of JWTs?

It coordinates internet protocol resources (A)

What should not be stored client-side, even if it is encoded?

Sensitive information, like passwords or Social Security Numbers (D)

What is the purpose of a private claim?

To be used between parties that have agreed to use them (D)

How is the JWT sent to the server?

In the Authorization header using the Bearer schema (B)

What happens if the JWT is invalid?

The browser will likely receive an error message (B)

What is the main purpose of the 'alg' field in a JWT header?

To specify the signing algorithm (B)

What is the purpose of registering a public claim?

To avoid collisions with other claims (B)

What is a characteristic of a JWT payload?

It contains claims about an entity (D)

What is the significance of the 'typ' field in a JWT header?

It specifies the token type (D)

What is a characteristic of a JSON object?

It is a slightly stricter version of a JavaScript object (D)

What is the purpose of a JWT?

To compactly and securely transmit information between two parties (C)

What is a type of claim that can be contained in a JWT payload?

Registered claims, public claims, and private claims (C)

What is the purpose of digitally signing a JWT?

To ensure the integrity of the token (D)

What is the main reason to avoid storing JWTs in localStorage?

Because it's vulnerable to Cross-Site Scripting attacks (A)

What is the benefit of using JWTs for information exchange?

They guarantee the sender's identity and data integrity (A)

What is a disadvantage of using a mix of public and private key-pairs with JWTs?

It adds complexity (C)

What happens when a user makes a request to the server with a JWT?

The server verifies the JWT signature and gets user information from the JWT (D)

What is the purpose of using the Bearer schema when sending a JWT to the server?

To specify the authorization method (D)

What is the advantage of JWTs when it comes to mobile devices?

They are smaller and easier to process (B)

What is a characteristic of private claims in JWTs?

They are used between parties that have agreed to use them (C)

What happens if the server determines that a JWT is invalid?

The browser will receive an error message (A)

Why should sensitive information not be stored client-side, even if it is encoded?

Because it's vulnerable to attacks (C)

What is the benefit of using JWTs for authorization?

They are often used for Single Sign-On (D)

Flashcards are hidden until you start studying

Study Notes

JSON Web Tokens (JWTs)

• JSON Web Tokens (JWTs) are self-contained JSON objects that securely transmit information between two parties.
• JWTs are digitally signed using a secret or a public/private key pair.

Components of a JWT

• A JWT is made up of three components: Header, Payload, and Signature.

JWT Header

• The JWT header contains the type of the token and the signing algorithm that will be used.
• The type of the token is always "JWT".
• The signing algorithm might vary, with common algorithms including HMAC-SHA256, RSA with SHA-256, and ECDSA with SHA-256.

JWT Payload

• The JWT payload contains claims about an entity.
• There are three types of claims: Registered Claims, Public Claims, and Private Claims.
• Registered Claims are predefined claim types that anyone can use in a JWT.
• Public Claims are custom claim types that are created by a developer and can be used publicly.
• Private Claims are custom claim types that are not registered or public.

JWT Signature

• The JWT signature is used to verify that the JWT wasn't tampered with or changed.
• The signature is created by taking the encoded header, the encoded payload, a secret, and using the hashing algorithm to create a hash.

Using a JWT

• A JWT is properly stored in a secure location, such as a HTTP-only cookie.
• The user logs in to a website, and their information is sent to the server.
• The server creates a JWT with a secret and returns it to the browser.
• The user makes another request, and the browser sends the JWT back to the server in the Authorization header using the Bearer schema.

Advantages of JWTs

• JWTs are used for authorization and information exchange.
• They are small, scale well, and are easier for mobile devices to process.
• Parsing JSON is easier than some alternatives like XML or SAML.

Disadvantages of JWTs

• A mix of a public and private key-pair adds security, but can also add complexity.
• Sensitive information, like passwords or Social Security Numbers, should not be stored client-side, even if it is encoded.

JSON Web Tokens (JWTs)

• JSON Web Tokens (JWTs) are self-contained JSON objects that securely transmit information between two parties.
• JWTs are digitally signed using a secret or a public/private key pair.

Components of a JWT

• A JWT is made up of three components: Header, Payload, and Signature.

JWT Header

• The JWT header contains the type of the token and the signing algorithm that will be used.
• The type of the token is always "JWT".
• The signing algorithm might vary, with common algorithms including HMAC-SHA256, RSA with SHA-256, and ECDSA with SHA-256.

JWT Payload

• The JWT payload contains claims about an entity.
• There are three types of claims: Registered Claims, Public Claims, and Private Claims.
• Registered Claims are predefined claim types that anyone can use in a JWT.
• Public Claims are custom claim types that are created by a developer and can be used publicly.
• Private Claims are custom claim types that are not registered or public.

JWT Signature

• The JWT signature is used to verify that the JWT wasn't tampered with or changed.
• The signature is created by taking the encoded header, the encoded payload, a secret, and using the hashing algorithm to create a hash.

Using a JWT

• A JWT is properly stored in a secure location, such as a HTTP-only cookie.
• The user logs in to a website, and their information is sent to the server.
• The server creates a JWT with a secret and returns it to the browser.
• The user makes another request, and the browser sends the JWT back to the server in the Authorization header using the Bearer schema.

Advantages of JWTs

• JWTs are used for authorization and information exchange.
• They are small, scale well, and are easier for mobile devices to process.
• Parsing JSON is easier than some alternatives like XML or SAML.

Disadvantages of JWTs

• A mix of a public and private key-pair adds security, but can also add complexity.
• Sensitive information, like passwords or Social Security Numbers, should not be stored client-side, even if it is encoded.