Understanding JSON Web Tokens (JWTs) in Web Applications

EasiestMimosa
36 Questions

What is the primary purpose of JSON Web Tokens?

To securely transmit information between two parties

What is the purpose of a JWT signature?

To verify that the JWT wasn't tampered with or changed

What is the typical structure of a JSON object?

Enclosed in curly braces and may contain one or more key-value pairs

What is the secret used in creating a JWT signature?

A symmetric key known by the sender and receiver of the token

What is the main component of a JWT header?

Type and signing algorithm

What does the 'typ' field in a JWT header specify?

The type of token being created

How is the final JWT created?

Concatenating the encoded header, encoded payload, and signature, separating each with a period

What is the purpose of the 'alg' field in a JWT header?

To specify the signing algorithm

What is the risk of storing a JWT in localStorage?

Cross-Site Scripting attacks

Why are JWTs preferred over alternatives like XML or SAML?

They are easier to parse and process

What type of claims can a JWT payload contain?

Registered claims, public claims, and custom claims

What is the purpose of registering public claims?

To avoid collisions with registered claims

What is an advantage of using JWTs?

They are small and scale well

What is the significance of IANA in the context of JWTs?

It coordinates internet protocol resources

What should not be stored client-side, even if it is encoded?

Sensitive information, like passwords or Social Security Numbers

What is the purpose of a private claim?

To be used between parties that have agreed to use them

How is the JWT sent to the server?

In the Authorization header using the Bearer schema

What happens if the JWT is invalid?

The browser will likely receive an error message

What is the main purpose of the 'alg' field in a JWT header?

To specify the signing algorithm

What is the purpose of registering a public claim?

To avoid collisions with other claims

What is a characteristic of a JWT payload?

It contains claims about an entity

What is the significance of the 'typ' field in a JWT header?

It specifies the token type

What is a characteristic of a JSON object?

It is a slightly stricter version of a JavaScript object

What is the purpose of a JWT?

To compactly and securely transmit information between two parties

What is a type of claim that can be contained in a JWT payload?

Registered claims, public claims, and private claims

What is the purpose of digitally signing a JWT?

To ensure the integrity of the token

What is the main reason to avoid storing JWTs in localStorage?

Because it's vulnerable to Cross-Site Scripting attacks

What is the benefit of using JWTs for information exchange?

They guarantee the sender's identity and data integrity

What is a disadvantage of using a mix of public and private key-pairs with JWTs?

It adds complexity

What happens when a user makes a request to the server with a JWT?

The server verifies the JWT signature and gets user information from the JWT

What is the purpose of using the Bearer schema when sending a JWT to the server?

To specify the authorization method

What is the advantage of JWTs when it comes to mobile devices?

They are smaller and easier to process

What is a characteristic of private claims in JWTs?

They are used between parties that have agreed to use them

What happens if the server determines that a JWT is invalid?

The browser will receive an error message

Why should sensitive information not be stored client-side, even if it is encoded?

Because it's vulnerable to attacks

What is the benefit of using JWTs for authorization?

They are often used for Single Sign-On

Study Notes

JSON Web Tokens (JWTs)

  • JSON Web Tokens (JWTs) are self-contained JSON objects that securely transmit information between two parties.
  • JWTs are digitally signed using a secret or a public/private key pair.

Components of a JWT

  • A JWT is made up of three components: Header, Payload, and Signature.

JWT Header

  • The JWT header contains the type of the token and the signing algorithm that will be used.
  • The type of the token is always "JWT".
  • The signing algorithm might vary, with common algorithms including HMAC-SHA256, RSA with SHA-256, and ECDSA with SHA-256.

JWT Payload

  • The JWT payload contains claims about an entity.
  • There are three types of claims: Registered Claims, Public Claims, and Private Claims.
  • Registered Claims are predefined claim types that anyone can use in a JWT.
  • Public Claims are custom claim types that are created by a developer and can be used publicly.
  • Private Claims are custom claim types that are not registered or public.

JWT Signature

  • The JWT signature is used to verify that the JWT wasn't tampered with or changed.
  • The signature is created by taking the encoded header, the encoded payload, and a secret, and running them through the hashing algorithm named in the header to produce a hash.

Using a JWT

  • A JWT should be stored in a secure location, such as an HTTP-only cookie.
  • The user logs in to a website, and their information is sent to the server.
  • The server creates a JWT with a secret and returns it to the browser.
  • The user makes another request, and the browser sends the JWT back to the server in the Authorization header using the Bearer schema.

Advantages of JWTs

  • JWTs are used for authorization and information exchange.
  • They are small, scale well, and are easier for mobile devices to process.
  • Parsing JSON is easier than some alternatives like XML or SAML.

Disadvantages of JWTs

  • A mix of a public and private key-pair adds security, but can also add complexity.
  • Sensitive information, like passwords or Social Security Numbers, should not be stored client-side, even if it is encoded.

Learn about the components of JSON Web Tokens and how they securely transmit information between parties in a web application.