1.6.2 JWT Flashcards
What does JWT stand for?
JWT stands for JSON Web Token.
What is the primary purpose of a JWT?
The primary purpose of a JWT is to transfer claims between parties in a compact, URL-safe JSON form that the recipient can verify (a signed JWT) or that only the intended recipient can read (an encrypted JWT).
True or False: JWTs can be encrypted.
True; an encrypted JWT is a JWE (JSON Web Encryption), as opposed to the more common signed JWT, a JWS (JSON Web Signature).
What are the three main parts of a JWT?
The three main parts of a JWT are the header, the payload, and the signature.
Fill in the blank: The header of a JWT typically consists of two parts: the type of the token, which is ______, and the signing algorithm being used, such as HMAC SHA256 or RSA.
JWT
What information is typically included in the payload of a JWT?
The payload typically includes claims, which are statements about an entity (usually the user) and additional metadata.
What is a claim in the context of JWT?
A claim is a piece of information asserted about a subject, such as user ID or roles.
True or False: The signature of a JWT is used to verify the sender of the JWT.
True; a valid signature shows the token was produced by a holder of the signing key and has not been changed since. It does not prove who is presenting the token, which is why token theft matters.
What is the format of a JWT string?
A JWT string is formatted as three Base64Url-encoded strings separated by dots (.) in the form of header.payload.signature.
What is Base64Url encoding?
Base64Url encoding is a variant of Base64 encoding that replaces '+' with '-' and '/' with '_' and omits the '=' padding characters, so the result can be placed in URLs and HTTP headers without escaping.
What is the purpose of the signature in a JWT?
The signature lets a verifier confirm that the header and payload have not been altered and that the token was produced by a holder of the signing key (the shared secret for HMAC, the private key for RSA or ECDSA).
What is an example of a claim type in JWT?
Examples include registered claims defined by RFC 7519 (such as 'iss', 'sub', 'exp', 'iat'), public claims registered with IANA (such as 'email'), and private claims agreed between the issuer and the consumer.
Fill in the blank: The ‘exp’ claim in a JWT indicates the ______ of the token.
expiration time
What does the ‘iat’ claim represent in a JWT?
‘iat’ stands for ‘issued at’ and indicates the time at which the token was issued.
True or False: JWTs are stateless and do not require server-side storage.
True.
What is the advantage of using JWTs for authentication?
JWTs allow stateless authentication (the server verifies the token instead of looking up a session), which scales horizontally and lets services on different domains trust the same issuer.
What is a potential security risk associated with JWTs?
A potential security risk is token theft, where an attacker gains access to a valid token and impersonates the user.
How can you mitigate the risk of token theft when using JWTs?
Token theft can be mitigated by sending tokens only over HTTPS, keeping access tokens short-lived so a stolen one is useful only briefly, and issuing new access tokens from a refresh token that is stored more carefully and can be revoked at the issuer.
What is a refresh token?
A refresh token is a special kind of token used to obtain a new access token without requiring the user to reauthenticate.
Fill in the blank: JWTs can be used in ______ authentication flows.
OAuth 2.0
What is the difference between symmetric and asymmetric signing algorithms in JWT?
Symmetric algorithms (e.g. HS256) use the same secret key for signing and verification, so every verifier could also mint tokens; asymmetric algorithms (e.g. RS256, ES256) sign with a private key and verify with the public key, so verifiers cannot forge tokens.
True or False: JWTs are inherently secure.
False; a JWT is only as secure as the way it is issued, stored and verified. The verifier must check the signature with a pinned algorithm and key (never letting the header's 'alg' choose the algorithm, and rejecting 'none'), and must validate 'exp', 'nbf', 'iss' and 'aud' before trusting any claim.
What is the purpose of the ‘aud’ claim in a JWT?
The 'aud' claim identifies the recipients the JWT is intended for; a verifier must reject a token whose 'aud' does not include itself, so a token issued for one service cannot be replayed against another.
What is a common use case for JWTs?
Common use cases for JWTs include user authentication, information exchange, and API security.
What role does the ‘sub’ claim play in a JWT?
The ‘sub’ claim identifies the principal that is the subject of the JWT, often the user ID.
Fill in the blank: JWTs are often used in ______ applications to enable stateless session management.
web
What is the significance of token expiration in JWT?
Token expiration is significant as it limits the time frame in which a token can be used, enhancing security.
What is the ‘nbf’ claim in a JWT?
‘nbf’ stands for ‘not before’ and indicates the time before which the token must not be accepted for processing.
How can JWTs be invalidated before their expiration time?
Because the verifier holds no session state, a JWT cannot be invalidated in place; the options are a server-side denylist of revoked token IDs ('jti') consulted on every request, which reintroduces state, or short-lived access tokens paired with refresh tokens that can be revoked at the issuer.
True or False: JWTs can only be used for user authentication.
False; JWTs can also be used for information exchange and authorization.
What does the ‘jti’ claim represent in a JWT?
'jti' stands for 'JWT ID' and is a unique identifier for the token, which enables replay detection and per-token revocation.
What is the role of middleware in handling JWTs in web applications?
Middleware can be used to intercept requests, validate JWTs, and manage user sessions based on token data.
Fill in the blank: The payload of a JWT can contain any ______ data.
JSON
What is the impact of using long-lived JWTs?
Using long-lived JWTs increases the risk of token theft and misuse, as they remain valid for extended periods.
What is the recommended practice for storing JWTs in client applications?
JWTs should be held in memory or in an HttpOnly, Secure cookie (with a SameSite attribute or another CSRF defence, since cookies are sent automatically); localStorage and sessionStorage should be avoided because any script running on the page can read them.
True or False: JWTs can be used for both authentication and authorization.
True.
What is the significance of the ‘iss’ claim in a JWT?
The 'iss' claim identifies the issuer of the token; the verifier compares it against the issuer it expects and uses it to select the matching verification key.
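As an added example, not part of the original flashcards, the following Python (standard library only) ties the cards together: Base64Url encoding, the header.payload.signature format, HS256 signing, and a verifier that pins the algorithm, checks the signature in constant time, and validates 'exp', 'nbf', 'iss', 'aud' and a 'jti' denylist. The secret, issuer, audience and claim values are constructed for the demo and are not from any real system.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret. A real HS256 key is >= 256 bits from a CSPRNG,
# loaded from a secrets store, never a literal in source.
SECRET = b"constructed-demo-secret-do-not-deploy"


class InvalidToken(Exception):
    """Raised for any token the verifier refuses; the message names the reason."""


def b64url_encode(data: bytes) -> str:
    """Base64Url (RFC 7515): '+' -> '-', '/' -> '_', '=' padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode: restore the padding the encoder removed."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    # Compact JSON: the exact bytes matter because they are what gets signed.
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 over 'header.payload'."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: bytes, *, issuer: str, audience: str,
                 revoked_jti: set, now: Optional[float] = None) -> dict:
    """Verify the signature before trusting any claim, then check the claims.

    The algorithm is pinned by the verifier: a header that says 'none' or
    anything other than HS256 is rejected without looking further.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("token must have exactly three segments")
    h64, p64, s64 = parts
    try:
        header = json.loads(b64url_decode(h64))
        signature = b64url_decode(s64)
    except ValueError:  # binascii.Error and JSONDecodeError both subclass it
        raise InvalidToken("malformed header or signature")
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg != "HS256":
        raise InvalidToken("unexpected alg %r" % alg)
    expected = hmac.new(secret, (h64 + "." + p64).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise InvalidToken("bad signature")
    try:
        claims = json.loads(b64url_decode(p64))
    except ValueError:
        raise InvalidToken("malformed payload")
    exp, nbf = claims.get("exp"), claims.get("nbf", 0)
    if not isinstance(exp, (int, float)) or now >= exp:
        raise InvalidToken("expired or missing exp")
    if not isinstance(nbf, (int, float)) or now < nbf:
        raise InvalidToken("not yet valid")
    if claims.get("iss") != issuer:
        raise InvalidToken("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("wrong audience")
    if claims.get("jti") in revoked_jti:  # the denylist is the one piece of server state
        raise InvalidToken("revoked")
    return claims


def demo(now: float = 1_700_000_000.0) -> dict:
    """Sign one token, then run it and five bad variants through the verifier.
    Returns a name -> outcome map ('ok' or the rejection reason)."""
    issuer, audience = "https://issuer.example", "api.example"  # constructed values
    claims = {"iss": issuer, "aud": audience, "sub": "user-42", "jti": "tok-1",
              "iat": int(now), "nbf": int(now), "exp": int(now) + 300, "roles": ["reader"]}
    token = sign_hs256(claims, SECRET)
    h64, p64, s64 = token.split(".")

    def outcome(tok, **overrides):
        args = dict(issuer=issuer, audience=audience, revoked_jti=set(), now=now)
        args.update(overrides)
        try:
            verify_hs256(tok, SECRET, **args)
            return "ok"
        except InvalidToken as err:
            return str(err)

    return {
        "valid": outcome(token),
        # payload edited to escalate roles; the original signature no longer matches
        "tampered": outcome(h64 + "." + _segment(dict(claims, roles=["admin"])) + "." + s64),
        # the classic 'alg: none' token with an empty signature
        "alg_none": outcome(_segment({"alg": "none", "typ": "JWT"}) + "." + p64 + "."),
        "expired": outcome(token, now=now + 301),
        "wrong_aud": outcome(token, audience="other.example"),
        "revoked": outcome(token, revoked_jti={"tok-1"}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} {result}")
```

The order of checks in verify_hs256 is deliberate: nothing in the payload is parsed until the signature has been confirmed with the key and algorithm the verifier chose, so a forged 'alg' or a tampered payload is rejected before any claim is read. In a real service the secret would come from a secrets store and the denylist from a shared cache, but the checks stay the same.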