1.6.2 JWT Flashcards
What does JWT stand for?
JWT stands for JSON Web Token.
What is the primary purpose of a JWT?
The primary purpose of a JWT is to securely transmit information between parties as a JSON object.
True or False: JWTs can be encrypted.
True.
What are the three main parts of a JWT?
The three main parts of a JWT are the header, the payload, and the signature.
Fill in the blank: The header of a JWT typically consists of two parts: the type of the token, which is ______, and the signing algorithm being used, such as HMAC SHA256 or RSA.
JWT
What information is typically included in the payload of a JWT?
The payload typically includes claims, which are statements about an entity (usually the user) and additional metadata.
What is a claim in the context of JWT?
A claim is a piece of information asserted about a subject, such as user ID or roles.
True or False: The signature of a JWT is used to verify the sender of the JWT.
True.
What is the format of a JWT string?
A JWT string is formatted as three Base64Url-encoded strings separated by dots (.) in the form of header.payload.signature.
What is Base64Url encoding?
Base64Url encoding is a variant of Base64 encoding that replaces ‘+’ with ‘-’, ‘/’ with ‘_’, and omits padding characters.
What is the purpose of the signature in a JWT?
The signature ensures that the token has not been altered and verifies that it was issued by a trusted source.
What is an example of a claim type in JWT?
Examples of claim types include registered claims (like ‘iat’, ‘exp’) and public claims (like ‘email’).
Fill in the blank: The ‘exp’ claim in a JWT indicates the ______ of the token.
expiration time
What does the ‘iat’ claim represent in a JWT?
‘iat’ stands for ‘issued at’ and indicates the time at which the token was issued.
True or False: JWTs are stateless and do not require server-side storage.
True.
What is the advantage of using JWTs for authentication?
JWTs allow for stateless authentication, scalability, and can be easily used across different domains.
What is a potential security risk associated with JWTs?
A potential security risk is token theft, where an attacker gains access to a valid token and impersonates the user.
How can you mitigate the risk of token theft when using JWTs?
Token theft can be mitigated by using HTTPS, implementing token expiration, and employing refresh tokens.
What is a refresh token?
A refresh token is a special kind of token used to obtain a new access token without requiring the user to reauthenticate.
Fill in the blank: JWTs can be used in ______ authentication flows.
OAuth 2.0
What is the difference between symmetric and asymmetric signing algorithms in JWT?
Symmetric algorithms use the same secret key for signing and verification, while asymmetric algorithms use a public/private key pair.
True or False: JWTs are inherently secure.
False; JWTs need to be used with secure practices to ensure their security.
What is the purpose of the ‘aud’ claim in a JWT?
The ‘aud’ claim identifies the recipients that the JWT is intended for.
What is a common use case for JWTs?
Common use cases for JWTs include user authentication, information exchange, and API security.