1.6.2 JWT

Question 1

What does JWT stand for?

Answer 1

JWT stands for JSON Web Token.

Question 2

What is the primary purpose of a JWT?

Answer 2

The primary purpose of a JWT is to securely transmit information between parties as a JSON object.

Question 3

True or False: JWTs can be encrypted.

Answer 3

True.

Question 4

What are the three main parts of a JWT?

Answer 4

The three main parts of a JWT are the header, the payload, and the signature.

Question 5

Fill in the blank: The header of a JWT typically consists of two parts: the type of the token, which is ______, and the signing algorithm being used, such as HMAC SHA256 or RSA.

Answer 5

JWT

Question 6

What information is typically included in the payload of a JWT?

Answer 6

The payload typically includes claims, which are statements about an entity (usually the user) and additional metadata.

Question 7

What is a claim in the context of JWT?

Answer 7

A claim is a piece of information asserted about a subject, such as user ID or roles.

Question 8

True or False: The signature of a JWT is used to verify the sender of the JWT.

Answer 8

True.

Question 9

What is the format of a JWT string?

Answer 9

A JWT string is formatted as three Base64Url-encoded strings separated by dots (.) in the form of header.payload.signature.

Question 10

What is Base64Url encoding?

Answer 10

Base64Url encoding is a variant of Base64 encoding that replaces ‘+’ with ‘-‘, ‘/’ with ‘_’, and omits padding characters.

Question 11

What is the purpose of the signature in a JWT?

Answer 11

The signature ensures that the token has not been altered and verifies that it was issued by a trusted source.

Question 12

What is an example of a claim type in JWT?

Answer 12

Examples of claim types include registered claims (like ‘iat’, ‘exp’) and public claims (like ‘email’).

Question 13

Fill in the blank: The ‘exp’ claim in a JWT indicates the ______ of the token.

Answer 13

expiration time

Question 14

What does the ‘iat’ claim represent in a JWT?

Answer 14

‘iat’ stands for ‘issued at’ and indicates the time at which the token was issued.

Question 15

True or False: JWTs are stateless and do not require server-side storage.

Answer 15

True.

Question 16

What is the advantage of using JWTs for authentication?

Answer 16

JWTs allow for stateless authentication, scalability, and can be easily used across different domains.

Question 17

What is a potential security risk associated with JWTs?

Answer 17

A potential security risk is token theft, where an attacker gains access to a valid token and impersonates the user.

Question 18

How can you mitigate the risk of token theft when using JWTs?

Answer 18

Token theft can be mitigated by using HTTPS, implementing token expiration, and employing refresh tokens.

Question 19

What is a refresh token?

Answer 19

A refresh token is a special kind of token used to obtain a new access token without requiring the user to reauthenticate.

Question 20

Fill in the blank: JWTs can be used in ______ authentication flows.

Answer 20

OAuth 2.0

Question 21

What is the difference between symmetric and asymmetric signing algorithms in JWT?

Answer 21

Symmetric algorithms use the same secret key for signing and verification, while asymmetric algorithms use a public/private key pair.

Question 22

True or False: JWTs are inherently secure.

Answer 22

False; JWTs need to be used with secure practices to ensure their security.

Question 23

What is the purpose of the ‘aud’ claim in a JWT?

Answer 23

The ‘aud’ claim identifies the recipients that the JWT is intended for.

Question 24

What is a common use case for JWTs?

Answer 24

Common use cases for JWTs include user authentication, information exchange, and API security.

Question 25

What role does the 'sub' claim play in a JWT?

Answer 25

The 'sub' claim identifies the principal that is the subject of the JWT, often the user ID.

Question 26

Fill in the blank: JWTs are often used in ______ applications to enable stateless session management.

Answer 26

web

Question 27

What is the significance of token expiration in JWT?

Answer 27

Token expiration is significant as it limits the time frame in which a token can be used, enhancing security.

Question 28

What is the 'nbf' claim in a JWT?

Answer 28

'nbf' stands for 'not before' and indicates the time before which the token must not be accepted for processing.

Question 29

How can JWTs be invalidated before their expiration time?

Answer 29

JWTs can be invalidated by maintaining a blacklist of revoked tokens or using short-lived access tokens with refresh tokens.

Question 30

True or False: JWTs can only be used for user authentication.

Answer 30

False; JWTs can also be used for information exchange and authorization.

Question 31

What does the 'jti' claim represent in a JWT?

Answer 31

'jti' stands for 'JWT ID' and is used to provide a unique identifier for the token.

Question 32

What is the role of middleware in handling JWTs in web applications?

Answer 32

Middleware can be used to intercept requests, validate JWTs, and manage user sessions based on token data.

Question 33

Fill in the blank: The payload of a JWT can contain any ______ data.

Answer 33

JSON

Question 34

What is the impact of using long-lived JWTs?

Answer 34

Using long-lived JWTs increases the risk of token theft and misuse, as they remain valid for extended periods.

Question 35

What is the recommended practice for storing JWTs in client applications?

Answer 35

JWTs should be stored securely, preferably in memory or using secure storage mechanisms like HttpOnly cookies.

Question 36

True or False: JWTs can be used for both authentication and authorization.

Answer 36

True.

Question 37

What is the significance of the 'iss' claim in a JWT?

Answer 37

The 'iss' claim identifies the issuer of the token, which helps in validating the source of the token.