1.6.2 JWT Flashcards

1
Q

What does JWT stand for?

A

JWT stands for JSON Web Token.

2
Q

What is the primary purpose of a JWT?

A

The primary purpose of a JWT is to transmit a set of claims between parties as a compact, URL-safe JSON object that is signed (JWS) or encrypted (JWE), so the recipient can verify who issued it and that it was not altered in transit.

3
Q

True or False: JWTs can be encrypted.

A

True. An encrypted JWT (JWE) hides its contents from anyone without the decryption key. A signed-only JWT (JWS) does not: its payload is merely Base64Url-encoded and can be read by anyone who holds the token.

4
Q

What are the three main parts of a JWT?

A

The three main parts of a JWT are the header, the payload, and the signature.

5
Q

Fill in the blank: The header of a JWT typically consists of two parts: the type of the token, which is ______, and the signing algorithm being used, such as HMAC SHA256 or RSA.

A

JWT

6
Q

What information is typically included in the payload of a JWT?

A

The payload typically includes claims, which are statements about an entity (usually the user) and additional metadata.

7
Q

What is a claim in the context of JWT?

A

A claim is a piece of information asserted about a subject, such as user ID or roles.

8
Q

True or False: The signature of a JWT is used to verify the sender of the JWT.

A

True. The signature proves the token was produced by a holder of the signing key (the shared secret for HMAC, the private key for RSA/ECDSA) and has not been modified since; it does not hide the payload.

9
Q

What is the format of a JWT string?

A

A JWT string is formatted as three Base64Url-encoded segments separated by dots (.) in the form header.payload.signature. The signature is computed over the first two encoded segments joined by a dot, so changing a single character of the header or payload invalidates it.

10
Q

What is Base64Url encoding?

A

Base64Url encoding is a variant of Base64 encoding that replaces ‘+’ with ‘-’, ‘/’ with ‘_’, and omits padding characters, so the result is safe to use in URLs and HTTP headers.

11
Q

What is the purpose of the signature in a JWT?

A

The signature ensures that the token has not been altered and verifies that it was produced by a holder of the signing key, i.e. by a trusted issuer. The verifier must decide which algorithm and key to use from its own configuration, not from the token's header.
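The structure described in cards 4, 5, 9, 10 and 11 (Base64Url segments, HMAC-SHA256 signature over header.payload, verification with a pinned algorithm) as an added, stand-alone Python example using only the standard library; it is not code from the original page. The secret and the sample claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed demo secret; a real deployment loads this from a secret store.
DEMO_SECRET = b"constructed-demo-secret-do-not-use"


def b64url_encode(data: bytes) -> str:
    """Base64Url per RFC 7515: '+' -> '-', '/' -> '_', padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding Base64Url omits, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    # Compact separators keep the token short; key order is preserved as given.
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 (alg HS256)."""
    header = {"typ": "JWT", "alg": "HS256"}
    segments = [_json_segment(header), _json_segment(payload)]
    signing_input = ".".join(segments).encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return ".".join(segments + [b64url_encode(signature)])


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the payload if the token is a valid HS256 JWT, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        provided_sig = b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: the verifier's configuration, never the token's
    # header, decides how the signature is checked.
    if header.get("alg") != "HS256":
        return None
    expected_sig = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(expected_sig, provided_sig):
        return None
    return json.loads(b64url_decode(p))


def tamper_demo(secret: bytes = DEMO_SECRET) -> Tuple[Optional[dict], Optional[dict], Optional[dict]]:
    """Issue a token, then show that editing the payload or using the wrong key fails verification."""
    token = sign_hs256({"sub": "user-42", "role": "user"}, secret)
    genuine = verify_hs256(token, secret)
    h, _p, s = token.split(".")
    # Attacker re-encodes the payload with role=admin but cannot re-sign it.
    forged = f"{h}.{_json_segment({'sub': 'user-42', 'role': 'admin'})}.{s}"
    tampered = verify_hs256(forged, secret)
    wrong_key = verify_hs256(token, b"some-other-secret")
    return genuine, tampered, wrong_key


if __name__ == "__main__":
    print(tamper_demo())
```

Because the payload is only encoded, `b64url_decode` on the second segment of any JWS reveals its claims without the key; that is why secrets must never be placed in a signed-only token.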

12
Q

What is an example of a claim type in JWT?

A

Claim types are registered claims defined by the JWT specification (like ‘iss’, ‘sub’, ‘aud’, ‘exp’, ‘iat’), public claims registered in a public registry or using a collision-resistant name (like ‘email’), and private claims agreed between the parties that use the token.

13
Q

Fill in the blank: The ‘exp’ claim in a JWT indicates the ______ of the token.

A

expiration time

14
Q

What does the ‘iat’ claim represent in a JWT?

A

‘iat’ stands for ‘issued at’ and indicates the time at which the token was issued.

15
Q

True or False: JWTs are stateless and do not require server-side storage.

A

True. The verifier needs only the key to check a token, not a session record. The flip side is that the server cannot forget a token it has issued, so revocation before expiry requires adding state back (see the card on invalidation).

16
Q

What is the advantage of using JWTs for authentication?

A

JWTs allow for stateless authentication, scalability, and can be easily used across different domains.

17
Q

What is a potential security risk associated with JWTs?

A

A potential security risk is token theft, where an attacker gains access to a valid token and impersonates the user.

18
Q

How can you mitigate the risk of token theft when using JWTs?

A

Token theft can be mitigated by sending tokens only over HTTPS, keeping access-token lifetimes short via the ‘exp’ claim, storing tokens where page scripts cannot read them (for example HttpOnly cookies), and issuing refresh tokens so short lifetimes do not force frequent re-login.

19
Q

What is a refresh token?

A

A refresh token is a special kind of token used to obtain a new access token without requiring the user to reauthenticate.

20
Q

Fill in the blank: JWTs can be used in ______ authentication flows.

21
Q

What is the difference between symmetric and asymmetric signing algorithms in JWT?

A

Symmetric algorithms (such as HS256) use the same secret key for signing and verification, so every party able to verify a token can also mint one; asymmetric algorithms (such as RS256 or ES256) sign with a private key and verify with a public key, so verifiers can be given only the public key.

22
Q

True or False: JWTs are inherently secure.

A

False; JWTs need to be used with secure practices to ensure their security.

23
Q

What is the purpose of the ‘aud’ claim in a JWT?

A

The ‘aud’ claim identifies the recipients that the JWT is intended for.

24
Q

What is a common use case for JWTs?

A

Common use cases for JWTs include user authentication, information exchange, and API security.

25
Q

What role does the ‘sub’ claim play in a JWT?

A

The ‘sub’ claim identifies the principal that is the subject of the JWT, often the user ID.

26
Q

Fill in the blank: JWTs are often used in ______ applications to enable stateless session management.

27
Q

What is the significance of token expiration in JWT?

A

Token expiration is significant as it limits the time frame in which a token can be used, enhancing security.

28
Q

What is the ‘nbf’ claim in a JWT?

A

‘nbf’ stands for ‘not before’ and indicates the time before which the token must not be accepted for processing.

29
Q

How can JWTs be invalidated before their expiration time?

A

JWTs can be invalidated before expiry by keeping a server-side denylist of revoked tokens (keyed by the ‘jti’ claim and pruned once the token’s ‘exp’ passes), which reintroduces state, or by issuing short-lived access tokens with refresh tokens so that a compromised token is useful only briefly.

30
Q

True or False: JWTs can only be used for user authentication.

A

False; JWTs can also be used for information exchange and authorization.

31
Q

What does the ‘jti’ claim represent in a JWT?

A

‘jti’ stands for ‘JWT ID’ and is used to provide a unique identifier for the token.

32
Q

What is the role of middleware in handling JWTs in web applications?

A

Middleware can be used to intercept requests, validate JWTs, and manage user sessions based on token data.

33
Q

Fill in the blank: The payload of a JWT can contain any ______ data.

34
Q

What is the impact of using long-lived JWTs?

A

Using long-lived JWTs increases the risk of token theft and misuse, as they remain valid for extended periods.

35
Q

What is the recommended practice for storing JWTs in client applications?

A

JWTs should be stored securely, preferably in memory or in HttpOnly cookies that page scripts cannot read. Storage readable by JavaScript (such as localStorage) exposes the token to any script injection on the page, while cookie-based transport needs CSRF protection because the browser attaches the cookie automatically.

36
Q

True or False: JWTs can be used for both authentication and authorization.

37
Q

What is the significance of the ‘iss’ claim in a JWT?

A

The ‘iss’ claim identifies the issuer of the token, which helps in validating the source of the token.
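The claim checks covered by cards 13, 14, 23, 25, 28, 31 and 37 (‘exp’, ‘iat’, ‘aud’, ‘sub’, ‘nbf’, ‘jti’, ‘iss’) together with the ‘jti’ denylist from card 29, as an added Python example that is not code from the original page. It works on an already signature-verified claims dictionary; the issuer, audience, clock-skew leeway and sample claims are assumptions constructed for the demo.

```python
import time
from typing import Dict, Optional

# Assumed tolerance for clock skew between issuer and verifier, in seconds.
LEEWAY = 60


class InvalidToken(Exception):
    """Raised when a claim check fails; the message says which one."""


class Denylist:
    """Revoked token IDs (jti), retained only until the token would expire anyway."""

    def __init__(self) -> None:
        self._entries: Dict[str, int] = {}  # jti -> exp

    def revoke(self, claims: dict) -> None:
        self._entries[claims["jti"]] = int(claims["exp"])

    def is_revoked(self, jti: str, now: int) -> bool:
        # Prune entries whose token has expired: they can no longer validate,
        # so keeping them only grows the state the denylist reintroduces.
        self._entries = {j: e for j, e in self._entries.items() if e + LEEWAY > now}
        return jti in self._entries


def validate_claims(claims: dict, *, issuer: str, audience: str,
                    denylist: Denylist, now: Optional[int] = None) -> dict:
    """Check the registered claims against the verifier's own expectations."""
    now = int(time.time()) if now is None else now
    for required in ("iss", "sub", "aud", "exp", "iat", "jti"):
        if required not in claims:
            raise InvalidToken(f"missing claim: {required}")
    # iss: only tokens from the issuer we trust, compared as an exact string.
    if claims["iss"] != issuer:
        raise InvalidToken("untrusted issuer")
    # aud: may be a single string or a list; our identifier must be present.
    aud = claims["aud"]
    audiences = aud if isinstance(aud, list) else [aud]
    if audience not in audiences:
        raise InvalidToken("token not intended for this audience")
    # exp: reject once the expiry has passed (plus leeway).
    if now >= int(claims["exp"]) + LEEWAY:
        raise InvalidToken("token expired")
    # nbf: optional; reject tokens that are not yet valid.
    if "nbf" in claims and now < int(claims["nbf"]) - LEEWAY:
        raise InvalidToken("token not yet valid")
    # iat: a token claiming to be issued in the future is malformed or forged.
    if int(claims["iat"]) > now + LEEWAY:
        raise InvalidToken("issued in the future")
    # jti: revocation before expiry.
    if denylist.is_revoked(claims["jti"], now):
        raise InvalidToken("token revoked")
    return claims


def check(claims: dict, **kwargs) -> str:
    """Return 'ok' or the reason the claims were rejected."""
    try:
        validate_claims(claims, **kwargs)
        return "ok"
    except InvalidToken as exc:
        return str(exc)


# Constructed sample claims, pinned to a fixed clock so the demo is deterministic.
NOW = 1_700_000_000
SAMPLE_CLAIMS = {
    "iss": "https://issuer.example",
    "sub": "user-42",
    "aud": "api.example",
    "iat": NOW - 10,
    "nbf": NOW - 10,
    "exp": NOW + 300,
    "jti": "token-001",
}
EXPECTED = dict(issuer="https://issuer.example", audience="api.example")


if __name__ == "__main__":
    dl = Denylist()
    print(check(dict(SAMPLE_CLAIMS), denylist=dl, now=NOW, **EXPECTED))
    dl.revoke(SAMPLE_CLAIMS)
    print(check(dict(SAMPLE_CLAIMS), denylist=dl, now=NOW, **EXPECTED))
```

Each check compares a claim against a value the verifier already holds (its issuer URL, its own audience identifier, its clock, its denylist); a token that merely carries plausible-looking claims proves nothing until the signature has been verified first.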