A JSON Web Token (JWT, RFC 7519) is a compact, URL-safe token that carries a set of claims (for example a user's identity) as a JSON object. The claims are normally protected by a signature or MAC (JWS) or by encryption (JWE), so that a relying party such as a service provider can check them with the issuer's key without calling back to the issuer. A verifier must pin the algorithms it accepts rather than trusting the token's own `alg` header, and must check time-based claims such as `exp`.
Questions tagged [jwt]
385 questions
0 votes, 2 answers
How to implement JWT auto-revocation?
I'm working on an API using Node and Express, with a Mongo database. My users can authenticate using a route, and they get a JWT in exchange.
I want to implement a security mechanism to protect said tokens. Namely, I want the tokens to auto-revoke…
Rogue
0 votes, 1 answer
Can JSON web tokens be used to simplify the OAuth2 protocol without compromising security?
I have used JSON web tokens to handle authentication for some hobby websites in the past. For my next site I would like to use OAuth2, to allow my site to be used with other services.
It seems that the OAuth2 authorization_code protocol adds some…
user3125280
0 votes, 2 answers
How does JWT Encryption work?
What is the message flow, or sequence that enables JWT encryption of the payload?
(as opposed to OAuth / OpenID Connect, which doesn't encrypt the payload)
makerofthings7
0 votes, 1 answer
Is this authentication scheme using JWT secure?
I was wondering if you could review this authentication scheme for a web application.
=== Login Page ===
Credentials Verification => Server issues JWT => Stored in a Cookie
JWT contains:
exp: timestamp
uid: UserID
HMAC-SHA512 Signature
Redis…
Peter Bielak
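The auto-revocation question and the login scheme above both need a server-side check on an otherwise stateless token (the Redis lookup in the scheme). The following is an added example, not code from either question or from any answer: a revocation store keyed by the token's jti whose entries expire together with the token, plus a per-user cutoff for invalidating every token at once (password change, compromise). It assumes the signature and exp have already been verified before `isRevoked` is consulted, and that claims carry jti, uid, iat and exp; the in-memory Map stands in for Redis or Mongo, and all names are constructed for illustration.

```javascript
// Added example (not from either question or its answers): server-side revocation for stateless JWTs.
// Assumes claims are signature- and exp-checked first and carry { jti, uid, iat, exp } in seconds.
// The Maps stand in for the Redis/Mongo store mentioned in the questions.
class RevocationStore {
  constructor() {
    // jti -> exp. Once the token would have expired anyway the entry is dead weight and can be purged,
    // so the deny-list never holds more than the number of revoked-but-still-live tokens.
    this.deniedJti = new Map();
    // uid -> cutoff time. Tokens issued at or before the cutoff are invalid; this revokes every token
    // a user holds without the server having to know which ones exist.
    this.userCutoff = new Map();
  }

  // Revoke a single token, e.g. on logout.
  revokeToken(claims) {
    if (typeof claims.jti !== 'string' || typeof claims.exp !== 'number') {
      throw new Error('token has no jti/exp; it cannot be revoked individually');
    }
    this.deniedJti.set(claims.jti, claims.exp);
  }

  // Revoke everything issued to `uid` up to `now`. The user's next login mints a token with a later iat.
  revokeAllForUser(uid, now) {
    this.userCutoff.set(uid, now);
  }

  // Consulted on every request after signature and exp verification.
  isRevoked(claims) {
    if (this.deniedJti.has(claims.jti)) return true;
    const cutoff = this.userCutoff.get(claims.uid);
    return cutoff !== undefined && claims.iat <= cutoff;
  }

  // Drop deny-list entries for tokens that have expired. With Redis this is EXPIREAT on the key
  // instead of a sweep. Returns the number of entries still pending.
  purge(now) {
    for (const [jti, exp] of this.deniedJti) {
      if (exp <= now) this.deniedJti.delete(jti);
    }
    return this.deniedJti.size;
  }
}

// Express-style use: run after the signature/exp middleware has put verified claims on req.
function rejectRevoked(store) {
  return (req, res, next) => {
    if (store.isRevoked(req.claims)) return res.status(401).json({ error: 'token revoked' });
    return next();
  };
}
```

Because every entry carries the token's own exp, the store only ever has to remember tokens that are both revoked and not yet expired; keeping token lifetimes short (minutes, with a refresh flow) keeps that set small and bounds how long a stolen token stays usable if revocation is never triggered.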
0 votes, 1 answer
Username and Password in JSON
I implemented a REST server to enable JWT authentication with support for TLS (with a self-signed certificate).
When I send the credentials to my REST server with a Firefox plugin (RESTClient) and view the HTTP headers with another plugin (Live HTTP…
CipherX
0 votes, 1 answer
Is it safe to generate JWTs using private key?
Currently I'm building a Rails API using ruby-jwt as my access token generator. I chose RS256 (RSA + SHA256) as my algorithm.
ruby-jwt uses the private key to encode payloads, and the public key to decode tokens.
My question is, is this approach…
Aetherus
0 votes, 1 answer
How is using an endpoint for public keys secure?
OpenID Connect has discovery endpoints containing a JWKS endpoint to get public keys to validate identity and access tokens.
So for example:
I have a desktop application which gets an Identity token from the STS
the application gets the jwks_uri…
Kapé
0 votes, 2 answers
Multi-tenancy and microservices API authentication/authorization
I'm seeking advice on how we may be able to implement authentication and authorization for multi-tenancy with a number of slightly different scenarios.
We are building a set of APIs, some of which are internally accessible (within the organization)…
Sash
-1 votes, 1 answer
AES-CBC then SHA vs AES-GCM for encrypting and authenticating a web token
I am trying to have something like JWT but kinda ad hoc and encrypted. The token itself is simply a stringified JSON that contains the user id and a Unix timestamp. Now, I tried to use AES-128-GCM, however I made some simple modifications in the…
pls no
-2 votes, 1 answer
Securing a read-only REST service for mobile access
I am writing a mobile app that uses a read-only REST service that sits behind our company firewall. The actual data supplied by the REST service is not private, but I am concerned about a hacker using it to get behind the firewall. I have found lots…
ponder275