Questions tagged [jwt]

A JSON Web Token (JWT) is a signed token issued by a server to a client. It carries claims (e.g. identity) that the client can present to a third party, such as a service provider, which validates them by verifying the token's signature.

385 questions
0 votes, 2 answers

How to implement JWT auto-revocation?

I'm working on an API using Node and Express, with a Mongo database. My users can authenticate using a route, and they get a JWT in exchange. I want to implement a security mechanism to protect said tokens. Namely, I want the tokens to auto-revoke…
Rogue
0 votes, 1 answer

Can JSON webtokens be used to simplify the OAuth2 protocol without compromising security?

I have used JSON web tokens to handle authentication for some hobby websites in the past. For my next site I would like to use OAuth2, to allow my site to be used with other services. It seems that the OAuth2 authorization_code protocol adds some…
user3125280
0 votes, 2 answers

How does JWT Encryption work?

What is the message flow, or sequence that enables JWT encryption of the payload? (opposed to OAuth / OpenIDConnect which doesn't encrypt the payload)
makerofthings7
0 votes, 1 answer

Is this authentication scheme using JWT secure?

I was wondering if you could review this authentication scheme for web application. === Login Page === Credentials Verification => Server issues JWT => Stored in a Cookie JWT contains: exp: timestamp uid: UserID HMAC-SHA512 Signature Redis…
Peter Bielak
0 votes, 1 answer

Username and Password in JSON

I implemented a REST server to enable JWT authentication with support for TLS (with a self-signed certificate). When I send the credentials to my REST server with a Firefox plugin (RESTClient) and view the HTTP headers with another plugin (Live HTTP…
CipherX
0 votes, 1 answer

Is it safe to generate JWTs using private key?

Currently I'm building a Rails API using ruby-jwt as my access token generator. I chose RS256 (RSA + SHA256) as my algorithm. ruby-jwt uses the private key to encode payloads, and uses the public key to decode tokens. My question is, is this approach…
Aetherus
0 votes, 1 answer

How is using an endpoint for public keys secure?

OpenID Connect has discovery endpoints containing a JWKS endpoint to get public keys to validate identity and access tokens. So for example: I have a desktop application which gets an identity token from the STS; the application gets the jwks_uri…
Kapé
0 votes, 2 answers

multi tenancy and microservices API authentication/authorization

I'm seeking advice on how we may be able to implement authentication and authorization for multitenancy with a number of slightly different scenarios. We are building a set of APIs, some of which are internally accessible (within the organization)…
Sash
-1 votes, 1 answer

AES-CBC then SHA vs AES-GCM for encrypting and authenticating a web token

I am trying to have something like JWT but kinda ad hoc and encrypted. The token itself is simply a stringified JSON that contains the user id and unix timestamp. Now, I tried to use AES-128-GCM, however I did some simple modification in the…
pls no
-2 votes, 1 answer

Securing a read-only REST service for mobile access

I am writing a mobile app that uses a read-only REST service that sits behind our company firewall. The actual data supplied by the REST service is not private, but I am concerned with a hacker using it to get behind the firewall. I have found lots…
ponder275