Bearer Authorization

Intro to JWT

What is a JSON Web Token (JWT)? JSON Web Token (JWT) is a way to securely transmit information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.

When should we use JSON Web Tokens? Authorization: Once a user is logged in, each subsequent request will include the JWT.

Information Exchange: Because JWTs can be signed one can be sure the senders are who they say they are. Because the signature is calculated using the header and the payload, one can also verify that the content hasn’t been tampered with.

Claims are expected in which structural component of a JWT? Claims should be expected in the payload.

Are JWTs Secure?

If I get a JWT and I can decode the payload, how can we call that secure?

If something happens to the payload, i.e. it’s tampered with, then it will be apparent because the payload will reflect that new content.

If sending a JWT, what must sender and receiver both know? Hint, it’s appended in the signature. The secret would have to be known by both parties

Explain how concatenated content and secret can be sent and received securely to a non-technical recruiter.

JWTs Explained

Why use JWT? JWT is a secure way to transmit information. Anyone can use it to transfer information.

JWT is Compact and self-contained. Describe how this is useful to a non-technical friend. It is compact, meaning that it is a small file size, and the informaiton can be contained in the header.

It is self contained: the token itself has the information in it.

What are the three components (the structure) of a JWT signature?

1. Header: JSON object with two fields (algorithm, type of web token)
2. Payload: JSON object with the details, and metadata.
3. Signature: Most important part. Ensures that the data won’t change during transfer, and the secret which will reveal if the payload has been tampered with.