Online Courses
API Authentication

JSON Web Token

Last updated 9 months ago

  • JWT is a format

  • It can be used for many purposes

    • ID Tokens are always JWTs

    • Access tokens can be JWTs

    • Refresh Tokens are "never" JWTs

  • Most often signed (JWS)

  • Can be encrypted (JWE)

Signed - JWS

  • Proves who issued the token

  • The prominent way for JWTs

  • Asymmetric signatures

  • Always whitelist the allowed algorithms

  • Don't rely on the signature alone; verify the contents as well:

    • Audience

    • Issuer

    • Expiration
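The checks above, as an added example that is not part of the course material: a minimal validator for a compact JWS that whitelists the algorithm before trusting the header, verifies the signature, and then still checks issuer, audience and expiry. HS256 with a constructed shared key stands in for the asymmetric key pair the course recommends so the code runs on the Python standard library alone; `DEMO_KEY`, `EXPECTED_ISSUER` and `EXPECTED_AUDIENCE` are placeholders.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values, not from the course. HS256 with a shared key stands in
# for the asymmetric key pair the course recommends (stdlib only; same checks).
DEMO_KEY = b"constructed-demo-key-do-not-reuse"
EXPECTED_ISSUER = "https://idsvr.example"    # placeholder issuer
EXPECTED_AUDIENCE = "https://api.example"    # placeholder API audience
ALLOWED_ALGS = {"HS256"}                     # whitelist; "none" never passes

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jws(claims: dict, key: bytes = DEMO_KEY, alg: str = "HS256") -> str:
    """Build a compact JWS so the validator has realistic input."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def validate_jws(token: str, key: bytes = DEMO_KEY, now: float = None) -> dict:
    """Return the claims if every check passes, else raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # 1. Whitelist the algorithm before looking at the signature: the header
    #    is attacker-controlled, so it must never choose how we verify.
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")
    # 2. Constant-time signature check: proves who issued the token.
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    # 3. A valid signature is not enough: also check iss, aud and exp.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not meant for this API")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    return claims
```

`aud` may be a single string or a list per the JWT spec, so the audience check handles both forms.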

Encrypted - JWE

  • Keeps data confidential

  • Used in OpenID Connect

    • ID Tokens

    • User info responses

  • Not practical for access tokens

  • Opaque tokens are preferred to keep confidentiality

JWTs and Protocols

A JWT is not a protocol.

JWTs can be used in different ways, depending on the protocol.

They should not be used against the protocol's intention.

Example

  • Access tokens are for the API

  • They are issued to the client

  • The client should not decode the access token