API Authentication

Home API Penetration Testing Course Malware Analysis API Authentication SSDLC IS Auditing, Controls and Assurance Cyber Incident Response Security of the Pipeline Security in the Pipeline Container Security Infrastructure as Code

Introduction
API Authentication - a (very) brief introduction
OAuth Actors
OAuth 2.0 Interaction patterns
Tokens
Scopes and Claims
APIs and Gateways
Final Assessment

Powered by GitBook

On this page

Signed - JWS
Encrypted - JWE
JWTs and Protocols
Example

JSON Web Token

PreviousUsing a DPoP Access Token NextSummary

Last updated 3 months ago

JWT is a format
It can be used for many purposes
- ID Tokens are always JWTs
- Access tokens can be JWTs
- Refresh Tokens are "never" JWTs
Most often signed (JWS)
Can be encrypted (JWE)

Signed - JWS

Proves who issued the token
The prominent way for JWTs
Asymmetric signatures
Always whitelist algorithms allowed
Don't rely on signature verify contents as well
- Audience
- Issuer
- Expiration

Encrypted - JWE

Keeps data confidential
Used in OpenID Connect
ID Tokens
User info responses
Not practical for access tokens
Opaque tokens are preferred to keep confidentiality

JWTs and Protocols

A JWT is not a protocol.

They can be used in different ways depending on protocols

They should not be used against the protocol's intention.

Example

Access tokens are for the API
They are issued to the client
The client should bot decode the access token