Questions tagged [jwt]

JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties.

70 questions
34 votes, 3 answers

JSON Web Token - why is the payload public?

I can't understand the reasoning for making the claims/payload of a JWT publicly visible after base64 decoding it. Why? It seems like it'd be much more useful to have it encrypted with the secret. Can someone explain why, or in what situation,…
asked by ineedhelp
23 votes, 3 answers

Is it bad practice to store a user's email address in a JWT?

I'm using JWTs for user auth in a web application. I have a user db where each user's unique ID is their email address. To identify the subject of the JWT, I currently have a claim which stores the user's email address in the token. Does that…
asked by Justin Borromeo
20 votes, 1 answer

Difference between 'aud' and 'iss' in jwt

I want to implement a more robust authentication service and jwt is a big part of what I want to do, and I understand how to write the code, but I'm having a little trouble understanding the difference between the reserved iss and aud claims. I…
asked by Adam McGurk
14 votes, 1 answer

Should microservices be users?

We are trying to determine the best way to authorise users in a microservice architecture, while ensuring microservices have limited permissions. Our architecture uses a central authorisation service to handle issuing of JWT tokens. We have the…
asked by awr
12 votes, 3 answers

Should access permissions and roles be included in payload of JWT?

Should information about the permissions and roles of the client be included in JWT? Having such information in JWT token will be very helpful as every time a valid token comes, it would be easier to extract the information about the permission…
asked by Anshul Sahni
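The questions above on why the payload is readable, on what 'iss' and 'aud' mean to the receiver, and on carrying roles in the payload all rest on the same mechanism: the payload is only base64url-encoded, and the signature is what lets a receiver trust it. The following is an added example written for this page, not code from any of the listed questions or their answers. It uses only the Python standard library, and the secret, issuer URL and audience names in it are made up for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: a shared HS256 secret and made-up issuer/audience names.
SECRET = b"demo-shared-secret-do-not-reuse"
ISSUER = "https://auth.example"       # hypothetical issuer URL
AUDIENCE = "orders-api"               # hypothetical audience name


def b64url_encode(data: bytes) -> str:
    # JWT parts are base64url without '=' padding (RFC 7515 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Issue an HS256 token: header.payload.signature, each part base64url."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def read_claims_unverified(token: str) -> dict:
    """What anyone holding the token can see with no key at all: the payload is
    encoded, not encrypted, so nothing secret belongs in it."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, secret: bytes, expected_iss: str, expected_aud: str, now=None) -> dict:
    """Only claims returned by this function may be trusted.
    'iss' is who minted the token; 'aud' is who it was minted for. The receiver
    compares both with values it already knows rather than taking them from the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        # Pin the algorithm the receiver expects instead of dispatching on the token's 'alg'.
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not meant for this audience")
    if (now if now is not None else time.time()) >= claims.get("exp", 0):
        raise ValueError("token expired")
    return claims


def demo(now: int = 1_700_000_000) -> dict:
    """Walk through the three points and report what happened."""
    token = sign_jwt({"iss": ISSUER, "aud": AUDIENCE, "sub": "user-123",
                      "roles": ["reader"], "exp": now + 300}, SECRET)
    public_view = read_claims_unverified(token)            # readable without SECRET
    trusted = verify_jwt(token, SECRET, ISSUER, AUDIENCE, now=now)

    # Forgery attempt: keep the valid signature but edit the roles claim in the payload.
    head, _, sig = token.split(".")
    forged_payload = b64url_encode(json.dumps(dict(public_view, roles=["admin"]),
                                              separators=(",", ":")).encode())
    forged = ".".join([head, forged_payload, sig])
    try:
        verify_jwt(forged, SECRET, ISSUER, AUDIENCE, now=now)
        forgery_rejected = False
    except ValueError:
        forgery_rejected = True

    # Same token presented to a different service: signature is fine, audience is not.
    try:
        verify_jwt(token, SECRET, ISSUER, "billing-api", now=now)
        wrong_audience_rejected = False
    except ValueError:
        wrong_audience_rejected = True

    return {
        "public_roles": public_view["roles"],
        "trusted_sub": trusted["sub"],
        "forgery_rejected": forgery_rejected,
        "wrong_audience_rejected": wrong_audience_rejected,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The forgery step is why roles in the payload are acceptable only on the far side of signature verification: the edited payload is still perfectly readable, but it no longer matches the HMAC, so `verify_jwt` refuses it. The wrong-audience step shows the practical difference between the two reserved claims: the issuer check answers "did my authorization service mint this", the audience check answers "was it minted for me", and a token can pass the first while failing the second.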
12 votes, 2 answers

cookie vs. session vs jwt

I am reading up on authentication/authorization in web applications. Could anybody confirm/correct my current knowledge? Cookies: in their early version, a text file with a unique client Id and all the other information needed about the client (e.…
asked by user3629892
10 votes, 3 answers

API key vs JWT - which authentication to use and when

I have read multiple pages/blog posts on API key vs JWT and still I'm confused when to use one of them. Most recent ones are saying that JWT became a standard for API authentication but then it became confusing for me in a few cases described…
asked by JackTheKnife
7 votes, 3 answers

Is caching Access Tokens on the back end of a Web Application a good idea? (access_token storage best practices)

Let's suppose we have a Web Application that uses an Open Id Connect service provider, the Web Application uses the Authorization Code flow to get access to a different API, and therefore gets an access_token and an id_token at the end of the…
asked by Hamza
6 votes, 1 answer

Client generated JWT

I'm working with a 3rd party company who are providing an API along with an unusual security approach. The security approach is essentially using a JWT by itself (no oauth). What's odd is that they're expecting us (the client) to create the token…
asked by fml
6 votes, 2 answers

Should we store JWTs in database?

While creating/assigning the JWTs to users, should we also store them in our databases? The negatives/cons of storing tokens in database would be, that all the data in the payload of the JWT token is already stored in the database, hence storing the…
asked by Anshul Sahni
6 votes, 3 answers

How do you handle JWT expiration for long running calls?

Currently we are debating over securing our multiple micro-services. The major concern is that the JWT token provided to us will expire before the call is finished. (This is in the synchronous design) Here are three proposals: Client App has an…
5 votes, 3 answers

When to derive user ID from authentication token vs. validate against?

I am using JSON web tokens, but this authentication token can be any token from which a unique user can be derived. I am designing a REST API that allows CRUD operations on resources owned by specific users in our domain. This ownership is…
asked by Mario Ishac
5 votes, 2 answers

Should ID be given in URL if already secured with JWT containing ID?

Say I have the endpoints: /users and /users/ If I wanted to DELETE a user authenticated with a JWT token that contains the user object, should this DELETE handler go under /users or /users/? It makes sense to have it under the /users/
asked by tomhepz
4 votes, 1 answer

How to authorize and store user login from a xamarin frontend to an asp.net core api

So I suppose this question isn't as much of a 'How to' but a 'which way' kind of question. So I have a .net core api backend that makes calls to a DB. I also have a xamarin forms project that connects to the API and gets and posts all info. However…
asked by dros
4 votes, 1 answer

Why is it fine to use a user's ID in their JWT, as opposed to their email/username?

I'm wondering whether it is bad practice to keep a user's ID in a JWT. I'm planning on using the email in the sub, since it's already available to them, and I can use it to identify them, all the same. I can let the DB index it so it's easier to…
asked by yaserso