Questions tagged [jwt]
A JSON Web Token (JWT) is a signed token issued by a server to a client. It carries claims (e.g. identity) that a third party, such as a service provider, can validate.
450 questions
3 votes
1 answer
139 views
JWT: why is Issuer important?
I know JWT: Why is Audience important (in fact I give a demonstration in that question). However, I fail to understand why validating Issuer is the standard and can't think of any good scenario ...
1 vote
1 answer
96 views
Passwordless authentication with email OTP
I want to implement a passwordless authentication flow with a code sent by email but I can't find a clear best practice on how to securely implement it on the server side. On the client side, the flow ...
0 votes
2 answers
94 views
Hashed email addresses in database and plain text emails in JWT
I was just wondering what the downsides of the following approach would be: The email address I store is hashed (with a pepper that is db wide). This should (in my theory) better protect users in case ...
2 votes
2 answers
103 views
JWT Token Claim Validation after it has been granted
Scenario: A user logs in to a web application and receives a JWT Token. The Token Service looks up user roles and adds them to the JWT Claims and all necessary signatures to the token. When the ...
3 votes
1 answer
642 views
JWT-bearer grant with JWT assertion vs. client credentials grant with JWT client assertion?
Can anyone please shed some light on the difference between the following two OAuth grant type scenarios? JWT grant with JWT assertion grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer assertion=...
4 votes
1 answer
258 views
OAuth 2.0: Is it possible to replace PKCE with DPoP-like proof-of-possession?
So I'm currently learning about Demonstrating Proof-of-Possession (DPoP) in OAuth after previously learning about Proof Key for Code Exchange (PKCE). One interesting idea I've been thinking about is, is it ...
1 vote
1 answer
61 views
OAuth2 client credentials grant: does authorization server always have to return an opaque access token?
In the OAuth2 client credentials grant, does the authorization server always return an opaque access token? Or could this also be a signed JWT which the client can then use with an API without requiring ...
0 votes
0 answers
90 views
Possible to use Frida to capture secret for jwt signature?
I have used Frida to bypass certificate pinning of an app and was able to capture HTTP traffic. But I notice that the authorization bearer uses JWT with a signature (over a timestamp). So I was ...
1 vote
2 answers
234 views
Doesn't JWT authentication need cookies?
I am a bit confused. Every tutorial I found for the JWT authentication method mentions that the token produced shouldn't be valid for more than 5 minutes. That's why the method should work together with cookies (...
4 votes
1 answer
225 views
What are the downsides of matching by email in SSO logins (e.g. Google, Facebook, Apple, Microsoft)?
Context: I've read somewhere that one should not match by email (e.g. the email given by the Google JWT token) when using SSO (e.g. OpenID Connect) but it's not clear to me why. The recommended ...
1 vote
1 answer
356 views
Why is JWT claim x5t (thumbprint) useful?
If I sign a JWT (as per the JWS spec) with a private key, the receiver of the JWT will want to validate the signature and they need the public key to do that. The public key can be "baked" into the app ...
0 votes
1 answer
103 views
Is it safe to pass Google ID tokens to third-party services for user authentication?
I'm working on an app called AwesomeApp that uses Google Sign-In for user authentication. When users sign in, the app receives a Google ID token. We are integrating with a third-party service, ...
1 vote
1 answer
104 views
Risks in using JWKS URL over OIDC discovery endpoint?
Background: HashiCorp Vault provides an auth method to enable Kubernetes Pods to authenticate to Vault by configuring integration between a Kubernetes cluster and Vault. Question: The docs recommend ...
2 votes
1 answer
502 views
How does JWE secure the Content Encryption Key
I apologise in advance if this is a dumb question. But this seems like one of those straightforward things that are so straightforward that it's not even mentioned and I am not getting it. Perhaps I ...
1 vote
0 answers
25 views
Is it ok to use NativePRNGNonBlocking SecureRandom for making jwt? [duplicate]
I'm developing a JWT auth feature with Spring WebFlux. And I found the blocking calls in the jjwt library by using BlockHound. The reason for the blocking calls was that SecureRandom uses /dev/random to make random ...