JWT Interview Questions

What is JWT (JSON Web Tokens)?

JWT (JSON Web Token) is an open standard, RFC 7519, for a compact, URL-safe token that carries a set of claims as a JSON object. It is most often used to pass identity and authorization information between parties, for example from an authentication server to an API, and is not itself an authorization strategy.

A JWT is a value token: the claims themselves travel inside the token as an encoded JSON object, rather than a reference the server has to look up. The token is signed (a JWS; the rarer encrypted form is a JWE) so that the recipient can detect any modification made after it was issued. Signing does not hide the contents; it only protects their integrity.

Because the claims travel with the token, the server does not need to keep per-client session state, as it would with opaque session identifiers; it only needs the key required to verify the signature.

What is the structure of JWT?

A JWT has three parts separated by dots: the header (algorithm and token type), the payload (the claims) and the signature. The header and payload are JSON objects encoded with base64url (base64 with a URL-safe alphabet and no padding); the signature is the raw signature bytes, also base64url-encoded. Base64url is an encoding, not encryption, so anyone holding the token can decode the header and payload.

How and when does the server create the token?

Once authentication succeeds, the server builds the token. It base64url-encodes the header and the payload, joins them with a dot, and computes a signature over that joined string (not over the payload alone) using the algorithm named in the header. With an HMAC algorithm such as HS256 the signature uses a secret shared between issuer and verifier; with an asymmetric algorithm such as RS256 or ES256 it is produced with the issuer's private key and checked with the matching public key. The server then appends the base64url-encoded signature and returns the token to the client.

How does the server authorize using JWT?

The client stores the token (in a cookie or in browser storage; browser storage is readable by any script on the page, so an HttpOnly cookie is the usual choice where cross-site scripting is a concern) and sends it on each subsequent request, typically in the Authorization header as a Bearer token. The server splits the token on the dots, checks that the header names the algorithm it expects rather than trusting whatever the token says, recomputes or verifies the signature over the header and payload with its key, and then checks the claims, in particular that the exp time has not passed. Only if all of these checks succeed is the request authorized.
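The three questions above describe one procedure: build the token, then verify it on the next request. The following is an added example, not code from the original page, that carries the whole procedure through for HS256 using only the Python standard library. SECRET, the claim values and the fixed clock are constructed for the demonstration; tamper_payload is a helper that builds the kind of modified token a verifier must reject.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-secret-do-not-reuse"  # placeholder key for the example only


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding that b64url_encode stripped, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(claims: dict, secret: bytes) -> str:
    """Build an HS256-signed JWT of the form header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    )
    # The signature covers header AND payload, never the payload alone.
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


class InvalidToken(Exception):
    """Raised for any token the verifier refuses."""


def verify_jwt(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Verify algorithm, signature and expiry; return the claims on success."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected three dot-separated segments")
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        signature = b64url_decode(signature_b64)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        raise InvalidToken("malformed token") from None

    # Pin the algorithm: the token's own header must not decide how it is
    # checked, or a token claiming alg=none (or another key type) could slip past.
    if header.get("alg") != "HS256":
        raise InvalidToken(f"unexpected alg: {header.get('alg')!r}")

    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak how many bytes matched.
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("signature mismatch")

    current = time.time() if now is None else now
    if "exp" in claims and current >= claims["exp"]:
        raise InvalidToken("token expired")
    return claims


def is_valid(token: str, secret: bytes, now: Optional[float] = None) -> bool:
    """Accept/reject wrapper around verify_jwt."""
    try:
        verify_jwt(token, secret, now)
        return True
    except InvalidToken:
        return False


def tamper_payload(token: str, new_claims: dict) -> str:
    """Swap in a different payload while keeping the original signature (constructed attack input)."""
    header_b64, _, signature_b64 = token.split(".")
    payload_b64 = b64url_encode(json.dumps(new_claims, separators=(",", ":")).encode("utf-8"))
    return f"{header_b64}.{payload_b64}.{signature_b64}"


if __name__ == "__main__":
    issued = 1_700_000_000  # fixed clock so the run is reproducible
    claims = {"sub": "user-42", "role": "user", "iat": issued, "exp": issued + 900}
    token = create_jwt(claims, SECRET)
    print(token)
    print(verify_jwt(token, SECRET, now=issued + 60))
    print(is_valid(tamper_payload(token, dict(claims, role="admin")), SECRET, now=issued + 60))
    print(is_valid(token, SECRET, now=issued + 901))
```

Two details matter for the interview answer. The verifier decides the algorithm itself and only then checks the signature, so a token that names a different alg is rejected before any cryptography runs; and the comparison uses hmac.compare_digest rather than ==, so a byte-by-byte mismatch does not take a measurably different time.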

How can we ensure that a JWT token is not misused?

Because the header and payload are only base64url-encoded, anyone who obtains the token can read them, so never put passwords, secrets or other sensitive data in the claims. Always send JWTs over HTTPS so they cannot be read or captured in transit, and give them a short lifetime through the exp claim so that a leaked token is useful for as little time as possible.

JWTs are widely used as access tokens in OAuth 2.0 and OpenID Connect. That does not by itself prevent theft of the token; what limits the damage is issuing short-lived access tokens and using a refresh token, exchanged only with the authorization server, to obtain new ones.

If a token is known to be stolen, the server can place it on a deny list, usually keyed by a unique token identifier (the jti claim), and reject it until its exp time passes. This reintroduces some server-side state, which is part of what JWTs were meant to avoid, so short lifetimes remain the first line of defence and the deny list is the backstop.
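As an added example (not from the original page) of the deny list just described: the list is keyed by jti and each entry is kept only until the token's own exp, because after that the ordinary expiry check rejects the token anyway. The claim dictionaries passed in are assumed to have already passed signature and expiry verification, and the sample jti and exp values are constructed.

```python
import time
from typing import Dict, Optional


class RevocationList:
    """In-memory deny list for stolen tokens, keyed by the jti claim.

    An entry only needs to live until the token's own exp; pruning on exp
    keeps the list bounded by the token lifetime instead of growing forever.
    A persistent deployment would back this with a shared store, but the
    bounding rule is the same.
    """

    def __init__(self) -> None:
        self._revoked: Dict[str, float] = {}  # jti -> exp

    def revoke(self, claims: dict) -> None:
        """Deny an already signature-verified token until its exp passes."""
        if "jti" not in claims or "exp" not in claims:
            # Without a unique id there is nothing to key on, and without a
            # lifetime nothing bounds the entry; such tokens cannot be revoked
            # individually, only by rotating the signing key.
            raise ValueError("token needs both jti and exp to be revocable")
        self._revoked[claims["jti"]] = float(claims["exp"])

    def prune(self, now: Optional[float] = None) -> int:
        """Drop entries whose tokens have expired on their own; return how many."""
        current = time.time() if now is None else now
        stale = [jti for jti, exp in self._revoked.items() if exp <= current]
        for jti in stale:
            del self._revoked[jti]
        return len(stale)

    def is_revoked(self, claims: dict, now: Optional[float] = None) -> bool:
        """Call after signature and exp checks, before granting access."""
        self.prune(now)
        return claims.get("jti") in self._revoked

    def __len__(self) -> int:
        return len(self._revoked)


if __name__ == "__main__":
    issued = 1_700_000_000  # fixed clock so the run is reproducible
    stolen = {"sub": "user-42", "jti": "a1b2c3", "exp": issued + 900}
    deny = RevocationList()
    deny.revoke(stolen)
    print(deny.is_revoked(stolen, now=issued + 60))   # still within lifetime: denied
    print(deny.prune(now=issued + 900), len(deny))    # entry dropped once the token expired
```

The revoke step refuses tokens without jti and exp: an issuer that wants individual revocation must put both claims in every token it mints, otherwise the only remaining remedy is rotating the signing key, which invalidates every token at once.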

References

For more information on JWT, see https://jwt.io/introduction
