
JSON Web Tokens


Last updated 11 months ago

Token features, described along three axes: format (how the token is encoded), purpose (who it is for) and type (how it can be used).

Format (how is it encoded)

  1. By value (the token contains all the details within it, so the receiver can validate it without calling the Authorization Server (AS); it can be signed and/or encrypted; e.g. JWTs, SAML assertions, CWTs, etc.)

  2. By reference (a random string that acts as a reference to a database entry; only the AS can read it)

Purpose (who is it for)

  1. Access token -> Resource Server

  2. Refresh token -> Authorization Server

  3. ID Token (OpenID Connect) -> Client

Type (how can it be used)

  1. Bearer (coin analogy -> if you find one, you don't need to prove that it is yours; you can use it as is)

  2. Proof of Possession (PoP) / Holder of Key (HoK) (credit card analogy -> you need proof of ownership to use them; they are sender-constrained tokens, i.e., bound to a single user)

JSON Web Tokens

  • JWT is a format

  • Can be used for many purposes

    • ID Tokens are always JWTs

    • Access tokens can be JWTs

    • Refresh tokens are (almost) never JWTs

  • Most often are signed (JWS)

  • Can be encrypted (JWE)
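The by-value versus by-reference distinction above, and the "JWT is a format, most often signed (JWS)" bullets, are easiest to see side by side in code. The following is an added example, not code from the original notes or from any library: it mints and validates a signed JWT (HS256 JWS, compact form) the way a resource server would, entirely locally, and contrasts it with an opaque by-reference token that can only be resolved by asking the issuer's store. The key, issuer, audience and claim values are constructed for the demo; `swap_payload` is a hypothetical helper that builds the tampering case, and the reference store stands in for the AS database. Only bearer tokens are covered; the PoP/HoK type is not demonstrated.

```python
# Added example (not from the original page): by-value (signed JWT / JWS)
# versus by-reference token handling, standard library only.
# Key, issuer, audience and claim values are constructed for the demo.
import base64
import hashlib
import hmac
import json
import secrets
import time


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as the JWS compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_b64(obj) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def mint_jws(claims: dict, key: bytes, kid: str = "demo-key") -> str:
    """Authorization server side: sign the claims with HS256 (JWS)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = f"{_json_b64(header)}.{_json_b64(claims)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_jws(token: str, key: bytes, expected_aud: str, now=None):
    """Resource server side: by-value validation with no call back to the AS.

    Returns the claims on success and None on any failure. The algorithm is
    pinned to HS256, so a header claiming "none" or another alg is rejected.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        if header.get("alg") != "HS256":
            return None
        expected_sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected_sig, b64url_decode(s)):
            return None
        claims = json.loads(b64url_decode(p))
    except ValueError:  # bad base64, bad JSON, bad UTF-8
        return None
    now = time.time() if now is None else now
    # Access tokens are meant for the resource server: confirm the token is
    # addressed to us and still valid before trusting anything else in it.
    if claims.get("aud") != expected_aud:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return None
    return claims


def swap_payload(token: str, new_claims: dict) -> str:
    """Constructed tampering case: replace the payload but keep the old signature."""
    h, _, s = token.split(".")
    return f"{h}.{_json_b64(new_claims)}.{s}"


class ReferenceTokenStore:
    """By-reference tokens: a random handle whose meaning lives only in the
    issuer's database, so a receiver must ask the AS (introspection) to read it."""

    def __init__(self):
        self._db = {}

    def issue(self, claims: dict) -> str:
        handle = secrets.token_urlsafe(32)  # opaque: carries no claim data
        self._db[handle] = dict(claims)
        return handle

    def introspect(self, handle: str):
        return self._db.get(handle)


# Constructed demo values (hypothetical issuer, audience and key).
KEY = b"constructed-demo-hmac-key-not-for-production"
NOW = 1_700_000_000
CLAIMS = {"iss": "https://as.example", "sub": "alice",
          "aud": "https://api.example", "exp": NOW + 600, "scope": "read"}


if __name__ == "__main__":
    token = mint_jws(CLAIMS, KEY)
    print("by-value token:", token)
    print("valid:", verify_jws(token, KEY, "https://api.example", NOW))
    forged = swap_payload(token, {**CLAIMS, "sub": "mallory"})
    print("tampered:", verify_jws(forged, KEY, "https://api.example", NOW))
    store = ReferenceTokenStore()
    ref = store.issue(CLAIMS)
    print("by-reference token:", ref, "->", store.introspect(ref))
```

The two halves show why the format matters operationally: the JWS can be checked by any resource server holding the key (or, with an asymmetric alg, the public key) with no round trip, so revocation is only as fast as `exp`; the reference token is useless without the store, so the issuer can revoke it instantly but every receiver has to call home.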