Discover and read the best of Twitter Threads about #JWT


What is a JSON Web Token, and how does it work for API authentication? 👇
A JSON-based open standard called JSON Web Token (JWT) is used to create access tokens that make a number of claims.

When using JWT authentication, a token is generated, signed by the server, and sent to the client.
The client then provides this token to the server with each subsequent request to demonstrate user authentication.

How the authentication process works:
Read 11 tweets
Let's get our series started in which we make our case against token-based AuthZ.

JWTs are like a key and composed of three parts: a header, a payload, and a signature.
The payload contains information to identify the owner of the token: user ID, email address, etc.

These are called claims and essentially, they can hold whatever info you may need.
The signature is what makes a JWT secure, but JWTs are usually not encrypted.

The information is encoded (not encrypted), which means it can be decoded.

The way to keep JWTs secure is to make sure they are hashed using a secret.
Read 15 tweets
Understand JSON Web Token Authentication in Javascript

Thread 🧵👇
A JSON Web Token, or JWT, is a type of authentication token that is used to identify a user.

It is a JSON object that contains a set of claims, or assertions, about the user.

These claims can be verified by a third party, such as a website or an application.
This information can be verified and trusted because it is digitally signed.

A JWT can also be encrypted so that only the intended recipient can read the contents of the token.
Read 10 tweets
Another new idea for #PenetrationTesting and #Bug-hunting:

Tester:
Enhance the force of #vulnerabilities by doing things like
I discovered a free #URL that leads somewhere else.
Put this in my report and move on?
To the contrary, changing the #payload allowed me to transform it into a reflected #XSS #vulnerability. Is this the final question?
Obviously not if I have any hope of carrying on.
This web app used #JWT tokens that were transmitted in the bearer header, and for some reason, there were three more cookies that also contained this token.
Only two of them were secure with #HTTP Only.
Just a wild guess.
Read 5 tweets
#FE #BE #JWT

So where is the best place to store a JWT?
1.
A JWT (JSON Web Token) is a token for authenticating users in a stateless web environment.

Unlike sessions managed by the server, the token itself is self-contained (it carries authorization information and so on), so it can be managed in the browser and reduce the load on the server.

This comes with pros and cons, which I'll cover in another thread.
2.
When managing an issued JWT in the browser, there are a few management points we can think about.

1) Volatility
- A JWT is usually issued during authentication and then used for authorization. So if it is kept somewhere that is not persistent, you get the UX problem of having to re-issue it every time.
Read 9 tweets
We're thrilled to launch the @veramolabs SDK for cheqd 🥳

cheqd.io/blog/how-weve-…

Our partners are now able to create and manage did:cheqd DIDs more easily, and for the first time on cheqd issue and verify #VerifiableCredentials (VCs) and Verifiable Presentations (VPs).

👇
Having a readily available and transferable set of tools will help speed up adoption!

We knew our partners were eager to know “when will I be able to use the cheqd ledger for identity?” and now we're happy to say “go have a play right now!”. 🔥

👇
Following our research earlier in the year, we explored the development frameworks that our #SSI partners planned to utilise in future. The purpose of it was to determine a suitable toolset for our frens to get building on our network.

👇
Read 11 tweets
๐Ÿ’ก๐–๐ก๐š๐ญ ๐š๐ซ๐ž ๐‰๐–๐“๐ฌ?๐Ÿ’ก

If you work with APIs, you've probably come across JWTs. JWT stands for ๐‰๐’๐Ž๐ ๐–๐ž๐› ๐“๐จ๐ค๐ž๐ง, and it's a JSON document that contains information about a user. We call the properties of a JWT claims.

๐Ÿงต๐Ÿงต๐Ÿงต๐Ÿงต
1/

#API #jwt #auth #WebSecurity
There're two types of JWTs:

๐Ÿ‘‰ ๐ˆ๐ƒ ๐ญ๐จ๐ค๐ž๐ง๐ฌ are tokens carrying user-identifying data like their name and email. You should ๐๐„๐•๐„๐‘ use an ID token to validate access to an API.

๐Ÿ‘‰ ๐€๐œ๐œ๐ž๐ฌ๐ฌ ๐ญ๐จ๐ค๐ž๐ง๐ฌ are tokens with claims about the right to access an API.

2/
We use access tokens to validate access to an API.

A JWT has three components: header, payload, and signature

๐Ÿ‘‡

๐Ÿ”ธ ๐‡๐ž๐š๐๐ž๐ซ: it identifies the document as a JWT and contains metadata, such as the algorithm and the key ID used to sign the token.

3/
Read 7 tweets
The Baden-Württemberg state portal: where developers believe I don't have the time to type out their #JWT from the screenshot in the docs, in a font where l and I look exactly the same. 🙃
Good thing I'm actually too lazy to play around with image editing until I can read the pixelated password. 😂
This is the jurisdiction finder (#Xzufi) of the Baden-Württemberg state administration. Through it, municipalities can "register" #ozg forms and services for their region. So if I have access to the interface, I could create and distribute fake forms.
Read 5 tweets
Do you know what's in a #JWT token?

Here's a quick thread to learn something about this! ๐Ÿ‘‡
A JWT token (JSON Web Token) is just a string with a well-defined format. A sample token might look like this:

```
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJoZWxsbyI6ImZyb20gSldUIn0.XoByFQCJvii_iOTO4xlz23zXmb4yuzC3gqrWNt3EHrg
```
There are 3 parts separated by a `.` (dot) character:

- header: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
- body: eyJoZWxsbyI6ImZyb20gSldUIn0
- signature: XoByFQCJvii_iOTO4xlz23zXmb4yuzC3gqrWNt3EHrg
Read 13 tweets
@patoarchitekci @marekgrabarz @rwitkowski_asc So then, I listened to it on the way to ... Officer, this really is a critical life necessity of mine ... that's all I'll say about going out. Now about the episode.

1/n
@patoarchitekci @marekgrabarz @rwitkowski_asc @marekgrabarz knows the topic so well, and from practice, that I feel a bit awkward that whatever I say will come across as hate :), but I hope it will instead be constructive and to the point.

2/n
@patoarchitekci @marekgrabarz @rwitkowski_asc The main thing (the same happened at #AzuredayPL): what I object to is conveying that #OpenIDConnect is part of #OAuth. It isn't. In general, the episode's topic shouldn't be titled #OAuth and the questions shouldn't have been about that.

3/n
Read 19 tweets
