Questions tagged [jwt]

JSON Web Token (JWT, pronounced "jot") is a type of token-based authentication used in space-constrained environments such as HTTP Authorization headers. Use this tag for questions relating to the configuration, generation and usage of JWTs in your code.

JSON Web Token (JWT, pronounced "jot") is a token format for use in space-constrained environments such as HTTP authorization headers. It is defined in RFC 7519.

JWTs encode security "claims" as JSON objects, and the token can be signed and/or encrypted. JWT is used by the OpenID Connect authentication standard.

More information about JWT and libraries for different languages can be found on the official JWT site.

17340 questions
31
votes
4 answers

How to verify firebase ID token with PHP(JWT)?

I have a shared hosting plan which has only PHP (no Java, no node.js). I need to send a firebase ID token from my android app and verify it by PHP-JWT. I am following the tutorial: Verify Firebase ID tokens. It says: If your backend is in a language…
Eren
  • 2,583
  • 2
  • 31
  • 36
31
votes
2 answers

What's the best practice to renew a token for a WebSocket connection

This might be opinion based, but I still wonder whether there is a best practice, since I'm almost clueless about websocket practices. I have a SPA that gets a JWT token from my own OP. It then uses that JWT to connect to other services I own using both REST…
mati.o
  • 1,398
  • 1
  • 13
  • 23
31
votes
7 answers

Validate Google Id Token

I'm using ASP.NET Core to serve an API to an Android client. Android signs in as a Google account and passes a JWT, the ID Token, to API as a bearer token. I have the app working, it does pass the auth checks, but I don't think it's validating the…
Darthg8r
  • 12,377
  • 15
  • 63
  • 100
31
votes
4 answers

How to encrypt JWT security token?

I need to secure my web-token with signing and encryption. I wrote the next lines of code: var tokenHandler = new JwtSecurityTokenHandler(); var tokenDescriptor = new SecurityTokenDescriptor { Subject = new ClaimsIdentity(new[] { …
Qué Padre
  • 2,005
  • 3
  • 24
  • 39
30
votes
7 answers

Payload error in jsonwebtoken

I am making a web application using nodejs and angular cli. I'm using JWT to authenticate my login function. But when I process it, it threw this error: Error: Expected "payload" to be a plain object. at validate…
every Bit
  • 399
  • 1
  • 4
  • 18
30
votes
1 answer

What to store in a JWT?

How do you guys deal with the same user on multiple devices? Won't data such as {admin: true} become stale except for the device that changed it? Should this even be in a JWT? If not, and we resort to only putting the user ID, won't that be just…
user1164937
  • 1,979
  • 2
  • 21
  • 29
30
votes
3 answers

JWT Keys - Asymmetric and Symmetric

I understand the difference between symmetric and asymmetric keys. I understand that the keys are used to calculate the signature and then verify them. However diving a little deeper, I'd like to understand a bit more which I'm having trouble…
n00b
  • 5,843
  • 11
  • 52
  • 82
30
votes
3 answers

Roles using JWT

I am new to JWT. I studied a bit about JWT and understood that it is framed as "header.claims.signature". Consider a simple scenario as follows: A customer gets authenticated Customer may have (one or more) roles of admin, member, registered,…
user203687
  • 6,875
  • 12
  • 53
  • 85
30
votes
4 answers

Oauth2 Implicit Flow with single-page-app refreshing access tokens

I am using Thinktecture AuthorizationServer (AS) and it is working great. I would like to write a native javascript single page app which can call a WebAPI directly, however implicit flow does not provide a refresh token. If an AJAX call is made, if…
morleyc
  • 2,169
  • 10
  • 48
  • 108
29
votes
12 answers

IDX20803: Unable to obtain configuration from

I know this question has been answered, but I don't understand what people exactly do (about certificates, ssl) and they all use a localhost but not me. I used this sample as my example OpenIdConnect I'm using: A web app A web API Both are using…
Emy Blacksmith
  • 755
  • 1
  • 8
  • 27
29
votes
1 answer

.NetCore JwtBearerAuthentication not rejecting expired tokens

I am generating JWTs to use with my WebApi project. I've set the token to expire in one minute so that I can test whether it rejects the token when submitted after the expiration date. CreateToken Controller public async Task
Dblock247
  • 6,167
  • 10
  • 44
  • 66
29
votes
2 answers

Recommended best practice for role claims as permissions

The app I am working on is a SPA and we are using JWT Bearer authentication and OpenIdConnect/OAuth2 when communicating with our backend API which uses .NETCore and ASP.NET Identity. Our API endpoints are secured using Custom Policy based…
Pacificoder
  • 1,581
  • 4
  • 18
  • 32
29
votes
3 answers

How to verify JWT signature with JWK in Go?

I have been searching for an example I can understand of how to validate the signature of a JWT with the Go Language. This might be especially tricky since I am using Okta, and it uses JWKs, so it is not especially straight forward. When I receive a…
user3888307
  • 2,825
  • 5
  • 22
  • 32
29
votes
4 answers

How to authenticate a POST request from a chrome extension to my app with JSON web tokens?

Context My HapiJS web application is currently using OAuth 2.0 to access Google APIs. Once a user authenticates in the app, the server generates a JSON Web Token (JWT) which is stored on the client and sent back in the Authorization header of…
Anita
  • 2,741
  • 27
  • 28
29
votes
1 answer

Decoding JWT tokens without the secret

I created a token with the private key by JWT, but when I try to decode it on http://kjur.github.io/jsjws/tool_jwt.html, I found that the token can be decoded without any key given. So is it correct that the JWT token is just a signing? How to…
user440446
  • 417
  • 1
  • 5
  • 11