Questions tagged [jwt]

JSON Web Token (JWT, pronounced "jot") is a type of token-based authentication used in space-constrained environments such as HTTP Authorization headers. Use this tag for questions relating to the configuration, generation and usage of JWTs in your code.

JSON Web Token (JWT, pronounced "jot") is a token format for use in space-constrained environments such as HTTP authorization headers. It is defined in RFC 7519.

JWTs encode security "claims" as JSON objects, and the token can be signed and/or encrypted. JWT is used by the OpenID Connect authentication standard.

More information about JWT and libraries for different languages can be found on the official JWT site.

17340 questions
52
votes
2 answers

What is an opaque token?

And what does it mean that they are in a "proprietary format"? I am reading about JWT refresh tokens and they are opaque tokens, but I don't understand the term.
sloneorzeszki
52
votes
3 answers

How to send a token with an AJAX request from jQuery

I use express-jwt and create my token via jQuery and save it in my localStorage with: $.ajax({ url: "http://localhost:8080/login", type: 'POST', data: formData, error : function(err) { console.log('Error!', err) }, success:…
larz
52
votes
5 answers

Should jwt web token be encrypted?

I was reading an article on the JWT web token as an access token that is being returned to the user. Some of it mentions that the web token should be able to be decoded by the user. Does it mean that it is not a good practice to decrypt the entire web…
vincentsty
51
votes
3 answers

AWS cognito: What's the difference between Access and Identity tokens?

Just reading the docs, they seem very similar to me, so I can't really discern why to use one over the other. Although the identity token seems better since it has custom attributes on it from the user pool (e.g. custom:blah and the default ones like name…
Zombies
50
votes
7 answers

JwtSecurityToken doesn't expire when it should

I am currently using the JwtSecurityToken class in System.IdentityModels.Tokens namespace. I create a token using the following: DateTime expires = DateTime.UtcNow.AddSeconds(10); JwtSecurityTokenHandler handler = new JwtSecurityTokenHandler(); var…
tkd_aj
50
votes
2 answers

Does securing a REST application with a JWT and Basic authentication make sense?

I have a Spring REST application which at first was secured with Basic authentication. Then I added a login controller that creates a JWT JSON Web Token which is used in subsequent requests. Could I move the following code out of the login…
Stephane
49
votes
4 answers

Enable Authorize button in springdoc-openapi-ui for Bearer Token Authentication (JWT)

How to enable the "Authorize" button in springdoc-openapi-ui (OpenAPI 3.0 /swagger-ui.html) for Bearer Token Authentication, for example JWT? What annotations have to be added to Spring @Controller and @Configuration classes?
Eugene Khyst
49
votes
2 answers

JWT and CSRF differences

I've been reading about JWT, and from what I understand, it's a token that the server sends after a user logs in. The user will have to send that token with all future HTTP requests. This creates a stateless way for the server to verify a user's…
Caciano
49
votes
4 answers

How to design a good JWT authentication filter

I am new to JWT. There isn't much information available on the web, so I came here as a last resort. I already developed a Spring Boot application using Spring Security with Spring Session. Now instead of Spring Session we are moving to JWT. I…
arunan
49
votes
2 answers

What is the difference between id_token and access_token in Auth0

In Auth0 you can use refresh tokens. In this link, we can see many returned parameters: lock.showSignin({ authParams: { scope: 'openid offline_access' } }, function (err, profile, id_token, access_token, state, refresh_token) { // store…
Scott Coates
49
votes
1 answer

How can I decode a google OAuth 2.0 JWT (OpenID Connect) in a node app?

I'm having a heck of a time here trying to use google OAuth to authenticate users in my node express app. I can successfully do the OAuth, which returns a response like so: { access_token: 'token string', id_token: 'id.string', expires_in:…
ThePuzzleMaster
48
votes
4 answers

Why isn't the Same-origin policy enough to prevent CSRF attacks?

First of all, I assume a backend that controls inputs to prevent XSS vulnerabilities. In this answer @Les Hazlewood explains how to protect the JWT on the client side. Assuming 100% TLS for all communication - both during and at all times after…
gabrielgiussi
47
votes
13 answers

How to extract token string from Bearer token?

For example, I have the following Bearer JWT in my header; what's an elegant way to extract the token itself? Basically anything after Bearer. Since this could be in other formats, I don't want to assume it always starts with Bearer. I'm using…
ycshao
47
votes
3 answers

How to implement authentication in Next.js

I am new to Next.js and I am struggling with the authentication system using a JWT token. I want to know what the best / standard way is to store the JWT token and handle routing with the authentication system. I have been trying different approaches, from…
46
votes
1 answer

Generate JWT Token in Keycloak and get public key to verify the JWT token on a third party platform

There is an Endpoint to a backend server which gives a JSON response on pinging and is protected by an Apigee Edge Proxy. Currently, this endpoint has no security and we want to implement Bearer only token authentication for all the clients making…
Amit Yadav