JWT & Stateless Security
Stateless security with JWT, token generation and validation, security filters, refresh tokens
1What is the structure of a JWT (JSON Web Token)?
What is the structure of a JWT (JSON Web Token)?
回答
A JWT consists of three parts separated by dots: Header (algorithm and type), Payload (claims/data), and Signature (integrity verification). Each part is Base64URL encoded. This structure allows secure and verifiable information transmission between two parties.
2Which JWT claim represents the subject (user) of the token?
Which JWT claim represents the subject (user) of the token?
回答
The 'sub' (subject) claim identifies the JWT's subject, typically the authenticated user (e.g., user ID or username). It's a standard claim defined in RFC 7519. Other standard claims include 'iss' (issuer), 'exp' (expiration), 'iat' (issued at), 'aud' (audience), and 'jti' (JWT ID).
3What is the main difference between HMAC and RSA signing algorithms for JWT?
What is the main difference between HMAC and RSA signing algorithms for JWT?
回答
HMAC (e.g., HS256) uses a shared symmetric secret key to sign and verify, while RSA (e.g., RS256) uses an asymmetric key pair (private to sign, public to verify). RSA is preferable when multiple services need to verify tokens without accessing the signing key, as in microservices architectures.
Which JWT claim defines the token expiration date?
How should a client send a JWT in an HTTP REST request?
+17 面接問題