Explore foundational concepts of REST API security focusing on OAuth2 authorization, JWT structure, and effective token handling. This quiz assesses your understanding of securing APIs, token validation, and best practices for safe implementation.
Which OAuth2 grant type is typically used when a user wants a third-party application to access their data without revealing their password, such as logging in with an external account?
Explanation: The Authorization Code grant is most commonly used to allow applications to access user data without sharing the user's password, supporting secure exchanges. Resource Owner Password grant involves sharing credentials directly, which is less secure and discouraged for third-party apps. Implicit Grant is less secure as it exposes tokens directly to the client. Device Flow is intended for devices without browsers and is not suitable for regular web logins.
What are the three main parts of a JSON Web Token (JWT) in order?
Explanation: A standard JWT consists of three parts separated by dots: Header, Payload, and Signature. The header contains metadata, the payload holds claims, and the signature provides verification. Other orders presented are incorrect, as switching them would violate the JWT standard. Proper ordering is essential for correct parsing and validation.
Why is it important for access tokens used in REST APIs to have an expiration time?
Explanation: Setting expiration times for tokens minimizes the risk period if they are compromised, reducing possible damage. Network latency is unrelated to token expiration. Secure transmission is achieved through proper channels, not by setting expiration times. Expiration does not affect the actual size of the token.
What is the primary purpose of the 'scope' parameter in OAuth2 tokens?
Explanation: The 'scope' parameter limits a token's permissions to specific actions or resources, enhancing security by reducing unnecessary access. It does not specify signature methods or user agent types, which are defined elsewhere. Token expiration is handled by a different parameter, not by scope.
Which method allows an authorization server to immediately invalidate a token, such as when a user logs out or revokes access?
Explanation: A Token Revocation Endpoint enables clients to ask the server to invalidate tokens, ensuring they can no longer be used once compromised or once the user logs out. Token encryption and signing relate to confidentiality and integrity, not direct invalidation. Token sharing is unrelated and could be insecure if done improperly.
Why is the signature included in a JWT (JSON Web Token)?
Explanation: The signature ensures the contents of the JWT are authentic and unchanged since issuance, supporting data integrity and authenticity. JWTs can store session-like data in the payload, but this is separate from the signature's purpose. URL-friendliness is achieved through token encoding, not signing. Speed depends on implementation, not the presence of a signature.
In the context of REST API requests, what is the correct way to include a Bearer token?
Explanation: Tokens should be placed in the Authorization header using the 'Bearer' prefix to ensure secure and standard handling. Query parameters can expose tokens in logs and URLs, making them vulnerable. A custom header is non-standard and may not be supported. Embedding tokens in the URL path is insecure and discouraged.
Why should refresh tokens be stored securely and never exposed to the frontend in a public-facing application?
Explanation: Refresh tokens grant the ability to get new access tokens silently, so exposing them increases the risk of unauthorized access. Refresh tokens do not always store sensitive user data, as they usually function as opaque credentials. Their size is largely irrelevant for security. Tokens should be sent over secure protocols like HTTPS, not UDP.
In JWTs, what is the purpose of the 'aud' (audience) claim?
Explanation: The 'aud' claim ensures the token is only processed by its intended recipient, protecting against misuse. User information like email is typically in the payload, but not under 'aud'. Public keys are distributed differently and not through 'aud'. Expiration is handled by the 'exp' claim, not 'aud'.
Which token type helps prevent Cross-Site Request Forgery (CSRF) attacks in web applications?
Explanation: CSRF tokens are specifically designed to prevent unauthorized commands transmitted from a user that the web application trusts, blocking CSRF attacks. Refresh tokens and OAuth2 access tokens authenticate users but do not prevent CSRF on their own. The JWT header does not deal with CSRF protection.