Test your understanding of common authentication flows using JSON Web Tokens (JWT). This quiz covers the basics of JWT structure, secure storage, validation processes, and token expiration best practices to help reinforce core concepts of modern authentication.
Which part of a JWT contains the token's claims, such as user information and permissions?
Explanation: The payload of a JWT holds the claims about the user or the data being transferred. The header contains metadata about the token (the signing algorithm and token type), while the signature is used to verify the token's integrity. There is no 'footer' section in a JWT. Note that the payload is only base64url-encoded, not encrypted, so anyone who holds the token can read the claims; secrets must never be placed there.
Why is it important to validate the signature of a JWT before trusting its claims?
Explanation: Validating the JWT signature ensures that the header and payload have not been altered since the issuer signed them and that the token was produced by a holder of the signing key. The signature does not make the token shorter; it adds a third segment. It also does not encrypt the token: a signed JWT (JWS) is only base64url-encoded, so confidentiality requires TLS in transit or an encrypted JWT (JWE). Signature validation never adds extra claims.
Which storage location is recommended for storing JWTs in a web browser to help defend against cross-site scripting (XSS) attacks?
Explanation: Cookies flagged HttpOnly cannot be read by client-side scripts, so an XSS payload cannot exfiltrate the token. In contrast, local storage and session storage are fully readable from JavaScript, and IndexedDB likewise allows script read access, so none of them is a safe place for a bearer token. Two caveats apply to the cookie option: set Secure and SameSite as well and add CSRF protection, because the browser attaches cookies automatically; and remember that HttpOnly does not stop an injected script from making authenticated requests from the victim's browser, it only stops the script from stealing the token itself.
What is the typical purpose of the 'exp' claim in a JWT?
Explanation: The 'exp' (expiration) claim is a NumericDate, the number of seconds since the Unix epoch, after which the token must not be accepted; validators commonly allow a few seconds of leeway for clock skew between hosts. It does not specify the signing algorithm or encryption; the algorithm is named in the header. Users' permissions are usually carried in the payload as custom claims, not in the 'exp' field.
If a JWT has expired, which authentication flow is typically used to obtain a new token without asking the user to log in again?
Explanation: The refresh token flow allows an application to obtain a new access token without user intervention by presenting a separate, longer-lived refresh token to the authorization server. Refresh tokens should be stored hashed on the server and rotated on each use so that a stolen one can be detected. The implicit grant flow is unrelated to token renewal. Single sign-on is about using one login for multiple applications. Token hashing is a method for securing stored tokens, not for refreshing them.
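The refresh flow described above, as an added example that is not part of the original quiz: a minimal authorization server in Python (standard library only) that issues short-lived access-token claims together with an opaque refresh token, stores only a SHA-256 hash of the refresh token, rotates it on every use, and revokes the whole token family when a rotated token is replayed. The lifetimes, the `AuthServer` class and the family-revocation policy are assumptions for the demo; signing the access claims into an actual JWT is left to the issuer's JWT library.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Assumed lifetimes (not from the original page): a short-lived access token
# and a long-lived refresh token, both in seconds.
ACCESS_TTL = 300
REFRESH_TTL = 30 * 24 * 3600


class AuthError(Exception):
    """Raised with the reason a refresh attempt was rejected."""


def hash_token(token: str) -> str:
    # Only the hash is stored; a dumped table cannot be replayed as refresh tokens.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


@dataclass
class RefreshRecord:
    subject: str
    family: str         # every token descended from one login shares a family id
    expires_at: int
    used: bool = False  # set once this token has been rotated


class AuthServer:
    """Hypothetical issuer: access-token claims plus a single-use refresh token."""

    def __init__(self) -> None:
        self.refresh_store: Dict[str, RefreshRecord] = {}
        self.revoked_families: Set[str] = set()

    def _issue_pair(self, subject: str, family: str, now: int) -> Tuple[dict, str]:
        # Claims of the access JWT; a real issuer signs these with its JWT library.
        access_claims = {"sub": subject, "iat": now, "exp": now + ACCESS_TTL}
        refresh_token = secrets.token_urlsafe(32)
        self.refresh_store[hash_token(refresh_token)] = RefreshRecord(
            subject, family, now + REFRESH_TTL
        )
        return access_claims, refresh_token

    def login(self, subject: str, now: int) -> Tuple[dict, str]:
        # Called only after the user's credentials have been checked.
        return self._issue_pair(subject, secrets.token_hex(8), now)

    def refresh(self, refresh_token: str, now: int) -> Tuple[dict, str]:
        record = self.refresh_store.get(hash_token(refresh_token))
        if record is None:
            raise AuthError("unknown refresh token")
        if record.family in self.revoked_families:
            raise AuthError("family revoked")
        if now >= record.expires_at:
            raise AuthError("refresh token expired")
        if record.used:
            # A rotated token came back: the client replayed it or an attacker
            # stole it. Revoke the whole family so neither party can continue.
            self.revoked_families.add(record.family)
            raise AuthError("refresh token reuse detected; family revoked")
        record.used = True
        return self._issue_pair(record.subject, record.family, now)


def get_access_claims(server: AuthServer, session: dict, now: int) -> dict:
    """Client side: refresh transparently once the access token has expired."""
    if now >= session["access"]["exp"]:
        session["access"], session["refresh"] = server.refresh(session["refresh"], now)
    return session["access"]


def refresh_status(server: AuthServer, refresh_token: str, now: int) -> str:
    """'ok' or the rejection reason, for callers that prefer no exceptions."""
    try:
        server.refresh(refresh_token, now)
        return "ok"
    except AuthError as exc:
        return str(exc)
```

Because the store holds only hashes, an attacker who reads the database learns nothing replayable; because every refresh token is single-use, a stolen-and-replayed token is detected at the second presentation and the whole session family is cut off, forcing a fresh login.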
A server must perform which task to detect if a JWT has been altered during transmission?
Explanation: Verifying the digital signature (recomputing the HMAC, or checking the public-key signature, over the exact header and payload bytes) is the only way to detect that the token has been modified since it was issued; the comparison should be constant-time and use the algorithm the server expects rather than the one named in the token's header. Re-encoding the payload would not detect tampering. Regenerating the secret key is unrelated and would invalidate every outstanding token. Storing the JWT in local storage is a storage concern, not a detection method.
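A worked example, added here and not part of the original quiz, that ties together the structure, signature and expiry questions above: a standard-library Python HS256 signer and verifier. The verifier splits the token into its three base64url segments, pins the accepted algorithm instead of trusting the header's `alg`, recomputes the HMAC over the signed bytes and compares it in constant time, and only then parses the payload and enforces `exp` (with leeway for clock skew). A `forge_payload` helper plays the attacker who edits the payload but keeps the old signature. The secret, the claims and the helper names are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo key (hypothetical value). A real signing secret is a random
# value of at least 32 bytes that never leaves the server.
SECRET = b"constructed-demo-secret-of-at-least-32-bytes"

# The verifier pins the algorithm it accepts instead of trusting the header's
# "alg" field; this rejects "none" and any other attacker-chosen algorithm.
ALLOWED_ALGS = {"HS256"}


class InvalidToken(Exception):
    """Raised with the reason a token was rejected."""


def b64url_encode(data: bytes) -> str:
    # JWT segments use the URL-safe alphabet with '=' padding stripped.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding that was stripped before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build header.payload.signature for the given claims with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    )
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_hs256(token: str, key: bytes, now: Optional[int] = None, leeway: int = 30) -> dict:
    """Return the claims if signature and time claims check out; otherwise raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("expected three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError:
        raise InvalidToken("header is not base64url-encoded JSON")
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        raise InvalidToken("unexpected alg")
    # Recompute the MAC over exactly the bytes the issuer signed and compare in
    # constant time; any change to header or payload changes the MAC.
    signed_bytes = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(key, signed_bytes, hashlib.sha256).digest()
    try:
        presented = b64url_decode(sig_b64)
    except ValueError:
        raise InvalidToken("signature is not base64url")
    if not hmac.compare_digest(expected, presented):
        raise InvalidToken("signature mismatch")
    # Only now is the payload trustworthy enough to parse and act on.
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        raise InvalidToken("payload is not base64url-encoded JSON")
    if not isinstance(claims, dict):
        raise InvalidToken("payload is not a JSON object")
    now = int(time.time()) if now is None else now
    exp = claims.get("exp")  # NumericDate: seconds since the Unix epoch
    if not isinstance(exp, (int, float)):
        raise InvalidToken("exp missing or not numeric")
    if now > exp + leeway:  # leeway absorbs small clock skew between hosts
        raise InvalidToken("token expired")
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and now < nbf - leeway:
        raise InvalidToken("token not yet valid")
    return claims


def forge_payload(token: str, claims: dict) -> str:
    """Attacker move: swap in a new payload but keep the original signature."""
    header_b64, _, sig_b64 = token.split(".")
    payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    return header_b64 + "." + payload_b64 + "." + sig_b64


def token_status(token: str, key: bytes, now: int) -> str:
    """'valid' or the rejection reason, for callers that prefer no exceptions."""
    try:
        verify_hs256(token, key, now=now)
        return "valid"
    except InvalidToken as exc:
        return str(exc)
```

The order of checks matters: algorithm pinning and signature verification come before the payload is parsed, so nothing in an unverified payload is ever acted on, and a token whose payload was edited (or one signed with a different key, or one with `"alg":"none"`) is rejected with a specific reason without leaking which byte differed.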
Why should the secret key used for signing JWTs never be shared with clients or included in the token?
Explanation: With an HMAC algorithm such as HS256 the same secret both signs and verifies, so anyone who holds it can mint tokens with any claims; keeping it on trusted servers ensures that only they can issue valid tokens. Sharing the key with clients, or embedding it in the token, would let clients forge tokens. When many services need to verify tokens, prefer an asymmetric algorithm (RS256 or ES256) so that verifiers hold only the public key. Making the token readable and cross-site requests are unrelated to key secrecy, and token length is unaffected by whether the key is exposed.
Which practice is considered unsafe when working with JWTs in client-side applications?
Explanation: Storing tokens in local storage (or session storage) exposes them to any JavaScript running in the page, making them vulnerable to theft through XSS. Using short-lived tokens, validating the token on every request, and setting an expiration are recommended best practices.
How many parts are separated by dots in a typical JWT, such as eyJ...eyJ...SflK?
Explanation: A standard signed JWT (JWS compact serialization) is composed of three parts: the header, the payload, and the signature, each base64url-encoded (the URL-safe alphabet without '=' padding) and separated by dots. Two and one are too few and do not capture the signature. Four is not a valid count; an encrypted JWT (JWE) uses five parts, but that is not the typical form shown.
Which event should cause a server to reject an incoming JWT during authentication?
Explanation: The 'exp' claim defines the expiration time, so an expired JWT must be rejected. The other options are normal properties of a JWT: a base64url-encoded header, public information in the payload, and a common algorithm are not grounds for rejection. The server should also reject a token whose signature does not verify, whose 'alg' differs from the one the server expects (including 'none'), or whose issuer or audience claims do not match what the server was configured to accept.