While working on one of the security-related aspects of the platform I'm building, I came across the JWT specification, which I find very interesting, and thought I would share the notes I made while reading:
- The JWT acronym stands for "JSON Web Tokens".
- Definition of a security token:
  - an encrypted data structure (in this case in JSON format) which contains:
    - information about the issuer and subject (claims)
    - proof of authenticity (digital signature)
    - expiration (validity) time
- The suggested pronunciation of JWT is the same as the English word "jot".
- Basic facts:
  - JWT is an emerging security token standard for Web APIs
  - developed by the IETF (JSON Web Token (JWT) spec.)
  - used by security protocols:
    - OAuth 2.0 (JWT Profile for OAuth 2.0 spec.)
    - OpenID Connect (mandated)
- Why a JSON-based standard?
  - The XML-based SAML data format, exchanged over the SOAP protocol, offered a ton of encryption and signature options but was perceived as a "heavy" technology and of not…