Gain insights into JWT, OAuth2, and OpenID Connect. Learn about HTTPS, encryption, and handshake techniques, and explore foundational concepts in web API security for enhanced application protection.

Web application developers are always on the lookout for ways to secure their applications. It has become the most fundamental part of any web application considering the rise in the number of cyber-attacks. This course will be your handy guide to the basic terminologies and frameworks related to web application security.

 In this course, you will learn what JWT is, how a JWT is created, and what benefits it provides in token-based authentication. You will learn about why HTTPS was introduced and how it revolutionized the way data is transferred using techniques like encryption and handshake. You will also dive deep into the most commonly used authentication and authorization frameworks called OAuth and OpenId Connect. This course will give you a taste of what web API security is all about and will give you the foundation so you can further your learning of application security.

Web Security and Access Management: JWT, OAuth2 & OpenId Connect

Until now, we have not discussed a very important aspect of JWT, the key management.

Let us look at some questions that can be raised regarding keys.


_1. Will the secret key always remain the same, or will it be changed after regular intervals?_

_2. If the secret key is changed, then what would happen to the tokens signed by older keys?_

_3. If we are using asymmetric signing and the private key is changed, how will we share the new public keys with all the applications?_



We will answer each of these questions one by one.

## Will the secret keys rotate?

Definitely yes! It is not safe or advisable to use the same key for a long time. If someone accidentally gets ahold of our applications key, then the attacker can send malicious requests to our server and we might not even know. If we rotate our keys regularly then we decrease the window of unauthorized access that an attacker gets.

Now the question is, how often should we change the keys? There is no definite answer to this, as it depends on the application. Some might change them every hour and others might keep the same key for a month. It depends on how many tokens you generate and how vulnerable your application is to attacks.


# Will the secret keys rotate?

Definitely yes! It is not safe or advisable to use the same key for a long time. If someone accidentally gets ahold of our applications key, then the attacker can send malicious requests to our server and we might not even know. If we rotate our keys regularly then we decrease the window of unauthorized access that an attacker gets.

Now the question is, how often should we change the keys? There is no definite answer to this, as it depends on the application. Some might change them every hour and others might keep the same key for a month. It depends on how many tokens you generate and how vulnerable your application is to attacks.


This lesson discusses various methods that can be used for key management.

Getting started with Web Application Security

HTTPS Basics

JSON Web Token

OAuth

OpenID Connect

Conclusion

Cryptographic Key Management

Will the secret keys rotate?