Gain insights into JWT, OAuth2, and OpenID Connect. Learn about HTTPS, encryption, and handshake techniques, and explore foundational concepts in web API security for enhanced application protection.

Web application developers are always on the lookout for ways to secure their applications. It has become the most fundamental part of any web application considering the rise in the number of cyber-attacks. This course will be your handy guide to the basic terminologies and frameworks related to web application security.

 In this course, you will learn what JWT is, how a JWT is created, and what benefits it provides in token-based authentication. You will learn about why HTTPS was introduced and how it revolutionized the way data is transferred using techniques like encryption and handshake. You will also dive deep into the most commonly used authentication and authorization frameworks called OAuth and OpenId Connect. This course will give you a taste of what web API security is all about and will give you the foundation so you can further your learning of application security.

Web Security and Access Management: JWT, OAuth2 & OpenId Connect

In this lesson, we will look at how JWTs can be used as an authentication and authorization mechanism. As mentioned in the previous lesson, we will be discussing signed JWTs.

Here is the basic flow of JWT authentication:

1. The client sends a request to the server with user credentials.
2. The server generates a signed JWT for the client if the credentials are valid.
3. The server sends the token back to the client which is stored in the browser.
4. For every subsequent request, the client sends the token back to the server.
5. The server validates the token, and if it is valid then grants access to the client.



# How tokens are signed

There are two mechanisms to sign a token:

## Symmetric Signatures

When a JWT is signed using a secret key, then it is called a symmetric signature. This type of signature is done when there is only one server that signs and validates the token. The same secret key is used to generate and validate the token. The token is signed using HMAC.


HMAC stands for **Hashing for Message Authentication Code**. It's a message authentication code obtained by running a cryptographic hash function (like MD5, SHA1, and SHA256) over the data (to be authenticated) and a shared secret key

![](/api/collection/6650775272947712/6366281604268032/page/5107034270728192/image/4555060743766016)

## Asymmetric Signatures

This signature is suitable for distributed scenarios.
Suppose there are multiple applications that can validate a given JWT. If we use a secret key to sign a JWT, then these applications will need that key to validate the token.

It is not possible to share the secret key amongst all the applications, as it may get leaked. To solve this issue, asymmetric signing is done. Asymmetric signing uses a private-public key pair for signing. 
There is one server that has the private key. This server generates the tokens, signs them using the private key, and shares it with the client.

Now the client can send this token to any application and they can validate it using the public key.
This signature is done using RSA. It is asymmetric encryption and a digital signature algorithm.

![](/api/collection/6650775272947712/6366281604268032/page/5107034270728192/image/4841501323427840)

This lesson discusses JSON web token validation.

Getting started with Web Application Security

HTTPS Basics

JSON Web Token

OAuth

OpenID Connect

Conclusion

JWT Validation