FusionAuth
    Topics created by akira

    • If I can decode a JWT, then how are they secure?

      Q&A, posted by akira

      Good question.

      JWTs are either signed or encrypted. For the most part, you will encounter signed JWTs. When a JWT is created by an authorization server, it is signed. The signature essentially functions as a way to say "this payload has been signed using this algorithm. If the payload is different than what was signed, then this JWT is invalid." It is important to not pass sensitive data in a JWT payload for the reason that it can be viewed, but if a malicious actor tries to tamper with the JWT, the signature will no longer match it, and it will be invalid.

    • What are the different servers called in an OAuth flow?

      Q&A, posted by akira

      The server that issues and signs the JWT is called the Authorization Server. This is what FusionAuth is, as we issue and sign the JWTs which are then presented to other servers via API calls.

      The servers that are connected to resources that a user is trying to access by first authenticating with a JWT are called Resource Servers.

      So, for example, if you have a ToDo app, where a user is trying to access a list of ToDo items, the user would first authenticate with the external IdP. Then the JWT is issued by that IdP, passed to the client, and then the client would present that JWT to the resource server to gain access to the ToDo items.

      For what it's worth, in SAML the auth server coincides with the IdP, and the resource server coincides with the Relying Party.
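      The following is an added example, not part of akira's posts and not FusionAuth's own code, that walks through both answers above with only the Python standard library: the authorization server role (issue_jwt) signs a token with HS256, anyone can base64url-decode the payload without the key (decode_payload), and the resource server role (verify_jwt) recomputes the MAC so an edited payload is rejected. The signing key, the claims and the helper names are all constructed for the demo; a real deployment would use a library such as PyJWT and, typically, an asymmetric algorithm so resource servers only hold the public key.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key: the authorization server keeps this secret. With
# RS256/ES256 it would hold a private key and publish the public half instead.
SIGNING_KEY = b"constructed-demo-secret-do-not-reuse"


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWS/JWT (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode: restore padding, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _json_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def issue_jwt(claims: dict, key: bytes) -> str:
    """Authorization-server side: encode header and payload, sign with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _json_segment(header) + "." + _json_segment(claims)
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def decode_payload(token: str) -> dict:
    """Anyone can do this: the payload is only base64url-encoded, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """Resource-server side: recompute the MAC over header.payload and compare.

    Returns the claims only when the signature matches; None for anything else
    (wrong key, edited payload, unexpected algorithm, malformed token).
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm: the verifier decides how to verify, never the token.
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(
            key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
        ).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        return json.loads(b64url_decode(payload_b64))
    except ValueError:  # covers base64, JSON and unpacking errors
        return None


def tamper_with_payload(token: str, new_claims: dict) -> str:
    """Replace the payload segment but keep the original signature.

    This is what a token looks like after someone edits the decoded JSON
    without holding the signing key.
    """
    header_b64, _, sig_b64 = token.split(".")
    return ".".join([header_b64, _json_segment(new_claims), sig_b64])


def demo() -> dict:
    """Issue a token, read it without the key, forge it, and check both copies."""
    token = issue_jwt({"sub": "alice", "roles": ["user"]}, SIGNING_KEY)
    forged = tamper_with_payload(token, {"sub": "alice", "roles": ["admin"]})
    return {
        "decoded_without_key": decode_payload(token),
        "original_verifies": verify_jwt(token, SIGNING_KEY) is not None,
        "forged_decodes_to": decode_payload(forged)["roles"],
        "forged_verifies": verify_jwt(forged, SIGNING_KEY) is not None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

      The point of the two checks in verify_jwt is the one made in the answer: decoding proves nothing, verification does. The resource server never trusts the claims until the MAC over the exact bytes it received matches, and it pins the algorithm so the token cannot talk it into a weaker check.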