What is the difference between private and public claims on JWT?

I'm confused about the difference between these two claims. From what I understand, they are both custom claims, so what is the difference?

NewDev asked Mar 11 '18 01:03



2 Answers

Public claims

Custom claim names that are required to be collision resistant. Their names should be UUIDs or prefixed by a URL to create a safe namespace for them and avoid collisions.

Private claims

Custom claim names that are not required to be collision resistant.

What is the difference between private and public claims on JWT?

The only difference is that public claims are required to be universally collision resistant, while private claims are not.

Mike Ezzati answered Oct 09 '22 03:10


Public claims are like a public API that is defined for public consumption. They should be well documented. RFC 7519 defines several ways to do it.

  1. You can register the public claim name in the public IANA "JSON Web Token Claims" registry specified in the RFC. There is a whole process of approval around it. See section 10.1: https://www.rfc-editor.org/rfc/rfc7519#section-10.1
  2. You have to make sure that the public claim name is collision-resistant, i.e. it is highly unlikely to collide with other names. Examples are UUIDs, OIDs or domain names.

Private claims are claims that are known only to the producer and consumer of a JWT. Private claim names are not collision-resistant and should be used with a clear understanding of this, and with care...

mikmela answered Oct 09 '22 05:10
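As an added example (not code from either answer), a stdlib-only Python sketch that buckets claim names the way both answers describe, shows why a bare private name collides once one consumer accepts tokens from two producers, and verifies the HS256 signature before trusting any claim. The a.example and b.example issuers, the URL-namespaced role claim and the two payloads are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import re

# Registered claim names from RFC 7519 section 4.1 (the IANA registry lists more).
REGISTERED = {"iss", "sub", "aud", "exp", "nbf", "iat", "jti"}
# Names that are collision-resistant by construction: a URL, an OID or a UUID.
PUBLIC_NAME = re.compile(r"^(https?://\S+|\d+(\.\d+)+|[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12})$", re.I)

# Constructed sample payloads from two token producers that share one consumer.
# Producer A namespaces its role claim under a URL it controls (hypothetical
# domain) and also emits a bare private claim "role"; producer B reuses "role".
PRODUCER_A = {"iss": "https://a.example", "sub": "alice", "exp": 1700000000,
              "https://a.example/claims/role": "admin", "role": "admin"}
PRODUCER_B = {"iss": "https://b.example", "sub": "bob", "exp": 1700000000,
              "role": "billing-reader"}

def classify_claim(name: str) -> str:
    """Bucket a name as RFC 7519 section 4 does; URL/OID/UUID names count as public."""
    if name in REGISTERED:
        return "registered"
    return "public" if PUBLIC_NAME.match(name) else "private"

def find_collisions(claims_a: dict, claims_b: dict) -> set:
    """Private names both producers use: the consumer cannot tell whose meaning applies."""
    shared = claims_a.keys() & claims_b.keys()
    return {n for n in shared if classify_claim(n) == "private"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def encode_hs256(payload: dict, key: bytes) -> str:
    """Compact-serialise the payload as an HS256 JWT (header.payload.signature)."""
    seg = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{seg({'alg': 'HS256', 'typ': 'JWT'})}.{seg(payload)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def verify_hs256(token: str, key: bytes) -> dict:
    """Check the signature in constant time before returning any claims."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
```

Running `find_collisions(PRODUCER_A, PRODUCER_B)` returns `{"role"}`: the URL-namespaced claim is unambiguous, the bare private one is not.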