**What header(s) are used in authentication and authorization **
-
The HTTP Authorization request header contains the credentials to authenticate a user agent with a server, usually, but not necessarily, after the server has responded with a 401 Unauthorized status and the WWW-Authenticate header.
-
The HTTP WWW-Authenticate response header defines the authentication method that should be used to gain access to a resource.
What is safe to put into a JWT
Data token
As the JWT serialized form is compact and easy to integrate in HTTP request JWT are often used as a mechanism of data interchange.
ID token:
Issued by an Identity Manager, on behalf of a client application, after authenticating the user. It allows the client application to get user information from the token in a safe way without the need of managing user credentials.
Access token:
Issued by an authorization server, on behalf of a client application, it allows the client application to access a protected resource on behalf of a user. This kind of token is used as an authentication and authorization mechanism by the client application towards the server holding the resource.
How are JWTs validated
Check signature, The last segment of a JWT is the signature, which is used to verify that the token was signed by the sender and not altered in any way. The Signature is created using the Header and Payload segments
Terms
RBAC:
Role-based access control RBAC restricts network access based on a person’s role within an organization and has become one of the main methods for advanced access control. The roles in RBAC refer to the levels of access that employees have to the network.
User Roles:
are permission sets that control access to areas and features within the Professional Archive Platform. Each User account requires a Role assignment.
JWT Token:
JSON Web Token JWT is an open standard that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.