Talk:JSON Web Token

From Wikipedia, the free encyclopedia

Maintenance and rating of JavaScript articles

Concerning editing and maintaining JavaScript-related articles...

Collaboration...

If you are interested in collaborating on JavaScript articles or would like to see where you could help, stop by Wikipedia:WikiProject JavaScript and feel free to add your name to the participants list. Both editors and programmers are welcome.

Where to list JavaScript articles

We've found over 300 JavaScript-related articles so far. If you come across any others, please add them to that list.

User scripts

The WikiProject is also taking on the organization of the Wikipedia community's user script support pages. If you are interested in helping to organize information on the user scripts (or are curious about what we are up to), let us know!

If you have need for a user script that does not yet exist, or you have a cool idea for a user script or gadget, you can post it at Wikipedia:User scripts/Requests. And if you are a JavaScript programmer, that's a great place to find tasks if you are bored.

How to report JavaScript articles in need of attention

If you come across a JavaScript article desperately in need of editor attention, and it's beyond your ability to handle, you can add it to our list of JavaScript-related articles that need attention.

Rating JavaScript articles

At the top of the talk page of most every JavaScript-related article is a WikiProject JavaScript template where you can record the quality class and importance of the article. Doing so will help the community track the stage of completion and watch the highest priority articles more closely.

Thank you. The Transhumanist 01:10, 12 April 2017 (UTC)

Propose merging criticism and vulnerabilities sections

It looks like there are now two sections for vulnerabilities, which is a bit redundant and confusing. Also, I'm not sure if the statement about HMAC-SHA256 is supported. I've put a citation needed template around it for the time being, but it seems like a WP:EXTREME claim without at least an example (although a statement from a WP:RS is preferable).

@BrnVrn38: Pinging since you created the section

--Elephanthunter (talk) 19:13, 1 August 2018 (UTC)

I hesitated a lot, but there is a real difference between a vulnerability, a real failure ... and "just" criticisms, which are opinions: structured, argued, alternatives, valuable points of view, but still debatable.

These criticisms could be embedded in the text, but I fear they would upset some JWT enthusiasts. So I am not embarking on this alone.

As for the HMAC-SHA256, I added a link to Wikipedia's MAC definition. All MACs by definition use a secret key (vs. signatures, which use a public/private key).

Would you make it "Vulnerabilities", "Criticism", "Vulnerabilities & Criticism", or something else?

"Vulnerabilities and criticism" works well. Changed the ampersand to an "and" per MOS:AMP and changed the casing per MOS:HEAD. Um... but you can only generate a valid HMAC if you are in possession of the secret key. In the case of a JWT being handed to the browser, the browser would not have the secret key, so an HMAC could not be manipulated and regenerated. The words "totally insecure" still don't appear to apply. It is possible I am misunderstanding something though, so please if you have a WP:RS with an explanation of how JWT is totally insecure that would be helpful. It's also possible the explanation just needs reworded. --Elephanthunter (talk) 18:55, 2 August 2018 (UTC)

Propose merging and updating some references

There seems to be a bunch of references that are to the obsoleted drafts, i.e.,

"draft-ietf-jose-json-web-signature-41 - JSON Web Signature (JWS)". tools.ietf.org. Retrieved May 8, 2015.
"draft-ietf-jose-json-web-encryption-40 - JSON Web Encryption (JWE)". tools.ietf.org. Retrieved May 8, 2015.
"draft-ietf-jose-json-web-algorithms-40 - JSON Web Algorithms (JWA)". tools.ietf.org. Retrieved May 8, 2015.

They should be replaced by the following, IMHO.

Jones, Michael B.; Bradley, Bradley; Sakimura, Sakimura (May 2015). JSON Web Token (JWT). IETF. doi:10.17487/RFC7519. ISSN 2070-1721. RFC 7519.

which is the first reference entry. Thoughts?

Added link to JOSE standard

I hope that someone will add an article about it; it's most likely when there is a red link. Reference: JOSE - JSON Object Signing and Encryption, Red Hat, April 1, 2015, retrieved September 30, 2022 jcubic (talk) 17:45, 30 September 2022 (UTC)