OAuth 2.0 vs JWT MCQ 60 Tests With Answers (2026)
PerfectNotes TeamUpdated: May 2026~30 min practice 60 Questions Β· 3 Levels 60 Questions Β· 3 Levels
OAuth 2.0 and JWT are fundamental technologies in modern web security, yet they are frequently confused or misunderstood. OAuth 2.0 is an authorization *framework* that defines how applications grant delegated access to resources. JSON Web Tokens (JWTs) are a specific *token format* used to represent claims about a user or service. These 60 carefully structured MCQs take you from understanding core concepts through deep technical mechanics, cryptographic implementations, and advanced security patterns.
These questions are organized into three progressive difficulty levels of 20 questions each: Basics (covering definitions, OAuth roles, JWT base structure, and bearer token schemas), Concepts (covering registered claims, grant types, signature validation, OIDC, and revocation challenges), and Advanced (covering PKCE code verifiers, JWKS key rotation, none-algorithm bypasses, token blocklists, DPoP, and JWE). Each question includes a verified, in-depth explanation to reinforce learning.
Practice in Study Mode to reveal answers and detailed explanations instantly, or use Exam Mode for timed testing and real-time scoring to simulate certification environments. The interactive engine tracks your progress and identifies knowledge gaps across API token lifecycles and microservice security architectures.
Contents
- 1.Basics (20 Questions)Definitions Β· JWT structure Β· OAuth roles Β· bearer tokens
- 2.Concepts (20 Questions)Claims Β· grant types Β· token validation Β· OIDC
- 3.Advanced (20 Questions)PKCE Β· JWKS Β· cryptography Β· token binding Β· revocation
- 4.Conclusionsummary Β· next steps Β· study tips
- 5.Key Takeawaysquick-fire bullet recap of essential facts
- 6.Quick Review Summaryconcept Β· definition Β· key fact table
- 7.FAQcommon questions answered
OAuth 2.0 vs JWT β Basics
1What is the primary purpose of the OAuth 2.0 protocol?
CorrectA: To provide a standardized authorization framework for delegated access
OAuth 2.0 is an authorization framework that enables delegated access. It allows users to grant third-party applications access to their resources without sharing their passwords. This is fundamentally different from password encryption or API formatting.
IncorrectA: To provide a standardized authorization framework for delegated access
OAuth 2.0 is an authorization framework that enables delegated access. It allows users to grant third-party applications access to their resources without sharing their passwords. This is fundamentally different from password encryption or API formatting.
2What does the acronym JWT stand for in modern web development?
CorrectC: JSON Web Token
JWT stands for JSON Web Token. It is a compact, self-contained way to transmit information as a JSON object that can be cryptographically signed and/or encrypted. JWTs are widely used in OAuth 2.0 implementations and modern API authentication.
IncorrectC: JSON Web Token
JWT stands for JSON Web Token. It is a compact, self-contained way to transmit information as a JSON object that can be cryptographically signed and/or encrypted. JWTs are widely used in OAuth 2.0 implementations and modern API authentication.
3Which statement best describes the fundamental difference between OAuth 2.0 and JWT?
CorrectB: OAuth 2.0 is an authorization framework, while JWT is a specific token data format
OAuth 2.0 is an authorization protocol/framework that defines how applications can grant delegated access. JWT is a specific token format that can be used within OAuth 2.0 implementations (along with other token formats). They serve different purposes and are complementary.
IncorrectB: OAuth 2.0 is an authorization framework, while JWT is a specific token data format
OAuth 2.0 is an authorization protocol/framework that defines how applications can grant delegated access. JWT is a specific token format that can be used within OAuth 2.0 implementations (along with other token formats). They serve different purposes and are complementary.
4How many distinct, encoded parts make up a standard JSON Web Token (JWT)?
CorrectD: Three
A standard JWT consists of three parts: the Header (algorithm and token type), the Payload (claims), and the Signature. These are separated by periods (.) in the encoded format: header.payload.signature.
IncorrectD: Three
A standard JWT consists of three parts: the Header (algorithm and token type), the Payload (claims), and the Signature. These are separated by periods (.) in the encoded format: header.payload.signature.
5What specific character is used to visually separate the different sections of a standard JWT?
CorrectC: A period (`.`)
Periods (`.`) are used to separate the three Base64Url-encoded sections of a JWT: header.payload.signature. This standardized format ensures compatibility across different JWT libraries and implementations.
IncorrectC: A period (`.`)
Periods (`.`) are used to separate the three Base64Url-encoded sections of a JWT: header.payload.signature. This standardized format ensures compatibility across different JWT libraries and implementations.
6Which of the following is NOT a standard, recognized role defined in the OAuth 2.0 framework?
CorrectA: Token Validator
The four standard roles in OAuth 2.0 are: Resource Owner (the user), Client (the application), Authorization Server (issues tokens), and Resource Server (holds protected data). "Token Validator" is not a defined role in the OAuth 2.0 specification.
IncorrectA: Token Validator
The four standard roles in OAuth 2.0 are: Resource Owner (the user), Client (the application), Authorization Server (issues tokens), and Resource Server (holds protected data). "Token Validator" is not a defined role in the OAuth 2.0 specification.
7In a standard JWT, which section specifically dictates the cryptographic signing algorithm being used (e.g., HS256)?
CorrectD: The Header
The JWT Header contains metadata about the token, including the "alg" field that specifies the cryptographic algorithm used for signing (e.g., HS256, RS256). The Header is always the first part of a JWT.
IncorrectD: The Header
The JWT Header contains metadata about the token, including the "alg" field that specifies the cryptographic algorithm used for signing (e.g., HS256, RS256). The Header is always the first part of a JWT.
8What does the term "Client" refer to in the context of an OAuth 2.0 flow?
CorrectB: The application requesting access to a protected resource on behalf of the user
In OAuth 2.0, the Client is the application (web app, mobile app, etc.) that wishes to access protected resources on behalf of the user. It is not the user themselves, nor the server infrastructure.
IncorrectB: The application requesting access to a protected resource on behalf of the user
In OAuth 2.0, the Client is the application (web app, mobile app, etc.) that wishes to access protected resources on behalf of the user. It is not the user themselves, nor the server infrastructure.
9In OAuth 2.0 terminology, what is the "Resource Server"?
CorrectC: The API or server that holds the protected data being requested by the client
The Resource Server is the API or service that hosts the protected resources (user data, files, etc.). It validates access tokens and returns the requested resource to authorized clients.
IncorrectC: The API or server that holds the protected data being requested by the client
The Resource Server is the API or service that hosts the protected resources (user data, files, etc.). It validates access tokens and returns the requested resource to authorized clients.
10What is a "Claim" in the context of a JSON Web Token?
CorrectD: A piece of information asserted about a subject, stored as a key-value pair within the payload
A Claim in a JWT is a specific piece of information (like user ID, email, role) represented as a key-value pair in the payload. Claims can be registered (standard) like "sub" and "exp", or custom claims defined by the application.
IncorrectD: A piece of information asserted about a subject, stored as a key-value pair within the payload
A Claim in a JWT is a specific piece of information (like user ID, email, role) represented as a key-value pair in the payload. Claims can be registered (standard) like "sub" and "exp", or custom claims defined by the application.
11Which part of a JWT mathematically prevents the token's data from being tampered with by a malicious user?
CorrectA: The Signature
The Signature is created by signing the header and payload with a secret key. If an attacker modifies the payload, the signature becomes invalid, and the server will reject the tampered token.
IncorrectA: The Signature
The Signature is created by signing the header and payload with a secret key. If an attacker modifies the payload, the signature becomes invalid, and the server will reject the tampered token.
12Can a standard JWT be decoded and read by someone who does not possess the secret key?
CorrectB: Yes, the header and payload are simply Base64Url encoded, meaning anyone can decode and read them
JWTs are encoded but not encrypted by default. Base64Url encoding is easily reversible, so anyone can decode the header and payload. The signature only protects against tampering, not visibility. For confidentiality, JWE (JSON Web Encryption) must be used.
IncorrectB: Yes, the header and payload are simply Base64Url encoded, meaning anyone can decode and read them
JWTs are encoded but not encrypted by default. Base64Url encoding is easily reversible, so anyone can decode the header and payload. The signature only protects against tampering, not visibility. For confidentiality, JWE (JSON Web Encryption) must be used.
13In OAuth 2.0, what is the specific function of a "Scope"?
CorrectC: A mechanism to limit the specific permissions and access rights granted to the client application
Scopes define the specific permissions or access rights granted to a client. For example, "read:profile" might allow reading a user's profile, while "write:posts" allows creating posts. Users authorize specific scopes during the OAuth flow.
IncorrectC: A mechanism to limit the specific permissions and access rights granted to the client application
Scopes define the specific permissions or access rights granted to a client. For example, "read:profile" might allow reading a user's profile, while "write:posts" allows creating posts. Users authorize specific scopes during the OAuth flow.
14Which type of token is used in OAuth 2.0 to obtain a new access token without requiring the user to manually re-authenticate?
CorrectB: Refresh Token
A Refresh Token is a long-lived token used to obtain new access tokens without requiring the user to re-authenticate. When an access token expires, the client exchanges the refresh token for a new access token.
IncorrectB: Refresh Token
A Refresh Token is a long-lived token used to obtain new access tokens without requiring the user to re-authenticate. When an access token expires, the client exchanges the refresh token for a new access token.
15Does the OAuth 2.0 specification strictly require the use of JWTs for its access tokens?
CorrectD: No, OAuth 2.0 can use any token format, including opaque, randomized string tokens
OAuth 2.0 is token-format agnostic. Access tokens can be JWTs, opaque strings, or any other format. The choice depends on the implementation and security requirements.
IncorrectD: No, OAuth 2.0 can use any token format, including opaque, randomized string tokens
OAuth 2.0 is token-format agnostic. Access tokens can be JWTs, opaque strings, or any other format. The choice depends on the implementation and security requirements.
16What does it mean when an API utilizes a "Bearer Token"?
CorrectA: Any party in possession of the token (the "bearer") can use it to access authorized resources
A Bearer Token follows the Bearer authentication scheme where the token itself represents the authorization. Whoever possesses the token can use it. This is why secure transmission (HTTPS) and proper storage are crucial.
IncorrectA: Any party in possession of the token (the "bearer") can use it to access authorized resources
A Bearer Token follows the Bearer authentication scheme where the token itself represents the authorization. Whoever possesses the token can use it. This is why secure transmission (HTTPS) and proper storage are crucial.
17Which protocol is commonly layered directly on top of OAuth 2.0 to provide standardized user authentication and identity verification?
CorrectB: OpenID Connect (OIDC)
OpenID Connect (OIDC) is built on top of OAuth 2.0 and adds an identity layer. It provides standardized user authentication and returns an ID Token containing user identity information, whereas OAuth 2.0 alone only provides authorization.
IncorrectB: OpenID Connect (OIDC)
OpenID Connect (OIDC) is built on top of OAuth 2.0 and adds an identity layer. It provides standardized user authentication and returns an ID Token containing user identity information, whereas OAuth 2.0 alone only provides authorization.
18What does the "Resource Owner" represent in an enterprise OAuth 2.0 architecture?
CorrectC: The user or entity capable of granting access to a protected resource
The Resource Owner is the user or entity that owns the protected resources. In OAuth 2.0, the Resource Owner grants permission to the Client application to access their resources.
IncorrectC: The user or entity capable of granting access to a protected resource
The Resource Owner is the user or entity that owns the protected resources. In OAuth 2.0, the Resource Owner grants permission to the Client application to access their resources.
19Why are JWTs frequently described as "stateless" in modern web development?
CorrectD: Because they contain all necessary information to verify the user locally, removing the need for a server-side session database
JWTs are stateless because they contain all necessary information (claims) for verification. The server doesn't need to maintain session state or query a database for every request. The signature can be verified locally and instantly.
IncorrectD: Because they contain all necessary information to verify the user locally, removing the need for a server-side session database
JWTs are stateless because they contain all necessary information (claims) for verification. The server doesn't need to maintain session state or query a database for every request. The signature can be verified locally and instantly.
20What encoding mechanism is used to format the header and payload strings of a standard JWT?
CorrectA: Base64Url
JWTs use Base64Url encoding (a variant of Base64 that is URL-safe by replacing "+" with "-" and "/" with "_") for the header and payload sections. This ensures compatibility with URLs and HTTP headers.
IncorrectA: Base64Url
JWTs use Base64Url encoding (a variant of Base64 that is URL-safe by replacing "+" with "-" and "/" with "_") for the header and payload sections. This ensures compatibility with URLs and HTTP headers.
OAuth 2.0 vs JWT β Concepts
1In a JWT payload, what does the registered claim `exp` strictly define?
CorrectB: The expiration time after which the token must not be accepted for processing
The "exp" (expiration time) claim specifies when the JWT becomes invalid. It is represented as a UNIX timestamp (seconds since epoch). The server must reject tokens where the current time exceeds the exp value.
IncorrectB: The expiration time after which the token must not be accepted for processing
The "exp" (expiration time) claim specifies when the JWT becomes invalid. It is represented as a UNIX timestamp (seconds since epoch). The server must reject tokens where the current time exceeds the exp value.
2Which OAuth 2.0 grant type is considered the most secure and is universally recommended for traditional server-side web applications?
CorrectA: Authorization Code Grant
The Authorization Code Grant is the most secure for server-side web applications. It involves a secure backend channel for exchanging authorization codes for tokens, keeping sensitive information (like client secrets) protected.
IncorrectA: Authorization Code Grant
The Authorization Code Grant is the most secure for server-side web applications. It involves a secure backend channel for exchanging authorization codes for tokens, keeping sensitive information (like client secrets) protected.
3How does a Resource Server typically validate an "opaque" access token compared to a JWT access token?
CorrectD: It must make a network request back to the Authorization Server (e.g., an introspection endpoint) to validate the token
Opaque tokens are random strings with no internal structure. To validate them, the Resource Server must contact the Authorization Server's introspection endpoint. JWTs, however, can be validated locally by verifying the signature.
IncorrectD: It must make a network request back to the Authorization Server (e.g., an introspection endpoint) to validate the token
Opaque tokens are random strings with no internal structure. To validate them, the Resource Server must contact the Authorization Server's introspection endpoint. JWTs, however, can be validated locally by verifying the signature.
4In the standard JWT specification, what does the `sub` claim represent?
CorrectC: The subject of the token, typically the unique identifier for the user
The "sub" (subject) claim identifies the principal entity the token is about, typically the user ID or unique identifier. It is one of the most important registered claims in OAuth/OIDC flows.
IncorrectC: The subject of the token, typically the unique identifier for the user
The "sub" (subject) claim identifies the principal entity the token is about, typically the user ID or unique identifier. It is one of the most important registered claims in OAuth/OIDC flows.
5Which OAuth 2.0 flow involves the client application collecting the user's username and password to send directly to the authorization server?
CorrectA: Resource Owner Password Credentials Grant
The Resource Owner Password Credentials Grant allows the client to directly collect and submit the user's credentials. This flow is discouraged for third-party applications but may be acceptable for first-party apps.
IncorrectA: Resource Owner Password Credentials Grant
The Resource Owner Password Credentials Grant allows the client to directly collect and submit the user's credentials. This flow is discouraged for third-party applications but may be acceptable for first-party apps.
6Why is the OAuth 2.0 "Implicit Grant" flow currently considered deprecated and heavily discouraged for modern Single-Page Applications (SPAs)?
CorrectB: It exposes the access token directly in the URL fragment, making it highly vulnerable to interception
The Implicit Grant returns the access token in the URL fragment, exposing it to browsers, JavaScript, and potentially intermediaries. OAuth 2.1 has removed this flow entirely in favor of the Authorization Code with PKCE.
IncorrectB: It exposes the access token directly in the URL fragment, making it highly vulnerable to interception
The Implicit Grant returns the access token in the URL fragment, exposing it to browsers, JavaScript, and potentially intermediaries. OAuth 2.1 has removed this flow entirely in favor of the Authorization Code with PKCE.
7In a JWT payload, what is the explicit purpose of the `iss` claim?
CorrectD: It identifies the principal entity that issued the token
The "iss" (issuer) claim identifies who created and signed the token. Typically this is the Authorization Server URL (e.g., "https://auth.example.com"). Clients verify the iss claim matches the expected issuer.
IncorrectD: It identifies the principal entity that issued the token
The "iss" (issuer) claim identifies who created and signed the token. Typically this is the Authorization Server URL (e.g., "https://auth.example.com"). Clients verify the iss claim matches the expected issuer.
8Which OAuth 2.0 flow is specifically designed for backend machine-to-machine (M2M) communication where no human user is involved?
CorrectC: Client Credentials Grant
The Client Credentials Grant allows a service to authenticate directly without a user context. It is ideal for server-to-server API calls and backend services that need programmatic access.
IncorrectC: Client Credentials Grant
The Client Credentials Grant allows a service to authenticate directly without a user context. It is ideal for server-to-server API calls and backend services that need programmatic access.
9If an attacker intercepts a valid JWT access token, what prevents them from successfully modifying the `role` claim from "user" to "admin"?
CorrectA: Changing the payload invalidates the cryptographic signature, causing the server to reject the tampered token
Modifying the payload changes the hash, which invalidates the signature. Without the secret key, an attacker cannot produce a valid signature for the modified payload. This is the core security mechanism of JWTs.
IncorrectA: Changing the payload invalidates the cryptographic signature, causing the server to reject the tampered token
Modifying the payload changes the hash, which invalidates the signature. Without the secret key, an attacker cannot produce a valid signature for the modified payload. This is the core security mechanism of JWTs.
10What is the fundamental role of the "Authorization Code" in the Authorization Code Grant flow?
CorrectB: It is a temporary, short-lived credential exchanged securely by the backend client for the actual access and refresh tokens
The Authorization Code is a temporary code (typically valid for 10 minutes) returned to the client after user authentication. The client exchanges this code for access and refresh tokens via a secure backend channel.
IncorrectB: It is a temporary, short-lived credential exchanged securely by the backend client for the actual access and refresh tokens
The Authorization Code is a temporary code (typically valid for 10 minutes) returned to the client after user authentication. The client exchanges this code for access and refresh tokens via a secure backend channel.
11In OpenID Connect (which is layered on top of OAuth 2.0), what specific token is introduced to explicitly provide identity information about the authenticated user?
CorrectD: The ID Token
The ID Token is an OIDC-specific token (usually a JWT) that contains identity information about the authenticated user, including claims like "sub" (user ID), "name", "email", etc. OAuth 2.0 alone does not provide this.
IncorrectD: The ID Token
The ID Token is an OIDC-specific token (usually a JWT) that contains identity information about the authenticated user, including claims like "sub" (user ID), "name", "email", etc. OAuth 2.0 alone does not provide this.
12What is a primary, recognized architectural disadvantage of relying entirely on stateless JWTs for session management?
CorrectC: They are notoriously difficult to instantly revoke before their expiration time (e.g., if a user clicks "log out")
Since JWTs are self-contained and stateless, a server cannot instantly invalidate them. If a user logs out or their permissions change, the token remains valid until expiration. A token blocklist/denylist is required for immediate revocation.
IncorrectC: They are notoriously difficult to instantly revoke before their expiration time (e.g., if a user clicks "log out")
Since JWTs are self-contained and stateless, a server cannot instantly invalidate them. If a user logs out or their permissions change, the token remains valid until expiration. A token blocklist/denylist is required for immediate revocation.
13In OAuth 2.0, what is the crucial security purpose of the `state` parameter during the initial authorization request?
CorrectB: To mitigate Cross-Site Request Forgery (CSRF) attacks by maintaining state between the request and callback
The state parameter is a random, opaque value that the client sends in the authorization request and receives back in the redirect. Comparing these values prevents CSRF attacks by ensuring the callback is for the same request.
IncorrectB: To mitigate Cross-Site Request Forgery (CSRF) attacks by maintaining state between the request and callback
The state parameter is a random, opaque value that the client sends in the authorization request and receives back in the redirect. Comparing these values prevents CSRF attacks by ensuring the callback is for the same request.
14When a Resource Server receives a JWT signed with an asymmetric algorithm (like RS256), what exactly does it use to verify the signature?
CorrectA: The Authorization Server's Public Key
Asymmetric algorithms like RS256 use public/private key pairs. The Authorization Server signs with its private key; the Resource Server verifies using the public key (fetched from the JWKS endpoint). The public key can be safely distributed.
IncorrectA: The Authorization Server's Public Key
Asymmetric algorithms like RS256 use public/private key pairs. The Authorization Server signs with its private key; the Resource Server verifies using the public key (fetched from the JWKS endpoint). The public key can be safely distributed.
15What does the registered claim `aud` specify when included in a JWT?
CorrectD: The intended audience (the recipients or APIs) that the token is specifically meant for
The "aud" (audience) claim specifies which service(s) the token is intended for. For example, "https://api.example.com" or ["service-a", "service-b"]. Servers should verify they are in the aud list before accepting the token.
IncorrectD: The intended audience (the recipients or APIs) that the token is specifically meant for
The "aud" (audience) claim specifies which service(s) the token is intended for. For example, "https://api.example.com" or ["service-a", "service-b"]. Servers should verify they are in the aud list before accepting the token.
16In the context of OAuth 2.0 architectures, what does an "Introspection Endpoint" actually do?
CorrectC: It allows a resource server to query the authorization server to determine the active state and metadata of a specific opaque token
The introspection endpoint is defined in RFC 7662. It allows a Resource Server to validate opaque tokens by querying the Authorization Server with the token string and receiving metadata (scope, expiration, user ID, etc.).
IncorrectC: It allows a resource server to query the authorization server to determine the active state and metadata of a specific opaque token
The introspection endpoint is defined in RFC 7662. It allows a Resource Server to validate opaque tokens by querying the Authorization Server with the token string and receiving metadata (scope, expiration, user ID, etc.).
17How should a client application securely transmit a JWT access token to a Resource Server in a standard HTTP request?
CorrectD: In the `Authorization` header using the `Bearer` schema
The standard method is the Authorization header with Bearer schema: "Authorization: Bearer <token>". This avoids exposing the token in URLs or cookies where it might be logged or cached.
IncorrectD: In the `Authorization` header using the `Bearer` schema
The standard method is the Authorization header with Bearer schema: "Authorization: Bearer <token>". This avoids exposing the token in URLs or cookies where it might be logged or cached.
18What is the fundamental cryptographic difference between the HS256 and RS256 algorithms used for signing JWTs?
CorrectA: HS256 is a symmetric algorithm using a single shared secret; RS256 is an asymmetric algorithm using a public/private key pair
HS256 (HMAC-SHA256) uses a single shared secret that both parties possess. RS256 (RSA-SHA256) uses asymmetric encryption with a private key for signing and a public key for verification. RS256 is more suitable for multiple Resource Servers.
IncorrectA: HS256 is a symmetric algorithm using a single shared secret; RS256 is an asymmetric algorithm using a public/private key pair
HS256 (HMAC-SHA256) uses a single shared secret that both parties possess. RS256 (RSA-SHA256) uses asymmetric encryption with a private key for signing and a public key for verification. RS256 is more suitable for multiple Resource Servers.
19In the OAuth 2.0 Device Authorization Grant (Device Flow), how does the user actually authenticate?
CorrectB: By reading a user code on the restricted device, navigating to a URL on a secondary device (like a smartphone), and authorizing the request there
The Device Flow is designed for IoT and smart TV devices with limited user input. The device displays a code; the user visits a URL on their phone or computer to authorize. This solves the problem of inputting credentials on devices without keyboards.
IncorrectB: By reading a user code on the restricted device, navigating to a URL on a secondary device (like a smartphone), and authorizing the request there
The Device Flow is designed for IoT and smart TV devices with limited user input. The device displays a code; the user visits a URL on their phone or computer to authorize. This solves the problem of inputting credentials on devices without keyboards.
20What is a "Refresh Token Rotation" policy primarily designed to prevent in a secure web ecosystem?
CorrectC: The critical risk of a compromised refresh token being used indefinitely by a malicious attacker
Refresh Token Rotation issues a new refresh token with each token refresh and invalidates the old one. This limits the window of vulnerability if a refresh token is stolen. Combined with proper storage (HttpOnly cookies), it significantly reduces attack surface.
IncorrectC: The critical risk of a compromised refresh token being used indefinitely by a malicious attacker
Refresh Token Rotation issues a new refresh token with each token refresh and invalidates the old one. This limits the window of vulnerability if a refresh token is stolen. Combined with proper storage (HttpOnly cookies), it significantly reduces attack surface.
OAuth 2.0 vs JWT β Advanced
1What is the explicit architectural purpose of Proof Key for Code Exchange (PKCE) in the OAuth 2.0 Authorization Code flow?
CorrectC: To mitigate authorization code interception attacks, particularly for public clients (like SPAs and mobile apps) that cannot safely store a client secret
PKCE (RFC 7636) was designed to protect public clients that cannot securely store a client secret. It uses a code_verifier and code_challenge to prevent authorization code interception attacks.
IncorrectC: To mitigate authorization code interception attacks, particularly for public clients (like SPAs and mobile apps) that cannot safely store a client secret
PKCE (RFC 7636) was designed to protect public clients that cannot securely store a client secret. It uses a code_verifier and code_challenge to prevent authorization code interception attacks.
2How does PKCE mathematically secure the Authorization Code flow against interception?
CorrectB: The client creates a dynamic `code_verifier` and sends its hashed `code_challenge` in the initial request, then proves possession by sending the raw verifier when exchanging the code for a token
PKCE uses: (1) S256: code_challenge = BASE64URL(SHA256(code_verifier)), (2) The client sends code_challenge in the auth request, (3) Later exchanges the code with the raw code_verifier, (4) Server verifies the math matches. Even if code is intercepted, attacker lacks the verifier.
IncorrectB: The client creates a dynamic `code_verifier` and sends its hashed `code_challenge` in the initial request, then proves possession by sending the raw verifier when exchanging the code for a token
PKCE uses: (1) S256: code_challenge = BASE64URL(SHA256(code_verifier)), (2) The client sends code_challenge in the auth request, (3) Later exchanges the code with the raw code_verifier, (4) Server verifies the math matches. Even if code is intercepted, attacker lacks the verifier.
3What is a JSON Web Key Set (JWKS)?
CorrectA: A JSON data structure that represents a set of public keys, used by resource servers to fetch the keys needed to verify JWT signatures dynamically
A JWKS is a JSON document containing multiple JWK (JSON Web Key) objects representing public keys. Resource Servers fetch the JWKS endpoint (e.g., "https://auth.example.com/.well-known/jwks.json") to dynamically retrieve keys for signature verification.
IncorrectA: A JSON data structure that represents a set of public keys, used by resource servers to fetch the keys needed to verify JWT signatures dynamically
A JWKS is a JSON document containing multiple JWK (JSON Web Key) objects representing public keys. Resource Servers fetch the JWKS endpoint (e.g., "https://auth.example.com/.well-known/jwks.json") to dynamically retrieve keys for signature verification.
4What severe vulnerability is introduced if a JWT validation library fails to properly handle the `alg: "none"` header?
CorrectD: An attacker can strip the signature from the token, set the algorithm to "none", and the server will accept the tampered token as perfectly valid
The "alg: none" vulnerability allows attackers to create unsigned tokens. Vulnerable libraries might skip signature verification entirely. Proper implementations must reject "none" and whitelist allowed algorithms.
IncorrectD: An attacker can strip the signature from the token, set the algorithm to "none", and the server will accept the tampered token as perfectly valid
The "alg: none" vulnerability allows attackers to create unsigned tokens. Vulnerable libraries might skip signature verification entirely. Proper implementations must reject "none" and whitelist allowed algorithms.
5In advanced JWT security implementations, what is the practical purpose of the `jti` (JWT ID) claim?
CorrectC: To provide a unique identifier for the token, which can be utilized alongside a blocklist to detect and prevent replay attacks
The "jti" (JWT ID) claim provides a unique identifier for each token instance. It enables token blocklisting (storing jti values of revoked tokens) to prevent token replay attacks and enable instant revocation.
IncorrectC: To provide a unique identifier for the token, which can be utilized alongside a blocklist to detect and prevent replay attacks
The "jti" (JWT ID) claim provides a unique identifier for each token instance. It enables token blocklisting (storing jti values of revoked tokens) to prevent token replay attacks and enable instant revocation.
6When storing a JWT in a browser-based Single Page Application (SPA), why is utilizing LocalStorage often considered a critical security risk?
CorrectB: Any malicious JavaScript executed on the page (via XSS) can easily read and steal the token from LocalStorage
LocalStorage is accessible to any JavaScript running on the page, including malicious scripts injected via XSS. If an attacker can inject JavaScript, they can steal tokens from LocalStorage. Secure alternatives include HttpOnly, Secure cookies.
IncorrectB: Any malicious JavaScript executed on the page (via XSS) can easily read and steal the token from LocalStorage
LocalStorage is accessible to any JavaScript running on the page, including malicious scripts injected via XSS. If an attacker can inject JavaScript, they can steal tokens from LocalStorage. Secure alternatives include HttpOnly, Secure cookies.
7To mitigate XSS risks in a web application, an architect decides to store the JWT access token inside an `HttpOnly` cookie. What new vulnerability must they now strictly defend against?
CorrectD: Cross-Site Request Forgery (CSRF)
HttpOnly cookies are automatically sent by the browser with every request. If an attacker can craft a request from the user's browser (via a malicious website), the cookie is sent automatically. CSRF tokens or SameSite flags mitigate this.
IncorrectD: Cross-Site Request Forgery (CSRF)
HttpOnly cookies are automatically sent by the browser with every request. If an attacker can craft a request from the user's browser (via a malicious website), the cookie is sent automatically. CSRF tokens or SameSite flags mitigate this.
8What is "Token Binding" (e.g., DPoP - Demonstrating Proof-of-Possession) in the advanced context of OAuth 2.0?
CorrectA: A mechanism that cryptographically binds an access token to a specific client instance's private key, preventing an attacker from using a stolen token on a different machine
DPoP (RFC 9449) requires clients to prove possession of a private key when using the token. Even if an attacker steals the token, they cannot use it without the private key. This provides protection against token theft.
IncorrectA: A mechanism that cryptographically binds an access token to a specific client instance's private key, preventing an attacker from using a stolen token on a different machine
DPoP (RFC 9449) requires clients to prove possession of a private key when using the token. Even if an attacker steals the token, they cannot use it without the private key. This provides protection against token theft.
9In a microservices architecture using JWTs, what is the primary architectural trade-off of maintaining a token blocklist (denylist) to enable immediate revocation?
CorrectD: It fundamentally breaks the "stateless" advantage of JWTs, forcing microservices to query a shared database or cache to validate every token
Token blocklists require storing revoked token identifiers and checking every incoming token against them. This reintroduces server-side state, adding latency and complexity. Redis or similar fast caches are used to minimize performance impact.
IncorrectD: It fundamentally breaks the "stateless" advantage of JWTs, forcing microservices to query a shared database or cache to validate every token
Token blocklists require storing revoked token identifiers and checking every incoming token against them. This reintroduces server-side state, adding latency and complexity. Redis or similar fast caches are used to minimize performance impact.
10What is JWE (JSON Web Encryption), and how does it fundamentally differ from a standard JWS (JSON Web Signature)?
CorrectC: JWE provides confidentiality by encrypting the payload content so it cannot be read by third parties, whereas JWS only provides integrity and authenticity via a signature
JWS signs the payload (integrity + authenticity). JWE encrypts it (confidentiality). JWTs are JWS by default. To achieve full confidentiality, JWE must be used, creating an encrypted, signed token.
IncorrectC: JWE provides confidentiality by encrypting the payload content so it cannot be read by third parties, whereas JWS only provides integrity and authenticity via a signature
JWS signs the payload (integrity + authenticity). JWE encrypts it (confidentiality). JWTs are JWS by default. To achieve full confidentiality, JWE must be used, creating an encrypted, signed token.
11According to the evolving OAuth 2.1 draft framework, which traditional grant type is officially removed from the specification due to inherent security flaws?
CorrectA: Implicit Grant
OAuth 2.1 removes the Implicit Grant entirely, citing its vulnerability to token exposure in URL fragments. PKCE with Authorization Code flow is the recommended replacement for SPAs and native apps.
IncorrectA: Implicit Grant
OAuth 2.1 removes the Implicit Grant entirely, citing its vulnerability to token exposure in URL fragments. PKCE with Authorization Code flow is the recommended replacement for SPAs and native apps.
12What is the `kid` (Key ID) header parameter utilized for in a signed JWT?
CorrectB: It is a hint indicating which specific key (from a fetched JWKS endpoint) the server should use to verify the signature
The "kid" (Key ID) parameter in the JWT Header points to a specific key in the JWKS. When multiple keys are available (for rotation), the kid tells the server which public key to use for verification.
IncorrectB: It is a hint indicating which specific key (from a fetched JWKS endpoint) the server should use to verify the signature
The "kid" (Key ID) parameter in the JWT Header points to a specific key in the JWKS. When multiple keys are available (for rotation), the kid tells the server which public key to use for verification.
13When implementing OpenID Connect, what is the `nonce` parameter passed in the authorization request primarily used to prevent?
CorrectD: Token replay attacks against the client application
The nonce is a random value the client sends in the authorization request and expects to receive back in the ID Token. Mismatches indicate a replay or confusion attack. It prevents token replay against the client.
IncorrectD: Token replay attacks against the client application
The nonce is a random value the client sends in the authorization request and expects to receive back in the ID Token. Mismatches indicate a replay or confusion attack. It prevents token replay against the client.
14In an OAuth 2.0 flow involving a backend Confidential Client, why is the `client_secret` considered secure?
CorrectC: Because it resides entirely on the secure backend server and is never exposed to the user's browser or the resource owner
The client_secret is a credential known only to the Authorization Server and the backend Client. It never leaves the backend server, making it safe to use for authentication (unlike public clients like SPAs).
IncorrectC: Because it resides entirely on the secure backend server and is never exposed to the user's browser or the resource owner
The client_secret is a credential known only to the Authorization Server and the backend Client. It never leaves the backend server, making it safe to use for authentication (unlike public clients like SPAs).
15How does the "Phantom Token" pattern secure frontend applications working within an OAuth 2.0 ecosystem?
CorrectA: By utilizing an API Gateway to accept an opaque token from the frontend and exchange it internally for a JWT before passing the request to backend microservices
The Phantom Token pattern gives the frontend an opaque token (protecting it from XSS), while the backend API Gateway introspects it and retrieves the JWT. This provides both frontend protection and backend efficiency.
IncorrectA: By utilizing an API Gateway to accept an opaque token from the frontend and exchange it internally for a JWT before passing the request to backend microservices
The Phantom Token pattern gives the frontend an opaque token (protecting it from XSS), while the backend API Gateway introspects it and retrieves the JWT. This provides both frontend protection and backend efficiency.
16In OAuth 2.0, what does the "Consent Screen" or "Authorization Prompt" practically achieve?
CorrectB: It allows the Resource Owner to review and explicitly grant or deny the specific scopes requested by the Client application
The consent screen presents the requested scopes to the user, ensuring transparency and explicit authorization. Users can grant or deny specific scopes before issuing tokens. This is fundamental to delegated authorization.
IncorrectB: It allows the Resource Owner to review and explicitly grant or deny the specific scopes requested by the Client application
The consent screen presents the requested scopes to the user, ensuring transparency and explicit authorization. Users can grant or deny specific scopes before issuing tokens. This is fundamental to delegated authorization.
17What is the primary operational risk if an organization uses a single symmetric key (HS256) to sign JWTs across a sprawling microservice architecture?
CorrectC: Every microservice must possess the shared secret key to validate the token; if any single microservice is compromised, the attacker can forge valid tokens for the entire system
With HS256, every service needs the secret to validate tokens. If any service is compromised, attackers can forge tokens trusted by all services. Asymmetric algorithms (RS256) distribute only the public key, limiting damage.
IncorrectC: Every microservice must possess the shared secret key to validate the token; if any single microservice is compromised, the attacker can forge valid tokens for the entire system
With HS256, every service needs the secret to validate tokens. If any service is compromised, attackers can forge tokens trusted by all services. Asymmetric algorithms (RS256) distribute only the public key, limiting damage.
18What is the precise function of the `nbf` (Not Before) claim when included in a JWT?
CorrectD: It identifies the time before which the JWT must NOT be accepted for processing by the resource server
The "nbf" (Not Before) claim specifies a UNIX timestamp. The server must reject tokens where the current time is before this value. This prevents tokens from being used before their intended activation time.
IncorrectD: It identifies the time before which the JWT must NOT be accepted for processing by the resource server
The "nbf" (Not Before) claim specifies a UNIX timestamp. The server must reject tokens where the current time is before this value. This prevents tokens from being used before their intended activation time.
19In the context of OAuth 2.0 and API Gateways, what is meant by "Scope Downgrading"?
CorrectA: A scenario where an Authorization Server issues an access token with fewer permissions than the client originally requested, often based on the user's consent choices
Scope downgrading occurs when users deny some requested scopes during consent. The Authorization Server issues a token with only the approved scopes. Clients must handle this gracefully.
IncorrectA: A scenario where an Authorization Server issues an access token with fewer permissions than the client originally requested, often based on the user's consent choices
Scope downgrading occurs when users deny some requested scopes during consent. The Authorization Server issues a token with only the approved scopes. Clients must handle this gracefully.
20Which vulnerability occurs when an attacker confuses an OAuth client into linking the attacker's authorization code to the victim's active session?
CorrectB: OAuth CSRF (Login CSRF)
Login CSRF (also called "Cross-Site Request Forgery") happens when an attacker tricks a user into authorizing access with the attacker's account. The user ends up logged into the attacker's account. The "state" parameter prevents this.
IncorrectB: OAuth CSRF (Login CSRF)
Login CSRF (also called "Cross-Site Request Forgery") happens when an attacker tricks a user into authorizing access with the attacker's account. The user ends up logged into the attacker's account. The "state" parameter prevents this.
Conclusion: Authorization & Authentication Mastery
OAuth 2.0 and JWT are complementary technologies that form the backbone of modern web security. OAuth 2.0 provides the *framework* for delegated authorization across applications and services. JWTs provide a *self-contained token format* that can represent claims reliably and securely. Understanding bothβand their proper implementationβis essential for architects, developers, and security professionals.
Key architectural considerations: Choose appropriate grant types based on your client type (web app, SPA, native mobile, backend service). Implement PKCE for all public clients. Use short-lived access tokens with refresh token rotation. Validate signatures strictly. Protect tokens from XSS and CSRF. Understand the trade-offs between stateless JWTs and token blocklists for revocation.
These 60 MCQs represent the foundational knowledge required to design secure authentication and authorization systems for cloud-native architectures, microservices, and modern APIs. Master these concepts, and you\'ll architect systems that are both secure and efficient. Good luck on your security journey! π
π KEY TAKEAWAYS β OAUTH 2.0 VS JWT
- OAuth 2.0 β authorization *framework* defining how applications grant delegated access; JWT β specific token *format* representing claims. Complementary, not competing technologies.
- JWT Structure β header.payload.signature (3 parts). Header specifies algorithm, payload contains claims, signature provides integrity (NOT confidentiality by default).
- Authorization Code Grant β most secure for server-side web apps; Authorization Code + PKCE β required for SPAs and native mobile; Client Credentials β machine-to-machine.
- Refresh Tokens β long-lived credentials obtaining new short-lived access tokens. Refresh Token Rotation issues new tokens and invalidates old ones, limiting compromise exposure.
- Stateless JWTs β contain all information for local verification, eliminating server-side session databases. However, instant revocation requires maintaining a token blocklist/denylist.
- PKCE β Proof Key for Code Exchange protects public clients using dynamic code_verifier and code_challenge values. OAuth 2.1 requires PKCE for all public clients.
- Asymmetric Algorithms β RS256, ES256 preferred for microservices; public key safely distributed. Symmetric β HS256 requires sharing secret with every service, increasing compromise risk.
- Registered Claims β exp (expiration), sub (subject), aud (audience), iss (issuer), jti (JWT ID). Standardized and should be included for robust security and interoperability.
- Token Storage β HttpOnly, Secure cookies safer than LocalStorage (XSS vulnerable). Alternatively, use Phantom Token pattern with API Gateway to keep opaque tokens in frontend.
- Signature Validation β Always validate using correct algorithm indicated in JWT header. Libraries must reject unsupported algorithms (like "alg: none") to prevent trivial bypasses.
Quick Review & Summary
Use this table to understand OAuth 2.0 and JWT concepts before or after attempting the questions above.
| Aspect | OAuth 2.0 | JWT |
|---|---|---|
| Type | Authorization framework/protocol | Token format (data structure) |
| Purpose | Enable delegated access control | Represent claims securely |
| Structure | Flows/grant types, roles, endpoints | Header.Payload.Signature (3 parts) |
| Token Format | Flexible (opaque, JWT, SAML, etc.) | Self-contained, JSON-based |
| Revocation | Managed by Authorization Server | Difficult (requires blocklist) |
| Encryption | Not specified (vary by implementation) | Signed by default; JWE for confidentiality |
| Server-Side State | Required (sessions, grants, codes) | Optional (can be stateless) |
| Best For | Multi-party authorization, third-party access | Stateless APIs, microservices, edge computing |
Frequently Asked Questions
Q. What is the primary difference between OAuth 2.0 and JWT?
Q. Can I use OAuth 2.0 without JWTs?
Q. Are JWTs secure?
Q. What is PKCE and why is it important?
Q. How do I revoke a JWT before its expiration time?
Q. What is the difference between access tokens and refresh tokens?
Q. Which OAuth 2.0 grant type is best for my use case?
Q. What is the "state" parameter in OAuth 2.0?
Q. Can I store a JWT in LocalStorage in a web app?
Q. What are JWT claims and why do they matter?
Struggling with some questions? Re-read the full Theory Guide: OAuth 2.0 & JWT