`kid` is an optional header claim which holds a key identifier, particularly useful when you have multiple keys to sign the tokens and you need to look up the right one to verify the signature.

Once a signed JWT is a JWS, consider the definition from the [RFC 7515][1]:

&gt; [**4.1.4.  &quot;kid&quot; (Key ID) Header Parameter**][2]
&gt; 
&gt;  The `kid` (key ID) Header Parameter is a hint indicating which key
&gt; was used to secure the JWS.  This parameter allows originators to
&gt; explicitly signal a change of key to recipients.  The structure of the
&gt; `kid` value is unspecified.  Its value MUST be a case-sensitive
&gt; string.  Use of this Header Parameter is OPTIONAL.
&gt; 
&gt;  When used with a JWK, the `kid` value is used to match a JWK `kid`
&gt; parameter value.


  [1]: https://www.rfc-editor.org/rfc/rfc7515
  [2]: https://www.rfc-editor.org/rfc/rfc7515#section-4.1.4

The `kid` (key ID) claim is an optional header claim, used to specify the key for validating the signature.

It is described here: http://self-issued.info/docs/draft-jones-json-web-token-01.html#ReservedHeaderParameterName

I&#39;m trying to run Python&#39;s Scrapy in a Docker container based on [python:alpine][1]. It was working before, but now I&#39;d like to use Scrapy&#39;s [Image Pipeline][2] which requires me to install Pillow.

As a simplified example, I tried the following `Dockerfile`:

    FROM python:alpine
    RUN apk --update add libxml2-dev libxslt-dev libffi-dev gcc musl-dev libgcc openssl-dev curl
    RUN apk add libjpeg zlib tiff freetype lcms libwebp tcl openjpeg
    RUN pip install Pillow

However, when I try to build this I get an error which contains the following:

    Traceback (most recent call last):
      File &quot;/tmp/pip-build-ft5yzzuv/Pillow/setup.py&quot;, line 744, in &lt;module&gt;
        zip_safe=not debug_build(), )
      File &quot;/usr/local/lib/python3.6/distutils/core.py&quot;, line 148, in setup
        dist.run_commands()
      File &quot;/usr/local/lib/python3.6/distutils/dist.py&quot;, line 955, in run_commands
        self.run_command(cmd)
      File &quot;/usr/local/lib/python3.6/distutils/dist.py&quot;, line 974, in run_command
        cmd_obj.run()
      File &quot;/usr/local/lib/python3.6/site-packages/setuptools/command/install.py&quot;, line 61, in run
        return orig.install.run(self)
      File &quot;/usr/local/lib/python3.6/distutils/command/install.py&quot;, line 545, in run
        self.run_command(&#39;build&#39;)
      File &quot;/usr/local/lib/python3.6/distutils/cmd.py&quot;, line 313, in run_command
        self.distribution.run_command(command)
      File &quot;/usr/local/lib/python3.6/distutils/dist.py&quot;, line 974, in run_command
        cmd_obj.run()
      File &quot;/usr/local/lib/python3.6/distutils/command/build.py&quot;, line 135, in run
        self.run_command(cmd_name)
      File &quot;/usr/local/lib/python3.6/distutils/cmd.py&quot;, line 313, in run_command
        self.distribution.run_command(command)
      File &quot;/usr/local/lib/python3.6/distutils/dist.py&quot;, line 974, in run_command
        cmd_obj.run()
      File &quot;/usr/local/lib/python3.6/distutils/command/build_ext.py&quot;, line 339, in run
        self.build_extensions()
      File &quot;/tmp/pip-build-ft5yzzuv/Pillow/setup.py&quot;, line 545, in build_extensions
        raise RequiredDependencyException(f)
    __main__.RequiredDependencyException: jpeg
    
    During handling of the above exception, another exception occurred:
    
    Traceback (most recent call last):
      File &quot;&lt;string&gt;&quot;, line 1, in &lt;module&gt;
      File &quot;/tmp/pip-build-ft5yzzuv/Pillow/setup.py&quot;, line 756, in &lt;module&gt;
        raise RequiredDependencyException(msg)
    __main__.RequiredDependencyException:
    
    The headers or library files could not be found for jpeg,
    a required dependency when compiling Pillow from source.
    
    Please see the install instructions at:
       https://pillow.readthedocs.io/en/latest/installation.html

I went through the requirements on https://pillow.readthedocs.io/en/latest/installation.html and tried to find the corresponding packages for Alpine, although one I couldn&#39;t find was **libimagequant**, so this might be the &#39;culprit&#39;. Nonetheless, it the traceback and error message seem to be saying that `jpeg` is missing, whereas I have installed `openjpeg`. 

How can I modify the `Dockerfile` so that `pip install Pillow` runs?




  [1]: https://hub.docker.com/_/python/
  [2]: https://doc.scrapy.org/en/latest/topics/media-pipeline.html#using-the-images-pipeline

&quot;The headers or library files could not be found for jpeg&quot; installing Pillow on Alpine Linux

I&#39;ve just seen a weird behaviour of the `this` keyword in NodeJS environment. I&#39;m listing them with code. I&#39;ve run this codes with `NodeJS v6.x`, with a single `JavaScript` file.

While testing with one line of code as follows, whether with or without the `&#39;use strict&#39;` statement, this points to an empty object `{}`.

    console.log(this)

But, when I&#39;m running the statement within a self executing function like,

    (function(){
      console.log(this);
    }());

It&#39;s printing a really big object. Seems to me the Global execution context object created by `NodeJS` environment.

And while executing the above function with a `&#39;use strict&#39;` statement, expectedly it&#39;s printing `undefined`

    (function(){
      &#39;use strict&#39;;
    
      console.log(this);
    }());

But, while working with browser (I&#39;ve tested only with `Chrome`), the first three examples yield the `window` object and the last one gave `undefined` as expected.

The behaviour of the browser is quite understandable. But, in case of `NodeJS`, does it not create the execution context, until I&#39;m wrapping inside a function? 

So, most of the code in `NodeJS` runs with an empty **global** `object`?

What is the &#39;global&#39; object in NodeJS

I generated a JWT and there are some claims which I understand well, but there is a claim called `kid` in header. Does anyone know what it means?

I generated the token using auth0.com

What&#39;s the meaning of the &quot;kid&quot; claim in a JWT token?

<p>I generated a JWT and there are some claims which I understand well, but there is a claim called <code>kid</code> in header. Does anyone know what it means?</p>
<p>I generated the token using auth0.com</p>


I have one file request.js which contains wrapper for axios ajax request. I am calling request function from multiple react components and when one of the request fails I want to refresh the token and retry all the failed requests again. I can use intercepters, but I don&#39;t know how to implement it. Please help.

request.js

     var client = axios.create({
       baseURL: &#39;http://192.168.1.3:3000&#39;,
         headers: {
         appID: 8,
         version: &quot;1.1.0&quot;,
         empID: localStorage.getItem(&#39;empID&#39;),
         token: localStorage.getItem(&#39;accessToken&#39;)
        }
     });

     const request = function(options) {
         const onSuccess = function(response) {
             console.debug(&#39;Request Successful!&#39;, response);
             return response.data;
         } 
         const onError = function(error) {
             console.error(&#39;Request Failed:&#39;, error.config);
             if (error.response) {
                 console.error(&#39;Status:&#39;,  error.response.status);
                 console.error(&#39;Data:&#39;,    error.response.data);
                 console.error(&#39;Headers:&#39;, error.response.headers);
             } else {
                 console.error(&#39;Error Message:&#39;, error.message);
             }

             return Promise.reject(error.response || error.message);
         }

         return client(options)
             .then(onSuccess)
             .catch(onError);
             options
     }

     export default request;

How to handle 401 (Authentication Error) in axios and react?

I am considering to use JWT. In the [jwt.io example](https://jwt.io/) I am seeing the following information in the payload data:

    &quot;admin&quot;: true

Admin can be considered as a Role, hence my question. Is setting the role in the token payload a habitual/good practice? Given that roles can be dynamically modified, I&#39;m quite interrogative.

Is setting Roles in JWT a best practice?

I want to save/persist/preserve a cookie or localStorage token that is set by a **cy.request()**, so that I don&#39;t have to use a custom command to login on every test. This should work for tokens like **jwt** (json web tokens) that are stored in the client&#39;s localStorage. 



Preserve cookies / localStorage session across tests in Cypress

My SPA application uses the following architecture ([source](https://auth0.com/blog/refresh-tokens-what-are-they-and-when-to-use-them/)):

[![enter image description here][1]][1]

This assumes that my client application knows about the refresh token, because I need it to request a new access token if no user credentials (e.g. email/password) are present.

My question: **Where do I store the refresh token in my client-side application?** There are lots of questions/answers about this topic on SO, but regarding the refresh token the answer are not clear.

Access token and refresh token shouldn&#39;t be stored in the local/session storage, because they are not a place for any sensitive data. Hence I would store the **access token** in a `httpOnly` cookie (even though there is CSRF) and I need it for most of my requests to the Resource Server anyway.

**But what about the refresh token?** I cannot store it in a cookie, because (1) it would be send with every request to my Resource Server as well which makes it vulnerable to CSRF too and (2) it would send expose both access/refresh token with an identical attack vector.

There are three solutions I could think of:

___

1) Storing the refresh token in an in-memory JavaScript variable, which has two drawbacks: 

* a) It&#39;s vulnerable to XSS (but may be not as obvious as local/session storage
* b) It looses the &quot;session&quot; if a user closes the browser tab

Especially the latter drawback makes will turn out as a bad UX.

___

2) Storing the access token in session storage and sending it via a `Bearer access_token` authorization header to my resource server. Then I can use `httpOnly` cookies for the refresh token. This has one drawback that I can think of:

* a) The refresh token is exposed to CSRF with every request made to the Resource Server. 

___

3) Keep both tokens in `httpOnly` cookies which has the mentioned drawback that both tokens are exposed to the same attack vector.

___

Maybe there is another way or more than my mentioned drawbacks (please let me know), but in the end everything boils down to **where do I keep my refresh token on the client-side**? Is it `httpOnly` cookie or an in-memory JS variable? If it is the former, where do I put my access token then? 

Would be super happy to get any clues about how to do this the best way from people who are familiar with the topic.


  [1]: https://i.stack.imgur.com/BPJjA.png

Where to store the refresh token on the Client?

I was using a username password for pushing my code. It was working for several months, but suddenly I&#39;m not able to do it and am getting this error:

```
Username for &#39;https://github.com&#39;: shreyas-jadhav
Password for &#39;https://shreyas-jadhav@github.com&#39;:
remote: Password authentication is temporarily disabled as part of a brownout. Please use a personal access token instead.
remote: Please see https://github.blog/2020-07-30-token-authentication-requirements-for-api-and-git-operations/ for more information.
```

Please note that the link doesn&#39;t help. Even using the generated token doesn&#39;t help.

&gt; **Moderator Note:** This is [part of a planned and soon-to-be permanent service change by GitHub](https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/)



Password authentication is temporarily disabled as part of a brownout. Please use a personal access token instead

I&#39;m currently building a single page application using ReactJS.

I read that one of the reasons for not using `localStorage` is because of XSS vulnerabilities.

Since React escapes all user input, would it now be safe to use `localStorage`?

Is it safe to store a JWT in localStorage with ReactJS?

I dont want my token to get expire and shold be valid forever.

    var token = jwt.sign({email_id:&#39;123@gmail.com&#39;}, &quot;Stack&quot;, {
                           
                            expiresIn: &#39;24h&#39; // expires in 24 hours
                       
                             });
  In above code i have given for 24 hours..
I do not want my token to get expire.
What shall be done for this?

How to set jwt token expiry time to maximum in nodejs?

I&#39;ve been on quite an adventure to get JWT working on DotNet core 2.0 (now reaching final release today).  There is a *ton* of documentation, but all the sample code seems to be using deprecated APIs and coming in fresh to Core, It&#39;s positively dizzying to figure out how exactly it&#39;s supposed to be implemented. I tried using Jose, but app. UseJwtBearerAuthentication has been deprecated, and there is no documentation on what to do next.

Does anyone have an open source project that uses dotnet core 2.0 that can simply parse a JWT from the authorization header and allow me to authorize requests for a HS256 encoded JWT token?

The class below doesn&#39;t throw any exceptions, but no requests are authorized, and I get no indication _why_ they are unauthorized.  The responses are empty 401&#39;s, so to me that indicates there was no exception, but that the secret isn&#39;t matching.

One odd thing is that my tokens are encrypted with the HS256 algorithm, but I see no indicator to tell it to force it to use that algorithm anywhere.

Here is the class I have so far:

	using System;
	using System.Collections.Generic;
	using System.IO;
	using Microsoft.AspNetCore.Authentication;
	using Microsoft.AspNetCore.Authentication.JwtBearer;
	using Microsoft.AspNetCore.Builder;
	using Microsoft.AspNetCore.Hosting;
	using Microsoft.AspNetCore.Http;
	using Microsoft.Extensions.Configuration;
	using Microsoft.Extensions.DependencyInjection;
	using Microsoft.Net.Http.Headers;
	using Newtonsoft.Json.Linq;
	using Microsoft.IdentityModel.Tokens;
	using System.Text;

	namespace Site.Authorization
	{
		public static class SiteAuthorizationExtensions
		{
			public static IServiceCollection AddSiteAuthorization(this IServiceCollection services)
			{
				var signingKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(&quot;SECRET_KEY&quot;));

				var tokenValidationParameters = new TokenValidationParameters
				{
					// The signing key must match!
					ValidateIssuerSigningKey = true,
					ValidateAudience = false,
					ValidateIssuer = false,
					IssuerSigningKeys = new List&lt;SecurityKey&gt;{ signingKey },


					// Validate the token expiry
					ValidateLifetime = true,
				};

				services.AddAuthentication(options =&gt;
				{
					options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
					options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;


				})
				
				.AddJwtBearer(o =&gt;
				{
					o.IncludeErrorDetails = true;
					o.TokenValidationParameters  = tokenValidationParameters;
					o.Events = new JwtBearerEvents()
					{
						OnAuthenticationFailed = c =&gt;
						{
							c.NoResult();

							c.Response.StatusCode = 401;
							c.Response.ContentType = &quot;text/plain&quot;;

							return c.Response.WriteAsync(c.Exception.ToString());
						}

					};
				});

				return services;
			}
		}
	}

JWT on .NET Core 2.0

After a lot of struggling (and a lot of tuturials, guides, etc) I managed to setup a small .NET Core REST Web API with an Auth Controller issuing JWT tokens when stored username and password are valid.

The token stores the user id as sub claim.

I also managed to setup the Web API to validate those tokens when a method uses the Authorize annotation.

&lt;pre&gt; app.UseJwtBearerAuthentication(...)&lt;/pre&gt;

Now my question:
How do I read the user id (stored in the subject claim) in my controllers (in a Web API)?

It is basically this question ([How do I get current user in ASP .NET Core][1]) but I need an answer for a web api. And I do not have a UserManager. So I need to read the subject claim from somewhere.


  [1]: https://stackoverflow.com/questions/36641338/how-get-current-user-in-asp-net-core%20

How do I get current user in .NET Core Web API (from JWT Token)

I have an `api` that uses `jwt` for authencation. I am using this api for a `vuejs` app. I am trying to display an image in the app using 

    &lt;img src=&quot;my/api/link&quot; /&gt;

But the `api` expects `Authorization` header with `jwt token` in it.

Can I add headers to browser request like this(Answer to few questions here has made me believe it&#39;s not possible)? 

Is there any way around it(using js) or should i change the `api` itself? 

Content Type	Original Author	Original Content on Stackoverflow
Question	tylkonachwile	View Question on Stackoverflow
Solution 1 - Token	cassiomolin	View Answer on Stackoverflow
Solution 2 - Token	Lukas Kolletzki	View Answer on Stackoverflow

What's the meaning of the "kid" claim in a JWT token?

Token Problem Overview

Token Solutions

Solution 1 - Token

Solution 2 - Token

What is the 'global' object in NodeJS

"The headers or library files could not be found for jpeg" installing Pillow on Alpine Linux

Attributions