A JSON Web Token (JWT) is a JSON object, defined in RFC 7519, that provides a safe way of transmitting information between two parties. The information in a JWT is digitally signed (or MAC-protected), so that the receiving party can verify its integrity and trust it.
JWT Properties
JWT Use Cases
A JWT consists of three parts, the Header, the Payload, and the Signature, separated by dots:
Header.Payload.Signature
Header
The JWT Header consists of two parts, the token type (typ) and the signing algorithm (alg):
{
"typ" : "JWT",
"alg" : "HS256"
}
Header Algorithm Types:

alg Value   Digital Signature or MAC Algorithm
HS256       HMAC using SHA-256 hash algorithm
HS384       HMAC using SHA-384 hash algorithm
HS512       HMAC using SHA-512 hash algorithm
RS256       RSASSA using SHA-256 hash algorithm
RS384       RSASSA using SHA-384 hash algorithm
RS512       RSASSA using SHA-512 hash algorithm
ES256       ECDSA using P-256 curve and SHA-256 hash algorithm
ES384       ECDSA using P-384 curve and SHA-384 hash algorithm
ES512       ECDSA using P-521 curve and SHA-512 hash algorithm
The Base64Url-encoded Header, which is the first part of our JWT, looks like the following:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
Payload
The Payload, also known as the JWT claims set, contains all of the information we want to transmit.
Different types of claims can be used to build the Payload:
Code   Name             Description
iss    issuer           Identifies the principal that issued the JWT.
sub    subject          Identifies the principal that is the subject of the JWT.
aud    audience         Identifies the recipients that the JWT is intended for.
exp    Expiration time  Identifies the expiration time on or after which the JWT MUST NOT be accepted for processing.
nbf    Not before       Identifies the time before which the JWT MUST NOT be accepted for processing.
iat    Issued at        Identifies the time at which the JWT was issued.
jti    JWT ID           Unique identifier for the JWT; can be used to prevent the JWT from being replayed.
Example Payload:
{
"sub": "1234567890",
"name": "Frank Emic",
"jti": "4b5fcea6-2a5e-4a9d-97f2-3d8631ea2c5a",
"iat": 1521191902,
"exp": 1521195630
}
This example contains a combination of registered and public claims: "sub", "jti", "iat", and "exp" are registered claims, and "name" is a public claim.
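As an added example that is not part of the original page, the following Python builds the Header and Payload shown above into an HS256-signed Header.Payload.Signature token and verifies it: the signature is compared in constant time, the accepted algorithm is pinned by the verifier rather than read from the token, and the exp and nbf claims are enforced as the table describes. The shared key is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample key; a real deployment uses a random secret of at least 32 bytes.
KEY = b"example-shared-secret-do-not-use"
# Header and payload taken from the examples on this page.
HEADER = {"typ": "JWT", "alg": "HS256"}
PAYLOAD = {"sub": "1234567890", "name": "Frank Emic",
           "jti": "4b5fcea6-2a5e-4a9d-97f2-3d8631ea2c5a",
           "iat": 1521191902, "exp": 1521195630}

def b64url_encode(data: bytes) -> str:
    # Base64Url as JWT uses it: URL-safe alphabet, trailing '=' padding removed
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_segment(obj: dict) -> str:
    # Compact, key-sorted JSON so the same object always encodes identically
    return b64url_encode(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())

def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    signing_input = f"{encode_segment(header)}.{encode_segment(payload)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"  # Header.Payload.Signature

def verify_hs256(token: str, key: bytes, now=None) -> dict:
    # Returns the claims if signature and time claims check out; raises ValueError otherwise
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    # The verifier pins the algorithm it accepts; the token's own alg field is not trusted
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:   # exp: MUST NOT accept on or after
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:    # nbf: MUST NOT accept before
        raise ValueError("token not yet valid")
    return claims
```

Encoding HEADER with encode_segment yields exactly the Base64Url string shown in the Header section above, and sign_hs256(HEADER, PAYLOAD, KEY) produces the three-part token.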
#json #token #web