Morioh
Login
Hollie Ratke

Hollie Ratke

3 years ago

A JSON Web Token (JWT) is a JSON object that is defined in RFC 7519 as a safe way of transmitting information between two parties. Information in the JWT is digitally-signed, so that it can be verified and trusted.

JWT Properties

  • Less verbose - JWT is compact in size and can be passed in the URL, POST parameter, or HTTP header.
  • Self-contained - JWT carries all of information needed for exchanging information and authentication.
  • Versatile - JWT works in .NET, Python, Node.js, Java, PHP, Ruby, Go, JavaScript, and Haskell.

JWT Use Cases

  • Information Exchange - JWT can be used between two parties to exchange information. JWT is digitally-signed and can be used in a secure public/private key pair. Information is verified using the public key on the other end.
  • Authentication - JWT can contain user information in the payload and can be used in the session to authenticate the user. Once authenticated, users can access protected resources in an application using the JWT included in the request. So, every request will be authenticated by verifying the JWT.

JWT contains three parts: Header, Payload, and Signature which are separated by a dot.

Header.Payload.Signature

Header

The JWT Header consists of 2 parts:

  • The token type (typ): JWT
  • Algorithm used to sign the token (alg)
{  
 "typ" : "JWT",  
 "alg" : "HS256"  
}

Header Algorithm Types:

  • Symmetric Algorithms - This algorithm type uses a single secret key to both sign and verify the JWT token. For example: HMAC algorithms.
  • Asymmetric Algorithms - This algorithm type uses a private key to sign the token and a public key to verify the signature. For example: RSA and ECDSA algorithms.

alg Value

Digital Signature or MAC Algorithm

AlgoDescriptionHS256HMAC using SHA-256 hash algorithmHS384HMAC using SHA-384 hash algorithmHS512HMAC using SHA-512 hash algorithmRS256RSASSA using SHA-256 hash algorithmRS384RSASSA using SHA-384 hash algorithmRS512RSASSA using SHA-512 hash algorithmES256ECDSA using P-256 curve and SHA-256 hash algorithmES384ECDSA using P-384 curve and SHA-384 hash algorithmES512ECDSA using P-521 curve and SHA-512 hash algorithm

The Base64Url-encoded Header**,** which is first part of our JWT, looks like the following:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

Payload

The Payload, also known as the JWT claim, contains all of the information we want to transmit.

Different types of claims can be used to build the Payload:

  • Registered Claim - These claims are optional but recommended as they contain some metadata about the token:

CodeNameDescriptionississuerIdentifies the principal that issued the JWT.subsubjectIdentifies the principal that is the subject of the JWT.audaudienceIdentifies the recipients that the JWT is intended for.expExpiration timeIdentifies the expiration time on or after which the JWT MUST NOT be accepted for processing.nbfNot beforeIdentifies the time before which the JWT MUST NOT be accepted for processing.iatIssue atIdentifies the time at which the JWT was issued.jtiJWT idUnique identifier for the JWT, can be used to prevent the JWT from being replayed.

  • Public Claim - These claims are defined by you, such as user name, and other important information.
  • Private Claim - A producer and consumer may agree to use claim names that are private. These are subject to collision, so use them with caution.

Example Payload:

{  
 "sub": "1234567890",  
 "name": "Frank Emic",  
 "jti": "4b5fcea6-2a5e-4a9d-97f2-3d8631ea2c5a",  
 "iat": 1521191902,  
 "exp": 1521195630  
}

This example contains a combination of registered and public claims. “sub”,”jti”,”iat”, and “exp” are registered claims and “name” is a public claim.

#json #token #web

What is JSON Web Token

loginradius.com

What is JSON Web Token

A JSON Web Token (JWT) is a JSON object that is defined in RFC 7519 as a safe way of transmitting information between two parties. Information in the JWT is…

1.30 GEEK