Table of contents
No headings in the article.
What is JWT?
JSON Web Token (JWT) is an open industry standard RFC (Request for Comment) 7519 method for representing claims between two parties that are securely transmitted as a JSON object. This transmitted information can be verified and trusted because it is digitally signed with a secret key. It is commonly used for authentication and authorization in web and mobile applications.
Why JWT Token
Users can be Authenticated using JWT Tokens which have been digitally signed with a secret key issued by the Issuer.
Instead of storing User Credentials on the Server that can be easily accessed by attackers on the internet. We use JWT, to maintain user secrets with different Algorithms.
Structure of JWT
A JWT is represented as a sequence of base64url encoded values that are separated by period characters ( . ).
JWT is typically composed of three parts which are separated by dots(.);
🤞 Header
🤞 Payload
🤞 Signature
🤞 Header
It is made up of two parts, which are the type of JWT and the algorithm of HMAC (Hashed-based Message Authentication Code), SHA256, or RSA. e.g.
{
“alg”: “HS256”,
“typ”: “JWT”
}
🤞 Payload
The payload contains claims about the entity (typically the user) as well as additional information to be transmitted in the token. There are multiple claims we can provide, these include registered claims, public claims, and private claims.
👉 Registered Claims: They are recommended claims that provide useful and interoperable claims about the user.
Below is an illustration of the registered claim;
{
“iss”: “https://accounts.facebook.com”,
“azp”: “1259740374210.apps.facebookusercontent.com”,
“aud”: “1259740374210.apps.facebookusercontent.com”,
“sub”: “1097391739459274842709122301”,
“at_hash”: “ATGE_K4Nm4I28nAovzUF7P”,
“email”: “Jdoe@example.com”,
“email_verified”: “true” “lat”: 9571037501,
“exp”: 9571032101,
“nonce”: “1026347-2130352-3149581”,
“hd”: “example.com”
}
The client application uses the above token to sign in with Facebook to verify the identity of the client.
Let's break down the above abbreviation into simpler words.
✔ iss(issuer): Identifies the principal that issued the JWT e.g Facebook.
✔ sub: Identifies the subject of the JWT
✔ at_hash(access token hash): Provides a hash of the access token, which can be used to prevent certain attacks.
✔ email: The email address of the user.
✔ email _verified: Indicates whether the user’s email address has been verified.
✔ iat(issued at): The time at which the JWT was issued.
✔ exp (expiration time): The time at which the JWT will expire.
✔nonce: A Unique value generated by the client to help prevent replay attacks.
✔ hd (hosted domain): It is an optional claim that indicates a hosted domain restriction for the token. It is used to restrict token usage to a specific domain or subdomain. It can be used to prevent token misuse when the token is intended for a specific domain or subdomain.
👉Public Claims: These are defined as the users of JWT.
👉 Private Claims: These are custom claims created to share data between parties that agree on using them and are neither registered nor public claims.
e.g.
{
“sub”: “1234567890”,
“name”: “John Doe”,
“admin”: true
}
🤞 Signature
The signature is created by signing the encoded header, encoded payload, and secret. The signature is used to verify if the message wasn’t changed and in the case of tokens signed with a private key, it verifies who the sender of JWT is who it says it is.
Advantages of Token-Based Authentication
👉JWT is digitally signed and safe from being altered by the client or attacker.
👉 It is stateless and easier to scale. It contains the required information to identify the user eliminating the need for the session state.
👉 JWT generated on the server side is stored on the client when the client submits a new request.
👉It is reusable and can run on multiple platforms and domains, reusing the same token to authenticate users.
In Conclusion, We looked at JWT's Structure, advantages, and Purpose as a digitally signed token that can authorize and authenticate Users on different platforms.