Monthly Archives: October 2019

Json Web Token (JWT) – Introduction

If you have worked on OAuth, OpenID, or the authorization side of security, you must have come across the term JSON Web Token – JWT (pronounced as JOT).

In this post, I will explain its components and a few tips and tricks. In a previous post on securing a Spring Boot REST API, I showed how to use JWT to secure a REST API.

JSON Web Token (JWT) is a JSON object whose format the participating parties agree on. This object contains information that identifies a user or a participating party.

JWT is encrypted and signed, so it can be used securely. Even if a third party gets access to a JWT, that party will not be able to decrypt it unless it has the key with which it was signed. Also, a JWT is usually valid for a limited time, so a hacker will not be able to use a JWT that has expired even if the hacker was able to decrypt it.

There are a few use cases when you can use JWT.

  1. Single Sign-On – In some authorization scenarios, JWT is used to encrypt user information in a token for authentication purposes.
  2. Information exchange – JWT offers a lot of security, so it helps to exchange information between parties secretly.


Components

JSON Web Token consists of three parts – header, payload, and signature. Once you create a JWT from these three parts, you serialize it in compact form. So every JWT has the following shape (header, payload and signature separated by dots):

hhhhhh.pppppppp.ssssss

Header of JSON Web Token

Every JSON Web Token contains a header, a payload and a signature part. In the header part, you will have two important elements – the algorithm as alg and the key id as kid. Instead of these two elements, it can also contain alg and typ to indicate what type of token this is.

{
   "alg":"HS256",
   "kid": "NHAS42KWE49825JADTWWQRWR"
}

Payload

The payload is the part that contains the actual data in a JWT. This data is in the form of claims. Claims are identifying information about the user or entity. Other than the user information (sub), the payload also contains some important timing and origin information: at what time the token was issued (iat), who the issuer is (iss), what the expiration time is (exp), and before what time the token must not be used (nbf).

An example JWT payload looks like this:

{
  "sub": "betterjavacode\\userabc",
  "created": 1571755568798,
  "iss": "betterjavacode.com",
  "client_id": "randomclient",
  "nbf": 1571755569,
  "scope": "[Email]",
  "exp": 1571759169,
  "expires_in": "3600",
  "iat": 1571755569,
  "jti": "qqwrwe-wewewt-34343re-343gtrtr-323222"
}

Signature

The signature is created by taking the Base64 URL encoding of the header, a dot, and the Base64 URL encoding of the payload, and signing that string with a secret key using a signature algorithm of the server's choice; in this example it is HMACSHA256. The server that creates the JWT will not share the secret key with anyone and will have its own policies for creating that secret key. It can make the public key available to clients that request it.

When to use JWT?

The usual use case for JWT is authentication, since it can contain user data. Tokens are valid for a short duration, so they can’t be compromised. When the user accesses a protected resource, the user agent sends the JWT in the Authorization header using the Bearer scheme. As a precaution, a token should not contain any secret information. In that case, even if a JWT is stolen, nobody can use the JWT data for any other purpose.

JWT is a more compact alternative to the tokens that were usually exchanged through Security Assertion Markup Language (SAML).

Conclusion

In this post, we discussed the details of JWT and when to use it.
