My previous blog posts covered topics like cookies and CSRF attacks. Today, I want to share what I've learned about JWTs --- a topic that came up during a job interview where I was asked about their security. Since it's quite a bit lengthy, this post will focus on the fundamentals of JWTs.
- What is JWT?
- How JWT Ensures Security
- Use Cases
- The Structure of JWT
- How JWT works
What is JWT?
JWT stands for JSON Web Token, an open standard (RFC 7519) for securely transmitting information between two parties, such as a client and a server. As the name implies, the data within a JWT is formatted as a JSON object.
JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.
How JWT Ensures Security
To protect the transmitted JSON data, JWTs are cryptographically signed using:
- HMAC (Hash-based Message Authentication Code)
- RSA or ECDSA (Asymmetric cryptographic algorithms)
Encrypted tokens hide the data so only those with the decryption key can read it. In contrast, JWTs commonly use signed tokens, where the data inside the token (called "claims") is visible to anyone with the token. However, signing ensures the integrity of the token, confirming it hasn't been tampered with. When using a private/public key pair, the private key is used to sign the token, and the public key is used to verify its authenticity.
Use Cases
Authorization:
After a user logs in, JWTs are included in subsequent requests to allow access to specific routes, services, or resources permitted by the token. JWTs are commonly used in Single Sign-On (SSO) systems due to their lightweight nature and compatibility across different domains.
Information Exchange:
JWTs provide a secure way to exchange information between parties. When signed with public/private key pairs, they ensure the sender's authenticity and verify that the content has not been tampered with, thanks to the signature based on the token's header and payload.
The Structure of JWT
JWT consists of three parts: Header, Payload, and Signature. These parts are encoded separately and then combined with dots (.).
Example:
header.payload.signature
Header
The header typically consists of two parts: the type of token (JWT) and the signing algorithm being used, such as HMAC SHA256 or RSA.
Example:
{
"alg": "HS256",
"typ": "JWT"
}
Payload
The payload contains claims, which are statements about an entity (usually the user) and additional data. Some claims are predefined (registered), while others can be custom-defined.
Examples of claims:
exp (expiration time) - registered
role (e.g., "admin" or "user") - custom
Example Payload"
{
"sub": "1234567890",
"name": "John Doe",
"admin": true
}
Signature
The signature is used to verify that the message has not been tampered with. If a private key is used, the signature also ensures the sender's authenticity.
Example of Signature Generation:
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
secret)
Encoded JWT
All three parts (header, payload, signature) are Base64-URL encoded, and the final token looks like this:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.KMUFsIDTnFmyG3nMiGM6H9FNFUROf3wh7SmqJp-QV30
Source:
Examples and additional details are sourced from the
JWT Documentation.
How JWT works
Add JWT to a Header
When sending a request from a client to a server (e.g., submitting a form or accessing APIs), a JWT is included in the HTTP Header in the following format:
Authorization: Bearer <token>
This token is used for authentication on the server side.
Three Parties Involved:
Client
Represents your application or browser.
Sends an authentication request.Authorization Server
Verifies the user's information, such as ID or password.
If the verification is successful, it returns a JWT to the client.Resource Server / API Server
Receives the client's request and checks the JWT in the Header.
If the JWT is valid, it grants access to the requested resources or APIs.
In the next blog post, I'll delve deeper into the topic, focusing on the advantages and disadvantages of JWTs.
Top comments (0)