Getting Started
This is a series of posts divided into 4 parts. The same posts are being posted on different IT blogs like Hackernoon, Devto and Medium.
Big Picture
So you could be skipping the whole series of posts and seeing the final repository and how it works.
IMPORTANT: This is not a code for production, it is for understanding concepts. I really don't recommend using it in production.
Seen the warning above, the code does not include any configuration and all keys and passwords are stored in the repository.
In the repository you can find examples and commented code. Not everything in the garden is rosy, but we have a good start. Feel free to create pull-request or ask more.
So enough litany and let's get down to business!
PART 1 - What the heck is a JWT?
Many people may have already seen or used JWT without even knowing what a it really is, here whe have a good start JWT.io.
In The Idiomatic Way
JSON Web Token or popularly known as JWT is a set of base64url encoded string separated by .
's. Something similar to aaaaaaaaaaaaaaaaaaa.bbbbbbbbbbbbbbbbbbb.ccccccccccccccccccc
, - but what is this parts ? -, the first two parts are a set of public information in JSON Object and the third is a signature, usually signed with some private key or password ( depending on the security level implemented ). The general use of JWT is authentication and authorization.
In The Technical Way
JWT refers to RFC7519 and it's a community accepted and discussed standard and after published by the Internet Engineering Steering Group ( IESG ) as an Internet Standards.
Usually used by OAuth Servers or IdentityProviders carrying client information ( one user or application ).
JWT consists of JSON objects that are Header, Payload and one Signature. Usually Header and Payload contain public information, while Signature contains some private information.
Let's see what they really look like ?
An encoded JWT ( with line breaks for display purposes only ):
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Decoded Header:
{
"alg": "HS256",
"typ": "JWT"
}
Here we have a JOSE Header that declares that the encoded object is a JWT and the signature is based on HMAC encryption. We can confirm this by looking at the typ
and alg
, where alg
refers to the algorithm used for signature and typ
refers to the token type.
Decoded Payload:
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022
}
The payload is usually a set of claims that contain information about the client, the generation of this token, and more.
The JWT specification defines seven reserved claims that are not required, but are recommended to allow interoperability with third-party applications. They are:
- iss (issuer): Issuer of the JWT
- sub (subject): Subject of the JWT (the user)
- aud (audience): Recipient for which the JWT is intended
- exp (expiration time): Time after which the JWT expires
- nbf (not before time): Time before which the JWT must not be accepted for processing
iat (issued at time): Time at which the JWT was issued; can be used to determine age of the JWT
-
jti (JWT ID): Unique identifier; can be used to prevent the JWT from being replayed (allows a token to be used only once)
You can see more standards internet claims here.
Signature:
In this case Signature it's composed by:
HMACSHA256( base64UrlEncode( header ) + "." + base64UrlEncode( payload ), your-256-bit-secret
)
Where your-256-bit-secret
is a password to validate and generate this token. Depending on the algorithm used, we could use private certificates for token generation and public certificates for validation of the token like in RSA Algorithms or EDCSA Algorithms.
For example in RSA:
RSASHA512( base64UrlEncode(header) + "." + base64UrlEncode(payload), < Public Key or Certificate > , < Private Key or Certificate > )
PART 2 - Generating a token
WIP - Work In Progress
References:
A go implementation of JSON Web Tokens:
https://github.com/dgrijalva/jwt-go
Internet Standard Claims:
https://auth0.com/docs/tokens/jwt-claims
https://www.iana.org/assignments/jwt/jwt.xhtml#claims
Javascript Object Signing and Encryption (JOSE):
https://jose.readthedocs.io/en/latest/
https://datatracker.ietf.org/wg/jose/documents/
RFC2104 - HMAC: Keyed-Hashing for Message Authentication:
https://tools.ietf.org/html/rfc2104
RFC6979 - Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA):
http://tools.ietf.org/html/rfc6979
RFC7519 - JSON Web Token (JWT):
https://tools.ietf.org/html/rfc7519
RFC8017 - PKCS #1: RSA Cryptography Specifications Version 2.2:
Top comments (0)