JWT Explained

#jwt #webdev #beginners #security

If you are a web developer or a student studying web development you must have heard of the term JWT. These days, JSON Web Tokens (JWTs) play a pivotal role in web development, particularly in the authentication and authorization processes of web applications. In this article we will delve deep into the world of JWTs,their structure, how they work and the advantages they offer over traditional session tokens.

A JWT stands for JSON Web Token. JWTs are used for securely transferring information between parties as a JSON object. For those familiar with JavaScript, JSON is a standard text-based format for representing structured data based on JavaScript object syntax. It is commonly used for transmitting data in web applications.

{
  "id" : "emp_007",
  "name" : "Gregor Samsa",
  "roles" : ["admin", "compliance"]
}

Structure of JWT
In its compact form, JSON Web Tokens consist of three strings separated by dots. It looks something like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

JWT consists of three parts:

Header: The header consists of two parts: the type of token which is JWT and the hashing algorithm which will be used in forming the signature.

{
 "alg":"HS256",
 "typ":"JWT"
}

This JSON is base64 encoded to form the first part of the JWT.

2.Payload: The payload consists of the claims which give information about the user. Claims consist of information such as user id, user name and the roles of user.Since a payload can easily be decoded it should not contain any sensitive information.

{
 "sub": "1234567890",
 "name": "Gregor Samsa",
 "admin": true,
 "iat": 1516239022
}

The payload is base64 encoded to form the second part of the JWT.

3.Signature: The signature is formed by taking together the encoded header, the encoded payload, a secret and then signing it with the hashing algorithm which is specified in the header.

HMACSHA256(
  base64UrlEncode(header) + '.' +
  base64UrlEncode(payload),
  secret)

The signature verifies that the sender of the JWT is who it says it is and that the message want changed in the way.

How JWT works?
So once a user logins the application using its credentials a JWT token is returned in the response. Like session tokens, JWT tokens can also be stored in the cookies of the browser.Now every subsequent request the user makes the JWT token will be sent along in the header of the request.Once the server receives the request it verifies the JWT using the signature. It uses the header and the payload received and the secret to generate a signature and if the generated signature matches the signature in the JWT it sends a successful response and gives the user access to the resources. If the generated signature doesn't match the signature in JWT the server sends back an error.

How is JWT different from session tokens?
In the case of session tokens, once the user logins the server creates a session and sends the session id in response.Now the session id is sent in every subsequent request.The server fetches the session corresponding to the session id and authorizes accordingly.
The major difference between JWT and session tokens is that JWT is stateless. Unlike session tokens nothing is stored on the server and the token is self-contained. This reduces the latency and the number of database calls. Also it makes the application more scalable. Since the token is self contained and nothing is stored on the server,the requests can be sent over to different servers by the load balancer without causing any issues.

Conclusion
I hope through this blog now you know a little more about JWTs.