Day-6: JSON Web Tokens (JWT).

#cybersecurity #security #javascript #blogaday

Day-6: It was a lazy day but also excited at the same time because WWDC Apple Event 2020 happening today. As said on day-4 that will do research on cross-site WebSocket hijacking, I'm not doing this right now because It's kinda more advance to me or will need more time, So I have marked this into my list, will do soon! Today did research on Json web Tokens (JWT)! So let's get started...!

What is JSON Web Tokens (JWT)?

JSON Web Token (JWT) is an open standard (RFC 7519) that means that anyone can use and it is used to Securely transfer information between any two bodies like any two servers or any two users.
The main reason it is used because it is digitally signed that means the information is verified and trusted. There is no alteration of data in between the transfer!
It is compact: It can be sent via URL, post request, Http header and also this makes the transmission process fast!

What problem does it solve?

Authentication
Authorization
Federated identity
Client-side sessions (“stateless” sessions)
Client-side secrets

What is the JSON Web Token structure?

A JSON Web Token looks like this,

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Breaking down, JWT token is divided into 3 parts i.e:

Header: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
Payload: eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ
Signature: SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Header:

Consists of 2 parts: Type of Token and Algorithm!
This JSON is Base64Url encoded!
Eg.

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload:

It contains the claims. Basically claims are user details and additional data like iss (issuer), exp (expiration time), sub (subject), aud (audience), etc.
There are 3 types of claims:
- Registered claims
- Public claims
- Private claims
This JSON is Base64Url encoded!
Eg.

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

Signature:

It is formed by Combining the encoded header, the encoded payload with the secret.
The signature is used to verify the message wasn't changed along the way!
Eg.

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret)

How does it works?

This Picture explains in a perfect way,

Resources:

Jwt.io doc: https://jwt.io/introduction/
JWT Handbook: https://www.fomasgroup.com/Portals/0/MgmNewsDocuments/jwt-handbook.pdf

Contact:

Got doubts? Contact me on Twitter.
Feedbacks are welcomed, do comment it down below! :)

Simplify data collection in your JS app with a fully integrated form management platform. Includes support for custom question types, skip logic, integrated CCS editor, PDF export, real-time analytics & more. Integrates with any backend system, giving you full control over your data and no user limits.

Learn more