JWT

Sumit RajJava, Security, Spring Security, ,
Table of contents
Reading Time: 3 minutes

JWT stands for JSON Web Token. It is basically used to transform some information between two parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with HMAC algorithm) or a public/private key pair using RSA.

  • JWT is very compact in size, we can send it through the HTTP header, Post parameter, etc. It’s compact that’s why its transmission is fast.
  • Generally, It payload contains all the information related to the user, to avoid hitting the database again and again.

Why do we need JSON web token?

We need a JSON web token for authorization and information exchanges.

  • Authorization :- When the user logged in into the system, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token. Single Sign On is a feature that widely uses JWT nowadays, because of its small overhead and its ability to be easily used across different domains.
  • Information Exchange :- It a good way of securely transmitting information between parties. Because It signed a using public/private key pairs. You can be sure the senders are who they say they are and we can check it signature is calculated using the header and the payload, you can also verify that the content hasn’t been tampered with.

JSON Web Token Structure :-

It consists of three parts separated by dots (.), which are:

  • Header
  • Payload
  • Signature

Header:- Basically Header consist of two parts, first is a type of token that is JWT and the second thing is the signing algorithm e.g RSA, HMAC, etc.

{
  "alg": "HS256",
  "typ": "JWT"
}

Then, this JSON is Base64Url encoded to form the first part of the JWT.

Payload:- The second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically, the user) and additional data. There are three types of claims: registeredpublic, and private claims.

  • Registered claims :- In JWT token some predefined claims, which are not mandatory but recomended, to send some useful information in token example sub(subject), iss(issuer), exp(expiration time) etc.

Notice that the claim names are only three characters long as JWT is meant to be compact.

  • Public claims :- These can be defined at will by those using JWTs. But to avoid collisions they should be defined in the IANA JSON Web Token Registry or be defined as a URI that contains a collision resistant namespace.
  • Private claims :- These are user defined(custom) claims created to share the informations between two parties that agree on using them and are neither registered or public claims.
{
  "sub": "bd297df5-8a76-4713-a34e-a820ff1fe687",
  "email": "test@dummy.com",
  "exp" : "1616239022",
  "iat": 1516239022
}

Signature:- To create the signature part you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that.

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret)

The signature is used to verify the message wasn’t changed along the way, and, in the case of tokens signed with a private key, it can also verify that the sender of the JWT is who it says it is.

Putting all togethers

When we put together the header, payload, and signature it looks like this: –

How do JSON Web Tokens work?

When the user is successfully login, a JSON web token will be returned. Since tokens are credentials, great care must be taken to prevent security issues. In general, you should not keep tokens longer than required.

When the user accesses any resources, the user agent sends the JWT typically in the Authorization header using the Bearer schema. The content of the header should look like the following:

Authorization: Bearer <JWT token>

This is a stateless authentication mechanism as the user state is never saved in the server memory. The server’s protected routes will check for a valid JWT in the Authorization header, and if there is, the user will be allowed. As JWTs are self-contained, all the necessary information is there, reducing the need of going back and forward to the database.

References

For more information on JWT, Click here.

Written by 

Sumit Raj is a java developer having experience of more than 3.1+ years. He is very interested to solve complex things in programming and also learn new technologies.

Knoldus-logo-final
nashtech-logo-white

COMPANY

Sign up to our newsletter

    Certificates

    IOSTQB Platinum Partner-white
    cmmi5-white
    ISO 27001-white
    ISO 27002-white
    ISO 9001-white
    Previous image
    Next image

    Partners

    knoldus-lightbend-white.png
    knoldus-databricks-white-.png
    knoldus-confluent-white.png
    knoldus-docker-white.png
    knoldus-hashiCorp-white.png
    knoldus-ibm-white.png
    knoldus-daml-white.png
    knoldus-datastax-white.png
    knoldus-kmine-white.png
    knoldus-rust-foundation-white.png
    knoldus-scala-white-1.png
    knoldus-snowflake-white-1.png
    umbraco 1
    aws-partner-logo 1
    Microsoft Gold Partner_white 1
    Previous image
    Next image
    © 2023 Knoldus, Inc. All Rights Reserved.
    Part of NashTech
    Privacy Policy | Sitemap