All you need to know about JSON Web Tokens(JWT) — Part 1/2
This is the first part of JWT blog where I’ll talk about what JSON Web Tokens are, how they work and when to use them. In the second part, I talk about the structure of JWT, how it is generated and how a server can issue a JWT token in Javascript.
What is JWT?
JSON Web Token (JWT) is a JSON based method of transferring data between two parties in a compact, self-contained and secure manner. It is an open standard (RFC 7519) used especially in the context of web browser single sign-on (SSO). Each token asserts a claim that is provided to the client. These claims can be used to pass identity information for authentication. For example, the server could generate a token that has the claim “valid login ID” and a client could then use it to authenticate itself. The information contained within the JSON object can be verified and trusted because it is digitally signed.
How does JWT work?
The tokens are digitally signed by the server’s private key. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair (with RSA or ECDSA). Do note that with signed tokens, all the information contained within the token is exposed to users or other parties, even though they are unable to change it.
A user logs in by placing a request to the authentication server with their credentials from the client side. The server authenticates their request and also creates a JWT token that is signed and contains all necessary information for the user to access resources. With JWT, the user can then safely communicate with the application. Now, when the user makes API calls to the application, the user passes the JWT along with the API call. In this setup, the application server is configured to verify that the incoming JWT is created by the authentication server. Since the application knows the secret key, it can perform the same signature algorithm. If the signatures match, the JWT is valid thus, authenticating the client. Thus, trust is established between the client and the server.
When to use JWT?
- To locally save user session at client side instead of the traditional approach of creating a session in the server and returning a cookie. This allows a stateless authentication mechanism as the user state is never saved in server memory.
- To reduce repeated database queries because JWTs are self-contained, that is, they have all the necessary information to allow an authenticated user to access all server resources and routes.
- To pass data in HTML and HTTP environments because of its small size. JSON is less verbose than XML so its encoded size is also smaller. It can be sent through a URL, POST parameter, or inside an HTTP header.
- To authenticate a user via single sign-on. This is the most common use case of JWT and can be easily used among systems of different domains.
- To exchange information as JWT is a good way to securely transmit information between parties because it can be signed by the sender. It also allows checking if the content has been tampered with.
- Additionally, JSON parsers are common in most programming languages, because they map directly to objects as compared to XML that doesn’t have a natural document-to-object mapping.
With proper design, developers can address algorithm vulnerabilities by taking following precautions:
- Never let the JWT header alone drive verification
- Know the algorithms
- Use an appropriate key size
What JWT is not used for?
The data inside a JWT is encoded and signed, not encrypted. The purpose of encoding data is to transform the data structure. Signing data allows the data receiver to verify the source’s authenticity. So encoding and signing data does NOT secure the data. On the other hand, the main purpose of encryption is to secure data and prevent unauthorized access.
In part 2 of this blog, I’ll talk about the token structure of JWT, how it is generated and how a server can issue JWT token in Javascript.
Thank you for reading! If you found this helpful, here are some next steps you can take:
