Same old web..new drama..
What are JSON Web Tokens (JWT)?
JWT are tokens that you can use in your web application to transfer data over a network and therefore authenticate communication between 2 parties. A better definition is:
JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties. – Source
It is a signed, base64-encoded string (it looks like a hash, but it is not encrypted: anyone who holds it can decode the contents) that carries data and need not be stored in the database, as it has an expiry date. The basic premise is that after the server authenticates the user, a JSON object is sent to the user, and on every later request the user sends that JSON object back to the server. Signing the data contained in the token with a signing algorithm lets the other party trust that it has not been altered, so the token has high data integrity.
These tokens are compact and can be sent as part of a POST request or as a query string in a URL. To identify/authenticate people in your (web/mobile) app, put a standards-based token in the header or url of the page (or API endpoint) which proves the user has logged in and is allowed to access the desired content. – here
The goal of a token is to let the end user trust that the received data has not been altered in any way. Since anyone can read a JWT, private information should NOT be sent as part of a token.
Anatomy of a JWT
A JWT consists of 3 parts:
All 3 make up a JWT and look something like this:
PS: note that each part is separated by a “.”
The header is base-64 encoded and contains meta-data, i.e. a few key pieces of info about the JWT. Most commonly:
- Signature mechanism, i.e. which signing algorithm was used (e.g. HMAC SHA-256 or RSA SHA-256)
- The type of token (JWT)
So the header (here with the HMAC SHA-256 algorithm, whose JWA name is HS256) looks like this:
{ "typ": "JWT", "alg": "HS256" }
Then this JSON object is converted into a string using the
const encodedHeader = Buffer.from(JSON.stringify(header)).toString('base64url'); // JWTs use base64url (no '+', '/' or '=' padding), matching base64UrlEncode in the signature formula below
The payload is a JSON object which contains information that is to be sent to the end user. Like the header, the payload is also base-64 encoded. The payload is also known as “claims”. There are 3 types of claims:
- Public claims: no 2 public claims may have the same name
- Private claims: must have names different from the public and registered claims
- Registered claims: universally defined claims for specific purposes (for example the token expiry time, signified by “exp”, and the issuer, signified by “iss”)
So a payload with 2 registered claims (iss and exp) and 2 public claims (name, admin) essentially looks like this:
{ "iss": "kauress.me", "exp": 12302019, "name": "Kauress", "admin": true }
Then this JSON object is also converted into a string using the
The 3rd part of a JWT is the signature. It is a keyed hash (HMAC) over the other two parts of the JWT, the “header” and the “payload”, which ensures that the data cannot be tampered with. Computing it requires a ‘secret’ that is available only to the server and never disclosed to the user. A JSON Web Algorithm (JWA) is used to sign the JWT.
The signature is computed like this:
HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret )
And then what..
The 3 parts of the token are combined into a string, with each part separated by a ‘.’, and returned to the user.
JWTs are commonly used for:
- Stateless authentication
- Password resets
- Identify what resources a user can access
- Signature for content validation