What is JWT (JSON Web Token)

JSON Web Token (JWT) Detailed Explanation

• A JSON Web Token (JWT) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.

Structure of a JWT

• A JWT is composed of three parts separated by dots ('.'):

• 1. Header
• 2. Payload
• 3. Signature

• Each part is Base64Url encoded.

• 1. Header: The header typically consists of two parts:

• The type of token, which is JWT.
• The signing algorithm being used, such as HMAC SHA256 or RSA.

• Example:

    {

        "alg": "HS256",

        "typ": "JWT"

    }

• 2. Payload: The payload contains the claims. Claims are statements about an entity (typically, the user) and additional data. There are three types of claims:

• Registered claims: These are a set of predefined claims which are not mandatory but recommended, to provide a set of useful, interoperable claims. Some of them are `iss` (issuer), `exp` (expiration time), `sub` (subject), and `aud` (audience).

• Public claims: These can be defined at will by those using JWTs. But to avoid collisions, they should be defined in the IANA JSON Web Token Registry or be defined as a URI that contains a collision-resistant namespace.

• Private claims: These are the custom claims created to share information between parties that agree on using them and are neither registered nor public.

• Example:

    {

        "sub": "1234567890",

        "name": "John Doe",

        "admin": true

    }

• 3. Signature: To create the signature part, you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that.

• Example:

    HMACSHA256(

        base64UrlEncode(header) + "." +

        base64UrlEncode(payload),

        secret

    )

• Putting all together, you get a JWT that looks like this:

    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.

    eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.

    SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

How JWT Works

• Authentication: When the user logs in, the server verifies the credentials. If valid, the server generates a JWT and sends it to the user.

• Client-side storage: The client stores the JWT (usually in local storage or a cookie).

• Authorization: Every time the client makes a request to a protected route or resource, it sends the JWT along with the request. This can be done using an HTTP header like `Authorization: Bearer <token>`.

• Server-side verification: The server verifies the token's signature and checks the claims (e.g., expiration date, issuer) to determine if the request is valid.

Advantages of JWT

• Compact: Due to their size, JWTs can be sent through a URL, POST parameter, or inside an HTTP header, and they are easy to use in mobile devices.

• Self-contained: The payload contains all the information needed about the user, reducing the need to query the database.

• Secure: The signature is calculated using the header, payload, and a secret or private key, ensuring the integrity and authenticity of the token.

Use Cases

• Authentication: Commonly used for user authentication.
• Information Exchange: Securely transmitting information between parties.
• Authorization: Verifying if the user has the correct permissions to access a resource.

Security Considerations

• Always use HTTPS to ensure the JWT is sent securely.
• Keep your secret or private key secure.
• Use a strong signing algorithm (e.g., RSA or HMAC with SHA-256).
• Validate the token’s claims, such as expiration time (`exp`), issuer (`iss`), and audience (`aud`).

• JWTs are widely used due to their simplicity and the security they provide, making them an excellent choice for modern web applications.