JSON Web Token (JWT) Detailed Explanation
- A JSON Web Token (JWT) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.
- A JWT is composed of three parts separated by dots ('.'):
- 1. Header
- 2. Payload
- 3. Signature
- Each part is Base64Url encoded.
- 1. Header: The header typically consists of two parts:
- The type of token, which is JWT.
- The signing algorithm being used, such as HMAC SHA256 or RSA.
- Example:
{
"alg": "HS256",
"typ": "JWT"
}
- 2. Payload: The payload contains the claims. Claims are statements about an entity (typically, the user) and additional data. There are three types of claims:
- Registered claims: These are a set of predefined claims which are not mandatory but recommended, to provide a set of useful, interoperable claims. Some of them are `iss` (issuer), `exp` (expiration time), `sub` (subject), and `aud` (audience).
- Public claims: These can be defined at will by those using JWTs. But to avoid collisions, they should be defined in the IANA JSON Web Token Registry or be defined as a URI that contains a collision-resistant namespace.
- Private claims: These are the custom claims created to share information between parties that agree on using them and are neither registered nor public.
- Example:
{
"sub": "1234567890",
"name": "John Doe",
"admin": true
}
- 3. Signature: To create the signature part, you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that.
- Example:
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
secret
)
- Putting all together, you get a JWT that looks like this:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
- Authentication: When the user logs in, the server verifies the credentials. If valid, the server generates a JWT and sends it to the user.
- Client-side storage: The client stores the JWT (usually in local storage or a cookie).
- Authorization: Every time the client makes a request to a protected route or resource, it sends the JWT along with the request. This can be done using an HTTP header like `Authorization: Bearer <token>`.
- Server-side verification: The server verifies the token's signature and checks the claims (e.g., expiration date, issuer) to determine if the request is valid.
- Compact: Due to their size, JWTs can be sent through a URL, POST parameter, or inside an HTTP header, and they are easy to use in mobile devices.
- Self-contained: The payload contains all the information needed about the user, reducing the need to query the database.
- Secure: The signature is calculated using the header, payload, and a secret or private key, ensuring the integrity and authenticity of the token.
- Authentication: Commonly used for user authentication.
- Information Exchange: Securely transmitting information between parties.
- Authorization: Verifying if the user has the correct permissions to access a resource.
- Always use HTTPS to ensure the JWT is sent securely.
- Keep your secret or private key secure.
- Use a strong signing algorithm (e.g., RSA or HMAC with SHA-256).
- Validate the token’s claims, such as expiration time (`exp`), issuer (`iss`), and audience (`aud`).
- JWTs are widely used due to their simplicity and the security they provide, making them an excellent choice for modern web applications.
No comments:
Post a Comment