JWT, or JSON Web Token (RFC 7519), is an open standard used to transfer claims, i.e. to share security information (authentication / authorization assertions) between two parties.
The JWT encodes the claims as a JSON object. For example, a server could generate a token carrying the claim "logged in as administrator" and hand it to the client. Tokens are typically signed and optionally encrypted. Signed tokens are referred to as JSON Web Signatures (JWS) and encrypted tokens as JSON Web Encryption (JWE). Tokens can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA. Signing (JWS) ensures:
- Integrity of data: the data has not been tampered with.
- Authenticity of data: you can be sure that the sender is who they say they are. Only the sender holds the private key (or the shared secret), so the receiver can verify, using the sender's public key or the shared secret, that the message came from the authentic sender. Note that verifying the signature is what establishes authenticity and integrity; a JWT whose signature has not been verified must not be trusted. Note also that with HMAC every party that can verify a token can also mint one, so the shared secret must only be held by the issuer and by verifiers you trust as much as the issuer.
Note that without a secure channel the token can be intercepted by a man-in-the-middle attack, so when securing APIs with JWT always use TLS. Note that even with TLS, sensitive user information still must not be placed in a signed-only JWT: the payload is only base64url-encoded, not encrypted, so anyone who holds the token, including the client, can read it.
A JWT is a string made up of three parts (header, payload, signature) separated by dots (.), each part serialized using base64url (base64 with a URL-safe alphabet and the trailing = padding removed).
JWT Example
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJMTSIsImlhdCI6MTYxOTQ3MDY4MiwiZXhwIjoxNjE5NDcxODg2LCJhdWQiOiJsb2dpY21vbml0b3IuY29tIiwic3ViIjoiTmVkIn0.mqWsk4fUZ5WAPYoY9bJHI7gD8Zwdtg9DUoCll-jXCMg
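To see those three parts, here is an added Python example (not part of the original article) that splits the example token above and base64url-decodes its header and payload. It parses only: the secret that signed this token is not known, so nothing here verifies the signature.

```python
import base64
import json

# The example token from the article above. The secret that signed it is not
# known here, so this block parses and decodes only; it does not verify.
EXAMPLE_JWT = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJpc3MiOiJMTSIsImlhdCI6MTYxOTQ3MDY4MiwiZXhwIjoxNjE5NDcxODg2LCJhdWQiOiJsb2dpY21vbml0b3IuY29tIiwic3ViIjoiTmVkIn0."
    "mqWsk4fUZ5WAPYoY9bJHI7gD8Zwdtg9DUoCll-jXCMg"
)


def b64url_decode(segment: str) -> bytes:
    """Decode base64url (RFC 4648 section 5) as used by JWT: URL-safe alphabet,
    '=' padding stripped on the wire, so restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def split_jwt(token: str):
    """Split a compact-serialized JWS into (header dict, payload dict, raw signature bytes).
    Parsing only: nothing here establishes that the token is genuine or unexpired."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 dot-separated segments, got %d" % len(parts))
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    return header, payload, b64url_decode(sig_b64)


if __name__ == "__main__":
    header, payload, signature = split_jwt(EXAMPLE_JWT)
    print(json.dumps(header, indent=2))
    print(json.dumps(payload, indent=2))
    print("signature: %d bytes" % len(signature))  # 32 bytes: an HMAC-SHA256 tag
```

Running it prints the header and payload shown in the next two sections and reports a 32-byte signature, which is what HMAC-SHA256 produces. Being able to decode a token this easily is exactly why the payload must never carry secrets.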
HEADER
The header of a JWT mostly describes the cryptographic operations applied to it, such as the signing or encryption algorithm used. It can also carry the media/content type of the information being sent.
Decoded Header
{
"typ": "JWT",
"alg": "HS256"
}
The ‘typ’ parameter tells us the type of this token (JWT), whereas ‘alg’ tells us the signing algorithm used (here HS256, HMAC with SHA-256; for a JWE the header declares the encryption algorithm instead). Some JWTs can also be created without a signature or encryption. Such a token is referred to as an unsecured JWT and its header has the alg key set to ‘none’. If the JWT processing function blindly adheres to the algorithm declared in the header and “alg” is set to “none”, the JWT is processed as valid without any of the protection that a signature provides: an attacker can take a legitimate token, change the claims, set alg to none and drop the signature. The verifier, not the token, must decide which algorithm is acceptable, and any token that declares a different one must be rejected.
{
"alg":"none"
}
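The following added Python example (not from the original article) shows that attack concretely: a server issues an HS256 token, the attacker rewrites the header to alg none, changes a claim and sends an empty signature, and then a naive verifier that honours the header's alg accepts the forgery while a hardened verifier that pins the expected algorithm rejects it. The secret, claim names and role values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret. In production generate 32 random bytes from the OS
# CSPRNG and keep them in a secret store, never in source code.
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse-0123456789abcdef"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def json_segment(obj: dict) -> str:
    """Compact JSON, base64url-encoded, as one dot-separated JWT segment."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def hs256(secret: bytes, signing_input: bytes) -> bytes:
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def issue_hs256(secret: bytes, claims: dict) -> str:
    """What the legitimate server does: sign base64url(header).base64url(payload)."""
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = json_segment(header) + "." + json_segment(claims)
    return signing_input + "." + b64url_encode(hs256(secret, signing_input.encode()))


def forge_alg_none(token: str, **changed_claims) -> str:
    """What an attacker does: reuse the claims, edit the ones they want,
    declare alg=none and send an empty signature. No secret is needed."""
    _, payload_b64, _ = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims.update(changed_claims)
    return json_segment({"typ": "JWT", "alg": "none"}) + "." + json_segment(claims) + "."


def verify_naive(token: str, secret: bytes) -> dict:
    """VULNERABLE: lets the attacker-controlled header choose the algorithm."""
    h_b64, p_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(h_b64))
    signing_input = (h_b64 + "." + p_b64).encode()
    if header["alg"] == "HS256":
        if not hmac.compare_digest(hs256(secret, signing_input), b64url_decode(sig_b64)):
            raise ValueError("bad signature")
    elif header["alg"] == "none":
        pass  # the bug: an "unsecured JWT" is accepted with no signature at all
    else:
        raise ValueError("unsupported alg")
    return json.loads(b64url_decode(p_b64))


def verify_hs256(token: str, secret: bytes) -> dict:
    """Hardened: the verifier pins the algorithm; the header merely has to agree."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, sig_b64 = parts
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":
        raise ValueError("alg %r not allowed, expected HS256" % header.get("alg"))
    expected = hs256(secret, (h_b64 + "." + p_b64).encode())
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time compare
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p_b64))


def run_demo(secret: bytes = DEMO_SECRET) -> dict:
    """Issue a user token, forge an admin token with alg=none, run both verifiers."""
    legit = issue_hs256(secret, {"sub": "alice", "role": "user"})
    forged = forge_alg_none(legit, role="admin")
    result = {"legit_role": verify_hs256(legit, secret)["role"],
              "naive_forged_role": verify_naive(forged, secret)["role"]}
    try:
        verify_hs256(forged, secret)
        result["hardened_rejects_forgery"] = False
    except ValueError as err:
        result["hardened_rejects_forgery"] = True
        result["hardened_error"] = str(err)
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key + ": " + str(value))
```

The naive verifier returns role admin for a token nobody signed; the hardened one refuses it before looking at the signature at all. Real libraries make the same mistake fixable the same way: pass the list of algorithms you accept to the verify call and never let the token choose.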
PAYLOAD
Decoded Payload
{
"iss": "LM",
"iat": 1619470682,
"exp": 1619471886,
"aud": "logicmonitor.com",
"sub": "Ned"
}
(These are the values actually encoded in the example token above; iat and exp are Unix timestamps, so this token was valid for roughly 20 minutes after it was issued.)
The payload is the part of the JWT where the user data is actually carried. These data items are referred to as the ‘claims’ of the JWT.
There are three types of claims:
- Registered claims: a set of predefined claims which are not mandatory but recommended, to provide a set of useful, interoperable claims. Some of them are: iss (issuer), exp (expiration time), iat (issued at), sub (subject) and aud (audience).
- Public claims: these can be defined at will by those using JWTs, but to avoid collisions they should be registered in the IANA JSON Web Token Claims registry or be named with a URI that contains a collision-resistant namespace.
- Private claims: custom claims created to share information between parties that agree on using them, and which are neither registered nor public claims.
Signature
mqWsk4fUZ5WAPYoY9bJHI7gD8Zwdtg9DUoCll-jXCMg
The signature is computed over the first two segments exactly as they appear on the wire: for HS256 it is base64url(HMAC-SHA256(secret, base64url(header) + "." + base64url(payload))). The verifier recomputes this value and compares it, in constant time, with the third segment; any change to the header or payload changes the signature.
Best JWT practices
- Always use TLS. Even for JWE (encrypted tokens) TLS is critical: if a token is intercepted by a man-in-the-middle attack, its contents may be hidden but the token itself can still be replayed against the API.
- JWS payloads are not encrypted and must not contain sensitive user information such as passwords.
- Tokens should have a short expiration time (exp), and verifiers must enforce it.
- When using HMAC, never sign with a weak secret: a captured HS256 token can be brute-forced offline, so use a random secret of at least 256 bits (32 bytes) from a CSPRNG.
- HttpOnly, Secure cookies are the safest place to store tokens in a browser: script cannot read them, which limits theft via XSS, and CSRF can be mitigated with the SameSite cookie attribute.
- Issue the JWT with the narrowest possible scope of access.
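Added Python example (not part of the original article) putting the last four points into code: generating a secret of adequate length for HMAC, validating exp, iss, aud and a scope claim after the signature has already been checked, and building the Set-Cookie header with HttpOnly, Secure and SameSite. The issuer, audience, scope names and timestamps are constructed; treating "scope" as a space-separated string is an assumption about the issuer (the OAuth 2.0 convention).

```python
import secrets
import time

# RFC 7518 section 3.2: an HMAC key must be at least as long as the hash output,
# so 256 bits (32 bytes) for HS256. Shorter, human-chosen secrets invite offline
# brute force of any captured token.
MIN_HS256_SECRET_BYTES = 32


def generate_hmac_secret() -> bytes:
    """Fresh signing secret from the OS CSPRNG; keep it in a secret store, not in code."""
    return secrets.token_bytes(MIN_HS256_SECRET_BYTES)


def secret_is_strong_enough(secret: bytes) -> bool:
    return len(secret) >= MIN_HS256_SECRET_BYTES


def validate_claims(payload: dict, *, expected_iss: str, expected_aud: str,
                    required_scope=None, now=None, leeway: int = 30) -> dict:
    """Check the registered claims of a payload whose signature has ALREADY been verified.
    Raises ValueError naming the first failing check; returns the payload otherwise.
    Assumption: 'scope' is a space-separated string, as in OAuth 2.0 access tokens."""
    now = time.time() if now is None else now
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)):
        raise ValueError("missing or non-numeric exp: every token must expire")
    if now > exp + leeway:                    # small leeway absorbs clock skew
        raise ValueError("token expired")
    if payload.get("iss") != expected_iss:
        raise ValueError("unexpected issuer")
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]   # aud may be a string or a list
    if expected_aud not in audiences:
        raise ValueError("token not intended for this audience")
    if required_scope is not None:
        granted = set(str(payload.get("scope", "")).split())
        if required_scope not in granted:
            raise ValueError("token lacks scope %r" % required_scope)
    return payload


def session_cookie_header(token: str, max_age: int) -> str:
    """Set-Cookie value for holding the token in the browser: HttpOnly keeps script
    (and so XSS) away from it, Secure restricts it to TLS, SameSite=Strict stops the
    browser attaching it to cross-site requests (CSRF)."""
    return "session=%s; Max-Age=%d; Path=/; HttpOnly; Secure; SameSite=Strict" % (token, max_age)


def run_checks(now: int = 1_700_000_000) -> dict:
    """Constructed payloads exercising each rule; returns the outcome of each check."""
    base = {"iss": "https://auth.example.test", "aud": "api.example.test",
            "sub": "alice", "iat": now - 60, "exp": now + 300, "scope": "orders:read"}
    cases = {
        "valid": dict(base),
        "expired": {**base, "exp": now - 3600},
        "wrong_audience": {**base, "aud": "other.example.test"},
        "missing_scope": dict(base),          # token grants orders:read, route needs orders:write
    }
    outcomes = {}
    for name, payload in cases.items():
        scope = "orders:write" if name == "missing_scope" else "orders:read"
        try:
            validate_claims(payload, expected_iss="https://auth.example.test",
                            expected_aud="api.example.test", required_scope=scope, now=now)
            outcomes[name] = "accepted"
        except ValueError as err:
            outcomes[name] = "rejected: " + str(err)
    return outcomes


if __name__ == "__main__":
    for name, outcome in run_checks().items():
        print(name + ": " + outcome)
    print(session_cookie_header("<token>", 300))
```

The order matters: signature first, then the claims, and each failure names a single reason so that logs show which rule fired. The audience check is what stops a token issued for one API from being replayed against another that shares the same issuer.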
When to use JWT
- Token-based authentication: JWT can be used for a stateless token-based authentication mechanism where the server does not need a server-side session store. Statelessness is one of the key tenets of REST: a RESTful web service cannot keep client state on the server and still strictly adhere to a stateless model. When the user successfully logs in with their credentials, a JSON Web Token is returned. Whenever the user wants to access a protected route or resource, the user agent sends the JWT, typically in the Authorization header using the Bearer scheme. The header looks like the following:
- Authorization: Bearer <token>
The trade-off of statelessness is that a token cannot be revoked server-side before it expires unless you reintroduce state (for example a denylist of revoked token identifiers), which is another reason to keep token lifetimes short.
- Securing APIs: JWTs are commonly used to secure APIs.
- JWTs are also used extensively in the OAuth 2.0 protocol and in OpenID Connect (OIDC) for single sign-on.
Advantages of JWT
- JSON is typically more compact, as it is less verbose than XML-based token formats.
- JSON parsers are common in most programming languages because JSON maps directly to objects. XML, by contrast, has no natural document-to-object mapping.