What is JWT and what does it do?

Web applications are currently being used to run a lot of scenarios in the digital world. User authentication or the system verifying user information to determine if they are who they claim to be, is of vital importance. This is because web applications are a priority target for attackers considering their wide usage. JSON Web Tokens (JWT) is a secure, popular, and scalable method for authentication, authorization, and information exchange. Let’s get into understanding the theory behind JSON web tokens and their pros and cons.

JWT, or JSON Web Token, is an open standard used to share security information between two parties — a client and a server. Each JWT contains encoded JSON objects, including a set of claims which are mostly user data or other data. JWTs are signed using a cryptographic algorithm to ensure that the claims cannot be altered after the token is issued.

Structure of a JSON Web Token

JWT Structure

A JWT consists of three Base64-URL-encoded strings separated by dots.

Header: Contains the signing algorithm and the type of the token.

Payload: Contains the token expiration date, token issuer, and more. Claims are included here which represents information regarding a certain entity like the user.

Signature: This is the component used to verify that the message hasn’t been corrupted in transit. For signature creation, the encoded header, encoded payload, and a secret key which you can define will be taken. If the algorithm is HMAC-based, the encoded header and payload will be concatenated with a period (.) in between then it will be hashed using the algorithm and the secret key. For an RSA-based algorithm, the concatenated header and payload will be signed with a private key.

HMACSHA256(
base64UrlEncode(header) + “.” + base64UrlEncode(payload),
secret
)

The highlighted section above is a textual representation of creating a signature for a JWT using the HMAC-SHA256 algorithm.

How JWT Works in a Web application

As the image above indicates initially when the user registers or logs in there will be a

1. Verification of the entered information and creation of the user instance in the database in case of a signup
2. Validation of user credentials in case of a login

after this process, a JWT will be generated and returned to the client.

Subsequent requests from the client will be followed with an Authorization header in the request. The server will extract the JWT from the request header and validate it. The response will be sent only if the validation is successful. You can protect parts of your application with this method.

Pros and Cons of JWT

Pros

1. Statelessness- JWTs carry all necessary information within the token itself making it self-contained. The need to store session data such as user credentials in the server is eliminated. It’s costly to maintain session state for scalable microservices architectures thereby the JWT is a good choice here as well.
2. Security- Since JWTs are digitally signed the information can be verified and trusted. The signature can be made using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
3. Performance- There’s no need to access the database repeatedly to authenticate users for their requests. Web applications, especially ones at scale can improve their performance due to this advantage.
4. Easy to transmit- JWTs are intended to be sent as part of the request body, in query strings, or as HTTP headers. They are therefore simple to use in modern web apps and APIs.

Cons

1. Token Revocation- Revoking JWTs is not straightforward since they are designed to be stateless. Therefore, actions like banning a user immediately cannot be implemented easily
2. Security Vulnerabilities- Security vulnerabilities such as using weak keys for signing tokens or not validating tokens properly can threaten the system.
3. Token Size: JWTs can become quite large if too much data is encoded. This can lead to increased bandwidth usage and decreased performance.

Best Practices for using JWTs

1. Use HTTPS- Using HTTPS to transmit JWTs is a crucial step to prevent tokens from being intercepted by attackers during transmission. This is crucial for protecting the sensitive information contained within the token.
2. Keep payload data minimal- Since JWTs are mostly transmitted over HTTP headers, excessively large JWTs can lead to server errors or truncated headers. Only include essential information in the token’s payload.
3. Use Strong Signing Keys- For symmetric algorithms (like HS256), use a strong, secret key that is long and complex to fight off brute-force attacks. For asymmetric algorithms (like RS256), manage the private key securely and only distribute the public key to services that need to verify the token.

I hope this article has provided you with a solid foundation on what JSON Web Tokens (JWTs) are, how they function, and their significance in modern web applications for authentication, authorization, and information exchange. As we’ve seen, JWTs offer a compact and self-contained way to securely transmit information between parties, making them an invaluable tool in the realm of web security.