Securing app with JSON Web Tokens
This article explains what JSON Web Tokens (JWTs) are, why you should use them and how you can use them to secure an application. JSON Web Token (JWT) is an open standard (RFC 7519) for safely passing claims in space-constrained environments. JWT defines a simple and compact way to securely transmit information between two parties (for example a client and a server) in the form of a JSON object. I am not going to cover the code here, but I will explain the coding in the next part.
What are Json Web Tokens?
A Json Web Token looks like this — eyJhbGciOiIiLCJ0eXAiOiJKV1QifQ.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.u8eAOPhMYxbVA344-mqOythdoPqJ4C2gYl1qu0bqehk
Although it looks complex, it is actually a very compact and self-contained representation of claims, with a signature to verify their authenticity. A JWT is just a string with the following format: header.payload.signature. The three parts are separated by dots. Let’s explain each of them.
Header
The header is a JSON object consisting of two parts: typ, the type of the token, which is “JWT” itself, and alg, the algorithm used to sign the JWT.
{
  "alg": "HS256",
  "typ": "JWT"
}
Then this JSON object is Base64Url encoded to get the first part of the token.
Payload
The payload is the element which contains all the user-related data. In addition to that, there are some reserved claims which may also be present in the payload.
{
  "iss": "own-auth",
  "name": "John Doe",
  "admin": true
}
Here we are adding only the name and admin properties of a user; you can add as many as you want. “iss” is a reserved claim that uniquely identifies the party that issued the JWT. You can read more about the reserved claims in RFC 7519 (linked in the references below). Then the payload is also Base64Url encoded to form the second part of the token.
Signature
The signature is computed by applying the algorithm named in the header to the encoded header, the encoded payload and a secret key. The secret key must be stored in a safe place on the authorization server and must never be disclosed. For example, if we use the HMAC SHA256 algorithm, the signature would be
HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secretKey)
The signature is used to verify that the sender of the JWT is who it claims to be and to ensure that the message wasn’t changed along the way.
After putting the three components together, what we get is a three-part Base64Url string separated by dots that can be passed in any HTTP request. If all of the above seems a bit complicated, you don’t need to worry: there are lots of libraries which do all the encoding and signing for you; you just need to pass the data (claims). For libraries, see https://jwt.io/#libraries
Why should you use Json Web Tokens?
Let’s talk about why JWTs are better than cookies or simple web tokens. The major benefits are the following:
- As JWTs are self-contained tokens, the server doesn’t need to ask the database about the user, because the user info is already embedded inside the token. This reduces the need to query the database multiple times.
- You don’t need to store different cookies for different values such as user_id, user_last_login or last_visited_page. All of this can be stored within a single JWT.
- Tokens can expire like cookies, but you have more control over it.
- Tokens work in the same way on both mobile and web platforms.
How should you use Json Web Tokens?
When the user successfully logs in, irrespective of the authentication mechanism (email, OAuth or phone with OTP), a JSON Web Token is generated on the server side with all the necessary claims and returned to the client, which must save it locally for authorising future requests.
When the user wants to make a request to a protected API, the user agent must send the JWT in the Authorization header as follows.
Authorization: Bearer <token>

This authentication mechanism is stateless because the server never stores the user state. The server only reads the Authorization header and extracts the token. Then the server validates the token against the secret key. If the token is valid, the server grants the client access.
Note: As you have seen, we have only encoded and signed the data, not encrypted it. Encoding only transforms the data’s structure. JWTs are not meant to encrypt or obscure the data, so a JWT does not protect the confidentiality of sensitive data. The purpose of a JWT is to check whether the data has been tampered with in transit. It is better to encrypt the JWT before sending it over the wire if it carries confidential information such as access_roles or payment_information. I will explain this in the next article.
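To make the header.payload.signature construction, the stateless check the server performs on the Bearer token and the note above concrete, here is a worked example added to this article (it is not the author’s code and not any library’s): an HS256 encoder and verifier written only with Python’s standard library. The secret, the claims, the expiry timestamps and the function names are constructed for the demonstration.

```python
# Added example: a minimal HS256 JWT encoder and verifier using only the
# Python standard library. Secret, claims and timestamps are constructed.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    """Base64Url as JWT uses it: URL-safe alphabet, no '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding Base64 needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """header.payload.signature, where the signature is
    HMAC-SHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)."""
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: bytes, issuer: str, now: Optional[float] = None) -> dict:
    """The stateless check a server runs on a Bearer token: returns the claims
    or raises ValueError. No database lookup is needed, only the secret."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The verifier pins the algorithm; the untrusted header must not choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak signature bytes.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch: payload altered or wrong key")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    return claims


def peek_payload(token: str) -> dict:
    """The payload is encoded, not encrypted: readable without the secret."""
    return json.loads(b64url_decode(token.split(".")[1]))


def altered_copy(token: str) -> str:
    """A copy with admin set to true in the payload but the old signature kept,
    i.e. the kind of in-transit change verify_hs256 has to detect."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims["admin"] = True
    new_payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return ".".join([header_b64, new_payload, sig_b64])


SECRET = b"constructed-demo-secret-not-for-production"  # constructed value
HEADER = {"alg": "HS256", "typ": "JWT"}
CLAIMS = {"iss": "own-auth", "name": "John Doe", "admin": False, "exp": 1_700_000_600}


def demo() -> dict:
    """Sign, verify and read a token, then show four bad tokens being rejected."""
    token = sign_hs256(HEADER, CLAIMS, SECRET)
    results = {"parts": len(token.split(".")),
               "verified": verify_hs256(token, SECRET, "own-auth", now=1_700_000_000),
               "readable_without_secret": peek_payload(token)["name"]}
    for name, bad_token, when in [
        ("altered", altered_copy(token), 1_700_000_000),
        ("expired", token, 1_700_000_600),
        ("wrong_key", sign_hs256(HEADER, CLAIMS, b"another-secret"), 1_700_000_000),
        ("alg_none", sign_hs256({"alg": "none", "typ": "JWT"}, CLAIMS, SECRET), 1_700_000_000),
    ]:
        try:
            verify_hs256(bad_token, SECRET, "own-auth", now=when)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = "rejected: " + str(err)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the file prints the verified claims, shows that peek_payload reads the name without ever touching the secret, and lists the altered, expired, wrongly keyed and alg-switched tokens as rejected. Two choices matter for a production verifier as much as for this toy: the accepted algorithm is fixed by the server rather than taken from the header, and the signature comparison is constant-time. In a real application you would use one of the libraries listed on jwt.io, as the article suggests, and keep those same two properties.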
External References —
- https://en.wikipedia.org/wiki/JSON_Web_Token
- https://self-issued.info/docs/draft-ietf-oauth-json-web-token.html
- https://tools.ietf.org/html/rfc7519
- https://scotch.io/tutorials/the-anatomy-of-a-json-web-token
- https://github.com/jwtk/jjwt — JWT library for Java
I hope you have enjoyed this article. Click ❤️ below to recommend it if you found it helpful; it lets others see this article in their feed. For more such articles, follow me and you will be notified.
Thanks for reading!! 😀 😃
