Simple JWT Authentication explanation
Introduction
I’ll start this article with a very simple statement: I’m not the first to write about the subject, I’m not going to give hard quotes, I’m not going to complicate you.
I intend to explain the subject in the simplest and quickest way possible.
If you are interested in exploring the subject further, please visit JWT Official site.
JWT Authentication using C# (implementation)
JWT Authentication using Node JS (implementation)
JSON Web Token (JWT) is a JSON-based open standard for creating access tokens that assert some number of claims, JWT is just a string with the following format:
header.payload.signatureExplanation of the central parts
Header:
The header identifies which algorithm is used to generate the signature, there are basically two main algorithms that we use HS256 and RS256.
{
"alg" : "HS256",
"typ" : "JWT"
}alg - The type of algorithm we will use to sign the token.
typ - Define the type of the token which is JWT.
Payload:
Payload contains our claims that we want to store (personal data that we define) and some standard claims.
Example for custom data:
{
"Name" : "Moshe Binieli",
"Email" : "mmoshikoo@gmail.com"
}As we said there are also some standard claims for example:
iat: Time when the token is issued by us.
exp: The expiration time of the token.
There are some more standard claims, please visit Wikipedia to view them all.
Signature:
Signature step is pretty simple, in this step we take the header and payload and convert it to Base64 format.
The formatted strings are concat with ‘.’ between them and we get something like xxxxx.yyyyy
data = base64urlEncode(header) + "." + base64urlEncode(payload)Then we take the new string we’ve just created and we use hash algorithm and hash it with the chosen secret key.
hashedData = hashAlgorithm(data, secretKey)Finally we convert the signature string to Bas64 as well and we’re done.
signature = base64urlEncode(hashedData)This is visualization of JWT token, the header section is red (left), the payload is purple (middle) and the signature is blue (right).
Each part is converted to Base64 format and that’s how the string (token) is built.
Important note
As you saw, we have a string with three parts separated by a point between them.
Can someone take the critical part that contains our claims and decode it from base 64 and see our data?
Well, yes they can!
You might be asking yourself, isn’t something wrong with this?
It’s important to understand that JWT isn’t here to hide our data, it’s here to prove that the data was created by us.
Do not insert sensitive information into the payload, the payload should contain information that is not sensitive.
Once we decode the token with the private key, we will know if the token was created by us or not, and then we can use the payload data for our purposes, that’s the magic, the simplicity.
How this is actually works in real life?
Let’s take a classic case of login, the client sends a Username and Password, when the information arrives at the server we authenticate the user against the database.
Let’s suppose we want to keep the user ID and role in the claims in our token.
We take the required information and create an object that looks like this:
{
"ID" : 123,
"Role" : "Admin"
}Then we define our header properties ”alg” and “typ” as object.
We convert our header and the payload (ID, Role) to Base64.
We concat those strings into one string separated by dot, header.payload.
Then we hash the data and convert the signature to Base64 as I explained in signature part.
Now we should have one long string that looks like header.payload.signature, we send this string (token) back to the client. Next time we receive token at secure endpoint, we will verify the token in the middleware, if the token has been created by us then we can continue our endpoint logic because the data is fine, otherwise we will return HTTP Status 401 (Unauthorized).
In Conclusion
Don’t implement this by yourself, there are many libraries doing most of the work for you, you can check out my articles about NodeJS and C#.
The idea is quite simple, it is important to mention that I did not touch on all the issues involved in JWT, the explanation should be pretty good so that you can understand what you are doing.
