Use JWT (JWS) for authentication

Randil Fernando
Mar 17, 2018

JSON Web Tokens (JWT)

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, self-contained way of securely transmitting information between parties as a JSON object. The information can be verified and trusted because it is digitally signed. A JWT can be signed either with a shared secret (using the HMAC algorithm) or with a public/private key pair (using RSA).

Parts of a JWT

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true
}

Signature

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret
)

Putting it all together

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ0eXBlIjoiYmVhcmVyIiwiaWF0IjoxNTIxMDEzNzA3LCJleHAiOjE1MjEwMTczMDcsImlzcyI6Imtpa3N0YXJ0In0.scd2qEhrNaJStCFVnSXmx5s4TZ0HNQfqTbJtOQvbte0

Other token types

Token based authentication workflow

Token generation (Authentication server)

Token Read (Client)

Token Validation (Application server)

Symmetric (Shared key)

Asymmetric (Private/public key)

Written by Randil Fernando

Undergraduate, Department of Computer Science and Engineering, University of Moratuwa.
