Understanding JWT

Senthuran Manoharan
3 min read · Jun 16, 2019

What is JWT?

JWT stands for JSON Web Token. It is used for authorization and for sending information securely between two parties (client and server). Traditionally, cookies and sessions are used for authentication; JWT is now the trending approach, in which a text string token is passed with every request. A JWT is digitally signed with an algorithm so that the receiving party can trust the shared information. For example, a user logs into Medium through the Google authentication server with the user's credentials. Once authentication succeeds, the server creates a JWT and sends it to the client. Medium then receives this JWT and is allowed to access the data. When the user makes any update to his profile, the data and the token are sent to the server. The server first checks that the token exists and then verifies it. If the token verifies, the user details are updated.

Flow

Why JWT is used

  • Sending information between two parties
  • Proving that the sent data was actually created by a valid user
  • Scalable: the data stored in the payload can be extended.
  • The format is JSON, so it is simple and easy to use.
  • JWT enables delegation of authentication to a third-party server.
  • JWT is digitally signed and encrypted.
  • A JWT contains all the details about the user, which avoids the need to access the database and therefore improves the response time.

Structure of JWT

A JWT consists of three main sections: header, payload and signature. It is a text string which looks like

HHHHHHHHHHHH.PPPPPPPPPPPPPP.SSSSSSSSSSSSSS

H - Header, P - Payload, S - Signature

The header and payload store data in JSON format, base64 encoded; the signature is created from the header, the payload and a secret.

Sample JWT

The header gives some important information about the token. Normally it states the type of the token (JWT) and the algorithm used to sign the token. In the above diagram the HS256 algorithm is used to sign the token.

The payload is the section that stores the user information. Here the user information is stored as claims. Claims can be categorised into registered, public and private claims. Issuer ("iss"), subject ("sub"), audience ("aud") and expiry time ("exp") are some examples of registered claims.

The unsigned token is formed from the base64 encoding of the header and of the payload, concatenated with a period. The signature is then created by running the hashing algorithm over the unsigned token together with the secret key.

JWT Encoding and Decoding

Let's see how this simple string token is formed. The first step is to encode the header and the payload using base64Url. This gives us the following:

base64header = base64encode(header);

base64payload = base64encode(payload);

From these we can generate the signature as follows:

signature = HS256(base64header + '.' + base64payload, 'secret');

The final step is concatenating the three sections with periods.

JWT = base64header + '.' + base64payload + '.' + signature

Let's say we have a JWT and want to decode it. First we split it by period, then we base64Url-decode the first two parts to get the header and the payload.

base64header, base64payload, signature = JWT.split('.');

header = base64decode(base64header);

payload = base64decode(base64payload);

To validate the signature, it is recreated from the header, the payload and the secret in the same way as above, and then compared with the signature received in the token. If the two do not match, the token has been altered.

NOTE :

A JWT should not contain any sensitive information, since the payload claims are only base64 encoded and can easily be decoded and read. If sensitive data has to be passed in a JWT, a proper encryption mechanism has to be used.
