What is a JWT? | A Beginner’s Guide to JWT Authentication.

Vamsi Kartik
5 min read · Nov 28, 2023


Ever wondered how you get signed in to a web app without typing your credentials each time? If you haven’t thought about it yet, you might be curious now. Follow along in this blog post to understand how JWT makes authentication and authorization simpler.

Before moving on, let’s briefly review Authentication and Authorization, concepts many of you are likely familiar with. Authentication confirms a user’s identity through specific credentials, while Authorization dictates which actions an authenticated user is allowed to perform within the web app. In the following sections, we’ll delve into:

  1. What is JWT
  2. Breakdown of JWT
  3. How to generate a JWT
  4. How to verify a JWT

What is JWT

JWT, short for JSON Web Token, is a secure and URL-safe method for exchanging information between two parties. Being compact, it can be conveniently transmitted in a URL, as a POST parameter, or within an HTTP header, which keeps communication quick. A JWT carries all the necessary information about an entity, avoiding the need for multiple database queries. Moreover, the recipient of a JWT can validate the token without having to call back to the issuing server.

JSON stands for JavaScript Object Notation, a text format for transmitting data across the web. A token, in this context, is a string of data representing identity. A JWT, or JSON Web Token, is JSON data converted into a string (the token). These tokens are signed using cryptographic algorithms to guarantee that they cannot be altered undetected.

Breakdown of JWT

The image above illustrates the structure of a JWT, which comprises three components separated by a period (.): Header, Payload, and Signature. The header and payload are Base64Url-encoded JSON objects; the signature is Base64Url-encoded as well.

Header — The first component of a JWT, the header is a JSON object that describes how the token is to be processed. It includes two parts: the token type (typ), which is always set to “JWT”, and the signing algorithm used to create the signature (alg).

Structure of the Header

{
  "alg": "HS256",
  "typ": "JWT"
}

These standard headers are essential for a JWT, and it’s mandatory to include them. However, if needed, you can still incorporate custom headers based on your specific requirements.

Payload — The second element of a JWT, the payload, is a JSON object that holds claims about an entity, such as the user’s identity, and any other relevant information that may be required.

Structure of the Payload

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

In JWT, there are three types of claims:

  1. Registered Claims: These are standard and predefined claims specified by JWT. Examples include subject (sub), issued at (iat), expires at (exp), issuer (iss), and more.
  2. Public Claims: These claims are not part of the standard JWT specification. They can be created by the involved parties to include any necessary information.
  3. Private Claims: Neither standard nor public, these claims must be agreed upon by both parties involved in the communication to be used.

Signature — The third and final component of a JWT is the signature. It is generated by taking the Base64Url-encoded header and payload, joining them with a period, and signing the result with a secret using the algorithm named in the header (here HS256, which is HMAC-SHA256).

The signature of a JWT provides integrity, ensuring that the token has not been tampered with. Producing a valid signature for altered content without the secret is practically impossible. It’s crucial to store the secret securely on the server side, since it’s required both for generating and for verifying the token.

Feeling a bit overwhelmed with theory? Alright, let’s dive into the practical side and see how a token is generated and verified with an example.

How to Generate a JWT?

Imagine signing into a web app after a while. Upon successful identity verification, the server generates a JWT. The first step is to create the header. For simplicity, let’s use the same JSON structure as shown above. The Base64Url-encoded result is:

Now, let’s focus on the payload. The claims in the payload are as follows:

To generate the signature, let’s join the encoded header and payload with a period and sign the result with a secret using the HS256 algorithm.

Combine all three parts — header, payload, and signature — to form a JWT token.

This token is now sent back to the browser to be stored. When you revisit the same web app, the browser sends the token in an HTTP header, where the server parses it to verify your identity.

How to Verify a JWT?

Upon receiving the token, the server takes the first two parts, the header and the payload, and signs them using the same secret and algorithm used during generation. It then compares the result with the third part of the JWT, the signature. If they match, you are verified and no re-authentication is required.
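The generation steps above and the verification check just described, carried out in Python as an added example (this is not code from the original post). It uses the header and payload shown earlier, a made-up secret, a pinned algorithm on the verifying side, and an optional check of the registered exp claim the conclusion recommends.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

def b64url_encode(data: bytes) -> str:
    # Base64Url: '+' and '/' become '-' and '_', and '=' padding is dropped.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # Restore the padding that JWT strips before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_part(obj: dict) -> str:
    # Compact JSON (no whitespace) so the output matches common libraries.
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def generate_jwt(payload: dict, secret: str) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{encode_part(header)}.{encode_part(payload)}"
    # HS256 = HMAC-SHA256 over "<header>.<payload>", keyed with the secret.
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def verify_jwt(token: str, secret: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if the token is genuine and unexpired, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm the server uses; never let the token choose it.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        signing_input = f"{header_b64}.{payload_b64}".encode()
        expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking the signature byte by byte.
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:  # wrong part count, bad Base64Url, or malformed JSON
        return None
    # Honour the optional "exp" registered claim (seconds since the epoch).
    if now is not None and "exp" in payload and now >= payload["exp"]:
        return None
    return payload

# Constructed sample: the post's payload signed with a made-up secret.
SAMPLE_SECRET = "your-256-bit-secret"
SAMPLE_TOKEN = generate_jwt({"sub": "1234567890", "name": "John Doe", "iat": 1516239022}, SAMPLE_SECRET)
```

Changing a single payload character, or verifying with a different secret, makes verify_jwt return None even though the token still decodes to readable JSON.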

Conclusion

JSON Web Tokens are a robust tool for securely transmitting data. JWT provides stateless authentication, eliminating the need for the server to store session information. However, it’s crucial to take precautionary measures such as setting a reasonable expiration time, transmitting over HTTPS, and refraining from storing sensitive information in the payload. It’s important to note that if the secret is compromised, the entire system is at risk. By following best security practices, JWT can be a reliable and robust tool for authentication.

I want to express my gratitude for your time and attention. I’m open to any suggestions or improvements you may have. Thank you for reading!
