In this article I am going to explain JSON Web Tokens (JWT).
Before we start on JWT, we should have a basic understanding of Authentication and Authorization and the difference between them.
In simple words, Authentication is validating a user's identity with credentials, and Authorization is verifying the roles or permissions assigned to an already authenticated user.
Authentication and Authorization are very important concepts for secure web development.
Let’s now discuss JWT.
What is JWT?
JWT stands for JSON Web Token. It is an open standard (RFC 7519) used to securely transfer information between two parties.
Now the question is, what is an open standard? An open standard is one that anyone can implement and use without restrictions.
In short, JWT is useful for Authorization and for information exchange.
Below are a few important points or advantages of JWT.
Advantages of JWT
- Compact – It can be sent in a URL, a POST body or an HTTP header, which makes it fast to transmit and easy to use.
- Self-contained – It carries the user details itself (rather than a session id in a cookie, as in the traditional approach), so there is no need to query the database to get the user details.
- Digitally signed – The information can be verified and trusted.
- Transfers information between two parties, where a party means a user, a server, etc.
- Can be used in most programming languages, as the token maps directly to an object.
- JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
Now let's see how JWT looks.
JSON Web Token Structure
A JSON Web Token is a combination of three parts separated by dots: the Header, the Payload and the Signature.
A JWT typically looks like this:
Eg. XXXXX.YYYYY.ZZZZZ
The diagram below explains the structure of a JWT more precisely.
Header
The header is a combination of two parts.
- Algorithm – The signing algorithm being used, such as HMAC SHA256 or RSA.
- Type – The type of the token.
This JSON is Base64Url encoded to form the first part of the token.
Suppose we have a JWT like aaaaaa.bbbbbb.cccccc. In this example aaaaaa is the Base64Url encoded header.
Payload
The payload is the second part of the JWT and carries the claims: details about the user plus any additional metadata.
Note
Claim names are kept to three characters rather than the full name.
The payload can hold three types of claims.
Registered
A set of predefined claims which are not mandatory but are recommended.
Some of the registered claims are:
- “iss” (issuer) claim
- “sub”(subject) claim
- “aud” (Audience) claim
- “exp”(Expiration Time) claim
- “nbf” (Not before) claim
- “iat” (Issued At) claim
- “jti” (JWT ID) claim
Public
These can be defined at will by those using JWTs. A new claim name should either be registered in the IANA "JSON Web Token Claims" registry or be a collision-resistant public name.
Private
Custom claims created to share information agreed between the parties; they are neither registered nor public claims.
Sample example:
The payload is Base64Url encoded in the JWT.
Note
For security reasons, do not put any sensitive information in the header or payload unless it is encrypted: both parts are only Base64Url encoded, so anyone holding the token can decode and read them.
Signature
The signature is created by taking the encoded header, a “.” and the encoded payload, and signing that string with the secret using the algorithm specified in the header: Signature = sign(EncodedHeader + “.” + EncodedPayload, Secret).
In the above example the HMAC SHA256 algorithm is used for signing.
How do JSON Web Tokens work?
Now we will discuss how JWT and the traditional Session + Cookies approach each work.
Traditional way
The first diagram explains the traditional way:
- The client (browser) posts a request with credentials to the server.
- The server validates the user's credentials and creates a session id. The session id is stored in server memory and sent back to the user for subsequent requests.
- The client stores the session id in a cookie or other storage.
- The session id is sent to the server with each subsequent request.
- The server receives the session id, validates it and returns the requested response to the user.
How JSON Web Tokens work
Now we will discuss JSON Web Tokens to better understand the differences.
The above diagram explains how JWT works:
- The client (browser) sends a POST request with credentials to the server.
- The server authenticates the user's credentials and generates a JWT signed with its secret. The server stores nothing in this case, which saves server memory and improves performance.
- The client sends the JWT in the Authorization header on subsequent requests.
- The server verifies the token and sends the response to the browser.
I hope you enjoyed this article and that it helps you get started with JSON Web Tokens.