An Introduction and Brief History
JSON Web Tokens, also popularly known as JWTs, are something that many web developers come across daily. JWT is an open, industry-standard (RFC 7519) method for representing claims securely between parties. The compact size of JWT makes it versatile, and it can be sent through a URL, POST parameter, or inside an HTTP header.
JWT was introduced in 2010 to make communication between two parties secure, fast, and easy. Before JWT existed, a common practice for managing user sessions was to store user information on the server side in objects known as 'cookies'. However, with the rising popularity of RESTful APIs and stateless applications where sessions do not necessarily exist, there was a need for a new method. Thus JWT became a popular choice.
The Evolution And Need of JWT
Since its creation, JWTs have quickly become a popular choice for session management and secure data transfer for several reasons:
- Information Exchange: JWTs are a safe way of transferring information between parties. The information can be verified because it is digitally signed.
- Authorization: Once a user logs into an application, a JWT can be created for the user, providing client authorization. Every request from the client can include the JWT, allowing the user to access routes, services, and resources permitted with that token.
- Ease of Use: Owing to its compact size, a JWT is easy to transfer through an URL, POST parameter, or inside an HTTP header.
- Versatility: JWTs work across different programming languages, as JSON is used widely across many different programming languages.
JWT Structure
A JSON Web Token consists of three parts separated by dots (.), including a header, payload, and signature. An example of a JWT could look like this: aaaa.bbbb.cccc.
- Header: This part contains metadata including the type of token and the signing algorithm being used, like HMAC SHA256 or RSA.
- Payload: Here lies the actual information also known as 'claims'. Claims are statements about an entity (typically, the user) and additional metadata.
- Signature: The signature is used to verify that the sender is who they say they are and to ensure that the message wasn't changed in any way during transit.
Implementing JWT in a C# Application
Install the Microsoft's official JWT library System.IdentityModel.Tokens.Jwt through NuGet into your .NET Core project.
string key = "my_secret_key"; // This should be more complex and stored safely
var securityKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(key));
var credentials = new SigningCredentials(securityKey, SecurityAlgorithms.HmacSha256);
var permClaims = new List<Claim>();
permClaims.Add(new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()));
permClaims.Add(new Claim("valid", "1"));
permClaims.Add(new Claim("userid", "1"));
permClaims.Add(new Claim("name", "test_user"));
var token = new JwtSecurityToken(issuer: "yourdomain.com",
audience: "yourdomain.com",
claims: permClaims,
expires: DateTime.Now.AddDays(1),
signingCredentials: credentials);
var jwtToken = new JwtSecurityTokenHandler().WriteToken(token);
The value of jwtToken is your created JWT.
Validating a JWT
To validate a JWT generated, the application again uses the secret key to decode the JWT and validate it.
var tokenHandler = new JwtSecurityTokenHandler();
var jwtSecurityToken = tokenHandler.ReadJwtToken(jwtToken);
var validationParameters = new TokenValidationParameters()
{
IssuerSigningKey = securityKey,
ValidateIssuer = false,
ValidateAudience = false,
};
SecurityToken validatedToken;
IPrincipal principal = tokenHandler.ValidateToken(jwtToken, validationParameters, out validatedToken);
After this, your JWT is validated and the claims can be read from the jwtSecurityToken variable.
Conclusion
With the rise of stateless APIs and advantages in terms of security, size, and versatility, JWTs have become a favorite method among developers for authorization and secure data transfer. As always, care must be taken to keep the secret keys securely and manage the tokens properly.