Understanding the JSON Web Token (JWT)

Introduction

JSON Web Tokens (JWT) are a compact, URL-safe way to represent claims that need to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, which is what allows them to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.

JWTs are frequently used for authentication and information exchange, especially in web applications. Because they are digitally signed, the receiving party can verify who issued the token and that its contents have not been altered.

The composition of a JWT

Three components make up a JWT, with dots (.) separating them:

  1. Header
  2. Payload
  3. Signature

Header

The header typically has two parts: the type of the token (JWT) and the signing algorithm, such as HMAC SHA256 or RSA.

An example of a header

{
  "alg": "HS256",
  "typ": "JWT"
}

The following is how it appears when encoded in Base64Url:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

Payload

The claims are in the payload. Claims are assertions regarding an entity (usually the user) and supplementary information. Three categories of claims exist:

  • Registered claims: A set of predefined claims such as iss (issuer), exp (expiration time), sub (subject), and aud (audience). They are not mandatory, but they are recommended.
  • Public claims: Claims that anyone using JWTs can define as they see fit. To prevent collisions they should be defined in the IANA JSON Web Token Registry or as a collision-resistant name such as a URI.
  • Private claims: Custom claims created to share information between parties that agree on using them.

An example of a payload

{
  "sub": "1234567890",
  "name": "Jaimin Shethiya",
  "admin": true,
  "userName": "[email protected]",
  "iat": 1516239022
}

The following is how it appears when encoded in Base64Url:

eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkphaW1pbiBTaGV0aGl5YSIsImFkbWluIjp0cnVlLCJ1c2VyTmFtZSI6ImphaW1pbnNoZXRoaXlhQHlhaG9vLmNvbSIsImlhdCI6MTUxNjIzOTAyMn0

Signature

To create the signature, you take the encoded header, the encoded payload, a secret, and the algorithm specified in the header. For instance, if the HMAC SHA256 algorithm is used, the signature is generated as follows:

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret)

An example of a signature

IiRZjTR4MCZkmmpV1oAZf059p0cZDIHmb8EJyGiwPBc

Final JWT

The three components are concatenated with dots (.) to create the final JWT:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkphaW1pbiBTaGV0aGl5YSIsImFkbWluIjp0cnVlLCJ1c2VyTmFtZSI6ImphaW1pbnNoZXRoaXlhQHlhaG9vLmNvbSIsImlhdCI6MTUxNjIzOTAyMn0.IiRZjTR4MCZkmmpV1oAZf059p0cZDIHmb8EJyGiwPBc

How JWT Works

  • User Authentication: The server creates a JWT after confirming the user's login credentials.
  • Token Issuance: The server returns the JWT to the client.
  • Client Storage: The client keeps the JWT, typically in a cookie or in local storage.
  • Subsequent Requests: The client includes the JWT in the Authorization header of subsequent requests using the Bearer scheme:
    • Authorization: Bearer <token>
  • Token Verification: The server verifies the token's signature and extracts the claims. If the token is valid, the server processes the request.
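To make these steps concrete, here is an added example (not code from the article) that builds a token exactly as the HMACSHA256 formula above describes and then performs the server-side check from the last step: it pins the algorithm to HS256, compares the signature in constant time, and rejects a token whose exp claim has passed. The secret is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret (placeholder); a real deployment uses a long random key.
SECRET = b"example-shared-secret"

def b64url_encode(data: bytes) -> str:
    """Base64Url encoding without '=' padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    """Reverse of b64url_encode: restore the padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_jwt(payload: dict, secret: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 over the two encoded parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    # Compact JSON (no spaces) matches the encoded header shown in the article.
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

def verify_jwt(token: str, secret: bytes, now=None):
    """Return the claims if the token is valid, otherwise None.
    Valid means: three parts, header alg pinned to HS256 (so 'none' or any
    other algorithm is refused), signature equal in constant time, exp not passed."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None  # header or payload changed, or wrong secret
        claims = json.loads(b64url_decode(p))
    except ValueError:  # covers bad Base64, bad JSON and bad UTF-8
        return None
    if not isinstance(claims, dict):
        return None
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None  # RFC 7519: the current time must be before exp
    return claims
```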

JSON Web Tokens (JWT) are a popular way to transmit data between parties as a JSON object. They are widely used in web applications for authentication and information exchange. The following are some benefits and drawbacks of using JWT:

Benefits of JWT

  • Compact: Because JWTs are small, they are simple to send over a network. They can be transmitted inside an HTTP header, via POST parameters, or via a URL.
  • Self-contained: The server does not need to store session information because JWTs already contain all the user data that is required. Better performance and scalability may result from this.
  • Stateless: JWTs enable stateless authentication because they are self-contained. This can simplify server architecture and increase scalability because the server does not have to maintain a session state.
  • Cross-domain support: JWTs are appropriate for single sign-on (SSO) scenarios because they can be used across domains.
  • Security: JWTs can be signed with HMAC or RSA so that the recipient can detect any alteration of the data. For confidentiality they can additionally be encrypted.
  • Interoperability: Because JWTs are built on open standards (RFC 7519), they can be utilized on a variety of platforms and programming languages.
  • Expiration: By incorporating expiration times, JWTs can improve session lifetime management and lower the possibility of token abuse.

Drawbacks of JWT

  • Token size: Despite their compactness, JWTs have the potential to be larger than conventional session IDs, particularly if they include numerous claims. This may result in higher bandwidth consumption.
  • Revocation: It is difficult to revoke a JWT before it expires once it has been issued. Since a token is valid until it expires, this could be a security risk if it is compromised.
  • Complexity: Using JWTs can make your application more complicated, particularly if you have to deal with token expiration, verification, and signing.
  • Security risks: If not implemented properly, JWTs are susceptible to a number of attacks, including replay attacks, token theft, and algorithm manipulation. Appropriate countermeasures, such as short expiration times, transport over HTTPS, and strict verification of the algorithm and signature, must be in place to reduce these risks.
  • Lack of built-in storage: Because JWTs are stateless, any extra user data (such as roles or permissions) needs to be handled independently, which can make the application architecture more difficult.
  • Overhead of signing and verification: If asymmetric signing algorithms are employed, the signing and verification of JWTs may result in some computational overhead.

Conclusion

Although JWTs provide a scalable and adaptable solution for information sharing and authentication, they also present a unique set of difficulties. It's critical to apply best practices to guarantee security and balance the benefits and drawbacks according to the particular needs of your application.

We learned a new technique and grew together.

Happy coding!
