Introduction
JSON Web Token (JWT) is an open industry standard (RFC7516) for representing claims between two parties, and it is what we will look at in this blog. It allows data to be transmitted between parties as a JSON object that is digitally signed and can therefore be trusted. JWT authentication is widely popular in web development. A JWT can be signed using a secret (with the HMAC algorithm) or with a public/private key pair using RSA or ECDSA.
A JSON Web Token can also be encrypted to provide secrecy between the parties, but we will focus on signed tokens, which let the receiver verify the claims contained within them. A JSON Web Token looks like this:
JSON Web Token Example from a Real-World Project
The code for this project will be available in my next article.
"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.17WuapLSXYLiMGErZB1dtmBFKz5xuJvxTWQsSS57GLk",
If we want to see what is inside this JSON Web Token, we first go to jwt.io:
https://jwt.io/#debugger-io
Follow the link above to decode the token and see what is inside it.
Copy your JSON Web Token, go to jwt.io and open the Debugger tab.
Paste the token into the Encoded pane. As soon as it is pasted, the decoded JWT appears on the right-hand side, split into Header, Payload and Verify Signature, as seen in the image below.
Header
The header consists of two parts:
- the signing algorithm (HMAC SHA-256 or SHA-512)
- the type of the token
Example
In the example above, you can see the decoded header of our JSON Web Token.
Payload
The payload is the second part of the token and contains the user details and registered claims. The payload is base64url-encoded in the JWT.
Registered Claims
A set of predefined claims that are not mandatory but are recommended, such as:
- JWT Id
- Valid Audience
- Validate Audience
- Expiration time
- Issued At
- Validate Lifetime
- Valid Issuer
Public Claims
Public claims are the part of the payload that represents the set of information exchanged between the two parties.
Private Claims
Custom claims that the two parties agree on for sharing information between them.
In the picture below, you can see the payload data from our JSON Web Token.
Signature
To create the signature, you combine the encoded header, the encoded payload and your secret.
Example
What problem JSON Web Token Solves
The main purpose of a JSON Web Token is to transfer claims between two parties. The most important aspect of this standardization effort is that it defines a simple container format whose contents can optionally be validated or encrypted.
When to use the JWT Token
- When you want to authorize the user
- When you want to exchange information between two parties
How the JWT Works
In the example below, we send a request with the user's credentials from the browser to the server.
Example
After the browser sends the request, the server validates the credentials and generates a JWT for us.
If all endpoints in the application are secured, then to get data from those endpoints we must have the JWT and send it along with each request; only then will the URL return the data.
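To make the signature section and the request flow above concrete, here is an added example in Python that is not part of the original post or of the project it describes. It shows the three parts of a token being built, the header and payload being decoded the way the jwt.io debugger shows them, and the server-side check that a request carrying the token must pass before data is returned. The secret, issuer and audience values and the claim contents are constructed for the example; the `Authorization: Bearer <token>` header format is the usual way the token is sent with each request.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed secret for the example; a real deployment loads it from configuration.
SECRET = b"example-secret-do-not-use-in-production"


def b64url_encode(data: bytes) -> str:
    # JWT uses base64url without the trailing '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that was stripped on the way in.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(signing_input: bytes, secret: bytes) -> str:
    # HS256: HMAC-SHA256 over "<encoded header>.<encoded payload>".
    return b64url_encode(hmac.new(secret, signing_input, hashlib.sha256).digest())


def create_token(claims: dict, secret: bytes) -> str:
    # Server side: build header.payload.signature after the credentials were accepted.
    header = {"alg": "HS256", "typ": "JWT"}
    encoded_header = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    encoded_payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{encoded_header}.{encoded_payload}".encode("ascii")
    return f"{encoded_header}.{encoded_payload}.{sign_hs256(signing_input, secret)}"


def decode_unverified(token: str) -> Tuple[dict, dict]:
    # What the jwt.io debugger shows: header and payload are only encoded, not encrypted.
    encoded_header, encoded_payload, _ = token.split(".")
    return json.loads(b64url_decode(encoded_header)), json.loads(b64url_decode(encoded_payload))


def validate_token(token: str, secret: bytes, issuer: str, audience: str,
                   now: Optional[float] = None) -> dict:
    # Verify the signature first, then the registered claims; raise ValueError on any failure.
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    encoded_header, encoded_payload, signature = parts
    header = json.loads(b64url_decode(encoded_header))
    # Pin the algorithm: the verifier, not the token, decides how it is checked.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{encoded_header}.{encoded_payload}".encode("ascii")
    if not hmac.compare_digest(sign_hs256(signing_input, secret), signature):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(encoded_payload))
    # Registered claims: issuer, audience, expiration time, not-before.
    if claims.get("iss") != issuer:
        raise ValueError("bad issuer")
    if claims.get("aud") != audience:
        raise ValueError("bad audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    return claims


def authorize_request(headers: dict, secret: bytes, issuer: str, audience: str,
                      now: Optional[float] = None) -> Optional[dict]:
    # Secured endpoint: the client sends "Authorization: Bearer <token>" with each request.
    # Returns the verified claims, or None when the request must be rejected.
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    try:
        return validate_token(auth[len("Bearer "):], secret, issuer, audience, now)
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed claims: issued at t=1000, valid until t=1600 (seconds since the epoch).
    token = create_token({"iss": "api", "aud": "web", "sub": "alice", "iat": 1000, "exp": 1600}, SECRET)
    print(token)
    print(decode_unverified(token))
    print(authorize_request({"Authorization": "Bearer " + token}, SECRET, "api", "web", now=1200))
    print(authorize_request({"Authorization": "Bearer " + token}, SECRET, "api", "web", now=1700))
```

The encoded header produced here is the same `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9` prefix seen in the real token earlier in the post, because the header `{"alg":"HS256","typ":"JWT"}` is identical. Note that `decode_unverified` reads the payload without any check, exactly as jwt.io does; only `validate_token` establishes that the claims can be trusted.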
Conclusion
In this blog, we have studied the JWT, understood how a JSON Web Token works, when to use a JWT, and what is inside a JWT. In my next article we will study and practically implement JWT functionality in an ASP.NET Core Web API project.