
by 테크유람 Mar 05. 2019

Get started with JWT

About JWT (JSON Web Token)



What is JSON Web Token?

JSON Web Token (JWT) is an open standard (RFC 7519) token format. It is a compact, self-contained way to securely transmit information between parties as a JSON object.


Key concepts of JWT

A JWT looks like an API token or API key, but it carries all of the user's information needed for authentication. This eliminates the need to query the database more than once. We call this scheme self-contained.

JWT is smaller than other information-carrying formats such as XML or SAML. JWTs can be sent in a URL, in a POST parameter, or inside an HTTP header. Thanks to its small size, transmission is faster than with other elements such as string-based API keys or SAML. A JWT is normally a single string of roughly 100 (+-) base64-encoded characters, so its length is about 100 (+-) bytes.


How can you use JWT?

* Authentication: The most common use of JWT. After a user logs in, each subsequent request includes a JWT that grants them access to the routes, services, and resources allowed by the token. Single sign-on (SSO) often uses JWT, because of its small overhead and cross-domain availability.   

* Information exchange: JWTs can securely transfer information between parties. Because a JWT must be signed with a secure algorithm, such as one using a public/private key pair, a server can trust the JWT sender and the access levels the JWT claims.


The elements of JWT

JWTs are constructed from three elements: header, payload, and signature. These elements are joined by two periods (.), as shown here:

JWT elements


The first two elements are base64url-encoded JSON objects with a defined structure.

You can see what base64url output looks like using a base64url encoder such as SimplyCalc.


JWT uses a variant of base64 encoding that is safe for URLs. This encoding replaces the "+" and "/" characters with "-" and "_", respectively, and the padding ("=") is removed as well. This variant is known as base64url. For the example token, the resulting sequence is a printable string like this:


eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.
XbPfbIHMI6arZ3Y922BhjWgQzWXcXNrz0ogtVhfEd2o


Sometimes, the signature is omitted in the case of an unencrypted JWT.

The header, once base64url-decoded, looks like the original JSON:


{
   "alg":"HS256",
   "typ":"JWT"
}


The decoded payload is: 

{
   "sub":"1234567890",
   "name":"John Doe",
   "iat":1516239022
}


And the secret required to verify the signature is the string "secret".
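The construction walked through above (base64url-encode the header and payload, sign header.payload with HMAC-SHA256, then verify) as an added Python example, not code from the original post. It uses only the standard library and the page's own header, payload and key "secret"; the verifier also rejects unsigned tokens and any alg other than HS256, so a token cannot pick its own verification rule.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# The header and payload shown on the page.
HEADER = {"alg": "HS256", "typ": "JWT"}
PAYLOAD = {"sub": "1234567890", "name": "John Doe", "iat": 1516239022}
KEY = b"secret"  # the page's example secret; never use such a key in production


def b64url_encode(data: bytes) -> str:
    """base64url: '+' -> '-', '/' -> '_', trailing '=' padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding the token omits."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_segment(obj: dict) -> str:
    # Compact JSON (no whitespace) so the segment matches the page's encoding.
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 over header.payload."""
    signing_input = f"{encode_segment(header)}.{encode_segment(payload)}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the payload if `token` is a valid HS256 JWT under `key`, else None.

    The expected algorithm is fixed by the verifier, not read from the token:
    an empty signature or a header with a different alg is rejected outright.
    """
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        return None  # malformed or unsigned token
    try:
        header = json.loads(b64url_decode(parts[0]))
        given_sig = b64url_decode(parts[2])
    except ValueError:
        return None  # bad base64url or JSON
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_sig):  # constant-time compare
        return None
    return json.loads(b64url_decode(parts[1]))
```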


Verifying JWT

You can create a JWT with the debugger at https://jwt.io. The encoded and decoded values can be tested on that web site as well.

JWT Debugger in JWT.IO


Signature algorithm

A signed JWT has a signature element. This element appears after the last dot (.) in the JWT. Several signing algorithms are available. The three major algorithms used in the JWT specifications are:


* HS256: HMAC using SHA-256.

* RS256: RSASSA-PKCS1-v1_5 using SHA-256.

* ES256: ECDSA using P-256 and SHA-256.


JWA is the JSON Web Algorithms specification, defined in RFC 7518. RSASSA is a variant of the RSA algorithm adapted for signatures. RSA is a public-key algorithm. Public-key algorithms generate a split key pair: one public key and one private key.


In this algorithm, the private key can be used both to create a signed message and to verify its authenticity. The public key can only be used to verify the authenticity of a message.



