JWT – JSON Web Token

I have been using JWT in my project for more than a year, but I never realized what it actually is and what it contains. In this post, let's see what it is and what it contains.

Before we started using JWT, we were using basic username and password authentication. The encrypted username and password are sent in the HTTPS header and the authentication happens on the server side. Once authentication is successful, a session is created and its session id is sent back in the response. All further requests are then made using this session id.

What if someone intercepts and resends the username/password or the session id? That is the security vulnerability, and JWT comes into the picture for better security.

Below is a sample JWT. It might look lengthy, but it is only base64url-encoded:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.cThIIoDvwdueQB468K5xDc5633seEFoqwxjF_xSJyQQ

This token has three parts separated by '.'. If we decode it, we can see the JSON objects and the signature as below (header, payload, and the signature over the header and payload):

{
  "alg": "HS256",
  "typ": "JWT"
}

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret
)

The secret itself may be supplied base64 encoded.

  • JWA (JSON Web Algorithms) is essentially a registry of standard names and algorithms.
  • The payload content is optional; which claims to include depends solely on our requirements.
  • The signature uses the algorithm named in the header and is computed over the header and the payload.

Put another way, a JWT can be treated as a signed cookie.

The optional fields (registered claims) are:

Field   Description
iat     Timestamp of when the token was issued
jti     JWT ID (a unique identifier for the token)
iss     Issuer of the token
exp     Expiry time
sub     Subject
aud     Audience

JWT builds on JSON Web Signature (JWS), JSON Web Algorithms (JWA) and JSON Web Encryption (JWE). So it is actually just a token format. For delegated access we need other standards such as OpenID Connect and OAuth2, which define how such tokens are issued and used.