We will be discussing the following:
· What is a JSON Web Token?
· What is the use of JWT?
· What are the different types of JWT?
JSON Web Token, also known as JWT, is a URL-safe way to transfer information between parties. A JWT is basically a concatenation of three strings separated by dots; each string is a different part of the token.
The three parts of a JWT are:
· Header
· Payload
· Signature
The token has three parts, of which the signature part is optional. If a token does not have the signature part it is an unsecured JWT, and unsecured JWTs are rarely used.
The other two parts, the header and the payload, are originally written in JSON, which is why it is called a JSON Web Token.
We encode the JSON using the Base64url algorithm to get the final form of each part.
Base64 is an encoding scheme that represents any bytes using letters, digits, plus, and slash.
Base64url is a modified version of Base64 that uses URL-safe characters in place of plus and slash; its purpose is mainly to make the JWT URL safe.
Header – the header contains information about the token.
In the header we can use the following parameters:
· typ: the type of the token; in this case it is JWT. This field is optional.
· alg: the algorithm used in the signature field. This field is mandatory.
· cty: content type; must be present if the payload contains a nested token.
Header
{
"alg": "HS256",
"typ": "JWT"
}
After encoding with Base64url we will get
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
Payload
The payload is the part of the JWT in which we provide information about a party as name/value pairs, called claims. The name is called the claim name and the value is called the claim value.
There are three types of JWT claims
· Registered
· Public
· Private
Registered Claims are claims whose names are registered in the IANA JSON Web Token Claims registry and defined in the specification.
Registered claim names are:
· iss (Issuer Claim) – issuer of the JWT
· sub (Subject Claim) – subject of the JWT
· aud (Audience Claim) – audience of the JWT
· exp (Expiration Time Claim) – expiration time of the JWT
· nbf (Not Before Claim) – the JWT must not be accepted before the time defined in this claim
· iat (Issued At Claim) – time at which the JWT was issued
· jti (JWT ID Claim) – string representing a unique identifier of the JWT
Public Claims are claims that are either registered in the IANA JSON Web Token Claims registry
Private Claims are claims defined by consumers and producers of the JWTs that are not registered.
Signature – the most important part, used to validate the token; it allows parties to establish and verify the authenticity of the token. It cannot prevent other parties from reading the token; for that you need to encrypt the token.
JSON Web Signature follows the RFC 7515 specification.
Signature in pseudocode:
· alg is the algorithm defined in the header.
· secret is the shared secret required by HMAC signatures; it is used to verify the signature's authenticity.
Why is JWT used?
Basically, JWT is used for user authentication and makes it safer for the user. When a user logs into the server using their credentials, a token is generated on the server for that user. That token is stored in the user's browser for the specific operation, and when the user logs out the token expires. In order to get a new token the user needs to log in again with their credentials.