April 28, 2020

# JWT: Part 2 - JWT Structure

What is a JWT token?
JWT (JSON Web Token) is a safe, compact, and self-contained way of transmitting information between parties as a JSON object. It is used for authorization.

Structure of JWT
A JSON Web Token consists of three parts: the header, the payload and the signature. Each part is Base64URL-encoded, and the three encoded strings are joined with a "." between them.


JWT header structure, and why the header is necessary
The details in the payload are validated by the receiver by inspecting the signature. Technical metadata about the token is placed in a separate JSON object and sent together with the payload. That separate JSON object is known as the JWT header.

The header typically consists of two parts: the token's type and the signing algorithm that is being used, e.g.:
{
  "alg": "HS256",
  "typ": "JWT"
}

What does a JWT payload look like?
The payload of a JWT is just a plain JSON object; it is where the actual information that we want to send is stored. Here is an example of a simple payload:
{
  "id": "1008972",
  "first_name": "Himaanshu",
  "last_name": "Shuklaa"
}

There are no restrictions on the content of the payload. A JWT is signed, not encrypted, so any information present in it is readable by anyone who intercepts the token. Therefore it is important not to put into the payload any user information that an attacker could leverage directly.

Purpose of the signature in authentication
The signature is the last part of the JWT; it is a Message Authentication Code (MAC). It is generated using a secret key, so it can only be produced by someone in possession of the header, the payload and that secret key.

When the user submits the username and password, the request is sent to the authentication server via our application server.

After validation, the authentication server generates the JWT using the secret key.

With every subsequent request this JWT is sent in the header (format: Authorization: Bearer <token>). The signed JWT effectively acts as a temporary user credential that replaces the permanent credential (the username and password combination). The application server checks the JWT signature and confirms that someone in possession of the secret key indeed signed this particular payload.

Subject and expiration
We can add the expiry time along with the user information in the payload, e.g.:

{
  "id": "1008972",
  "first_name": "Himaanshu",
  "last_name": "Shuklaa",
  "iss": "Identifier of the authentication server",
  "iat": 19709709, 
  "sub": "github|387987698",
  "exp": 1504897256
}

The above payload has some standard properties:
  • iss: the issuing entity, in this case our authentication server
  • iat: the timestamp of creation of the JWT (in seconds since the Epoch)
  • sub: the technical identifier of the user
  • exp: the token expiration timestamp
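To tie the three sections together (the header.payload.signature layout, the signature check the application server performs, and the iss/exp claims just listed), here is a small HS256 example using only Python's standard library. It is an added illustration, not code from the original post; the secret, the issuer name and the timestamps are constructed values, and the forged token is built locally to show what a verifier must reject.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-secret"   # constructed shared secret, not a real key
ISSUER = "auth.example.test"          # constructed issuer identifier


def b64url_encode(data: bytes) -> str:
    # JWTs use base64url without '=' padding (RFC 7515, appendix C)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding the encoder stripped before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    # "header.payload" is the signing input; the MAC over it becomes the third segment
    signing_input = f"{encode_json(header)}.{encode_json(payload)}"
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


def read_payload_unverified(token: str) -> dict:
    # The payload is only encoded, not encrypted: anyone holding the token can read it
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_hs256(token: str, secret: bytes, expected_iss: str,
                 now: Optional[int] = None) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm on the server side; the token's own header must not choose it
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_mac = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak how many bytes matched
    if not hmac.compare_digest(expected_mac, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if payload.get("iss") != expected_iss:
        raise ValueError("unexpected issuer")
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise ValueError("token expired or missing exp")
    return payload


def verification_error(token: str, secret: bytes, expected_iss: str,
                       now: int) -> Optional[str]:
    # Returns the rejection reason, or None when the token is accepted
    try:
        verify_hs256(token, secret, expected_iss, now)
    except ValueError as exc:
        return str(exc)
    return None


def run_demo(now: int = 1_600_000_000) -> dict:
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"id": "1008972", "first_name": "Himaanshu", "last_name": "Shuklaa",
               "iss": ISSUER, "iat": now, "sub": "github|387987698", "exp": now + 3600}
    token = sign_hs256(header, payload, SECRET)

    # Tampered token: payload segment replaced with one claiming another id,
    # original signature kept, so the MAC no longer matches the signing input
    header_b64, _, sig_b64 = token.split(".")
    forged = f"{header_b64}.{encode_json(dict(payload, id='1'))}.{sig_b64}"

    return {
        "segments": len(token.split(".")),
        "has_padding": "=" in token,
        "unverified_sub": read_payload_unverified(token)["sub"],
        "valid_id": verify_hs256(token, SECRET, ISSUER, now)["id"],
        "tampered_error": verification_error(forged, SECRET, ISSUER, now),
        "wrong_key_error": verification_error(token, b"other-secret", ISSUER, now),
        "expired_error": verification_error(token, SECRET, ISSUER, now + 3600),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Two design points carry over to any real verifier: the accepted algorithm is fixed by the server rather than read from the token, and the signature is checked before any claim in the payload is trusted, with iss and exp validated only after the MAC matches.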
-K Himaanshu Shuklaa..
