JWT Token: A Comprehensive Guide

JWT token (JSON Web Token) is a widely accepted standard (RFC 7519) that provides a compact and self-contained method for securely exchanging information as a JSON object.

The information contained in JWTs can be verified and trusted due to its digital signature. JWT tokens can be signed using a secret with the HMAC algorithm or a public/private key pair using RSA or ECDSA. This cryptographic signing ensures the integrity and authenticity of the JWT, enabling recipients to validate its contents confidently.

JSON Web Token Structure

The JWT token consists of three parts which are separated by dots(.):

1.  Header

 The header of a JWT token primarily provides information about the cryptographic operations applied to the token, such as the signing or encryption technique used. Additionally, it can include details about the media or content type of the information being transmitted.

A simple example of a JWT Header

{

  "alg": "HS256",

  "typ": "JWT"

}

In this example, the header specifies that the JWT uses the HMAC SHA256 algorithm (HS256) for cryptographic operations, and the token type is JWT.

Some JWTs can be created without signature or encryption, making them unsecured tokens. In the header of an unsecured JWT, the value of the "alg" property is set to "none", indicating that no cryptographic algorithm is applied to the token, making it less secure than signed or encrypted JWTs.

{

"alg":" none"

}

2.    Payload

The payload of a JWT is where the user data, also known as "claims", is included. It is important to note that the payload is readable by anyone with access to the token.

Therefore, it is advisable not to include confidential or sensitive information in the payload to maintain security and privacy.

Claims in JWTs can be categorised into three types: reserved, public, and private.

3.    Reserved Claims

These are predefined claims that have specific meanings and are commonly used.

Examples of reserved claims include "iss" (issuer), "exp" (expiration time), "sub" (subject), and "aud" (audience). These claims have standardised interpretations across different systems.

4.    Public Claims

Public claims are custom claims defined by the users or organisations. They are not standardised and can vary based on specific use cases. Public claims help convey additional information relevant to the application or domain.

5.    Private Claims

Private claims are similar to public claims but are specific to a single application or organisation. They are not meant to be shared or understood by other parties. Private claims provide a way to include custom information for internal use within the application or organisation.

{

   "alg": "none"

 }

6. Signature

To create the signature part of a JWT using the HMAC SHA256 algorithm, you need to take the encoded header, the encoded payload, a secret key, and the algorithm specified in the header and then sign them.

HMACSHA(

  base64UrlEncode(header) + ’.’ +

  base64UrlEncode(payload),

  secret)

The benefits of utilising JSON Web Tokens (JWTs)

Below listed are the advantages of JSON Web Tokens (JWT) compared to Simple Web Tokens (SWT) and Security Assertion Markup Language Tokens (SAML)

1.   Compactness:

JWT is more compact than SAML due to JSON's concise nature and smaller encoded size, making JWT suitable for HTML and HTTP environments where efficiency is crucial.

2.   Security Options:

SWT can only be symmetrically signed with a shared secret using the HMAC algorithm. In contrast, JWT and SAML tokens can utilise a public/private key pair, such as an X.509 certificate, for signing. However, signing XML with XML Digital Signature can be complex and prone to security vulnerability, whereas signing JSON is simpler.

3.   Easy Integration:

JSON parsers are widely available in programming languages and can directly map to objects. In contrast, XML lacks a natural document-to-object mapping, making JWT easier to work with than SAML assertions.

4.   Broad Usage:

JWT is extensively used on the internet, including widespread adoption across multiple platforms, particularly in mobile environments. The ease of client-side processing contributes to its popularity and originality.

## When should you start using JSON Web Tokens?

1.    Authorization -

JWT is commonly used in scenarios where users need to authenticate and access different services or resources. Once a user logs in, they receive a JWT, which is then included in subsequent requests. This token allows the user to access authorised routes, services, and resources without needing to provide credentials again. JWT is particularly popular in Single Sign-On (SSO) systems because it is lightweight and can be easily used across multiple domains.

2.    Information Exchange -

JSON Web Tokens (JWTs) offer a reliable and secure method of transmitting information between parties. By utilising signature mechanisms, such as public/private key pairs, a JWT token enables verification of the senders' authenticity. The inclusion of a signature covering the header and payload ensures that the content remains unaltered and protected against tampering.

How to utilise JSON Web Tokens in Auth0

In Auth0, JWTs are generated as a result of the authentication process. When a user logs in using Auth0, a JWT token is created, signed, and delivered to the user. Auth0 supports both HMAC and RSA algorithms for signing JWTs. This token is then utilised for authentication and sanction when interacting with APIs, granting access to protected routes and resources.

Additionally, JWTs are employed in Auth0's API v2 for authentication and authorization purposes, replacing the traditional usage of opaque API keys. JWT token offers granular security, enabling the specification of specific permissions within the token, enhancing debuggability, and providing a more flexible authorization mechanism.