JWT Token: A Comprehensive Guide
by Muskan Verma
JWT token (JSON Web Token) is a widely accepted standard (RFC 7519) that provides a compact and self-contained method for securely exchanging information as a JSON object.
The information contained in JWTs can be verified and trusted due to its digital signature. JWT tokens can be signed using a secret with the HMAC algorithm or a public/private key pair using RSA or ECDSA. This cryptographic signing ensures the integrity and authenticity of the JWT, enabling recipients to validate its contents confidently.
JSON Web Token Structure
The JWT token consists of three parts which are separated by dots (.): the header, the payload, and the signature.
The header of a JWT token primarily provides information about the cryptographic operations applied to the token, such as the signing or encryption technique used. Additionally, it can include details about the media or content type of the information being transmitted.
A simple example of a JWT header:
{"alg": "HS256", "typ": "JWT"}
In this example, the header specifies that the JWT is signed with HMAC using SHA-256 (HS256), and the token type is JWT. Note that the header is only Base64url-encoded, not protected in any way on its own; its "alg" value is what the signature will be checked against, which is exactly why a verifier must not take that value at face value (see below).
Some JWTs can be created without a signature or encryption, making them unsecured tokens. In the header of an unsecured JWT, the value of the "alg" property is set to "none", and the signature part is empty. Such a token has no integrity protection at all: anyone can change its payload, so it is only acceptable where the token travels over a channel that is itself authenticated. A verifier must therefore decide which algorithm(s) it accepts and reject any token whose "alg" is "none" or otherwise unexpected, rather than letting the token choose how it is verified.
The payload of a JWT is where the user data, also known as "claims", is included. It is important to note that the payload is only Base64url-encoded, not encrypted, so it is readable by anyone who obtains the token: a client, a proxy, or anyone who finds it in a log.
Therefore, do not include confidential or sensitive information in the payload of a signed JWT. If the contents must be hidden, encrypt the token (JWE) or keep the sensitive data server-side and reference it by an identifier.
Claims in JWTs can be categorised into three types: registered (often called reserved), public, and private.
1. Registered Claims
These are predefined claims with specific meanings that RFC 7519 registers in the IANA "JSON Web Token Claims" registry, so they are interpreted the same way across systems.
Examples of registered claims include "iss" (issuer), "sub" (subject), "aud" (audience), "exp" (expiration time), "nbf" (not before), "iat" (issued at) and "jti" (JWT ID). All of them are optional in the standard, but a verifier should insist on the ones its application depends on, typically "exp", "iss" and "aud".
2. Public Claims
Public claims are custom claims defined by users or organisations for their own use cases. They are not part of the standard, so to avoid collisions their names should either be registered in the IANA registry or use a collision-resistant name, such as a URI under a domain the defining party controls. Public claims help convey additional information relevant to the application or domain.
3. Private Claims
Private claims are similar to public claims but are agreed upon privately between the producer and consumer of the token, for instance within a single application or organisation. They are not meant to be shared or understood by other parties, and because nothing prevents two parties from picking the same name, they can collide. Private claims provide a way to include custom information for internal use.
To create the signature part of a JWT using the HMAC SHA256 algorithm, you take the Base64url-encoded header, the Base64url-encoded payload and a secret key, and sign them with the algorithm named in the header:
HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  secret)
The resulting MAC is itself Base64url-encoded and appended as the third part of the token. The signature proves that the token was produced by a holder of the secret and that neither the header nor the payload has been altered since. With HMAC the same secret is used to sign and to verify, so every party that can verify a token can also mint one; if verifiers should not be able to issue tokens, use an asymmetric algorithm (RSA or ECDSA), where only the issuer holds the private key.
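To make the three-part structure, the "alg": "none" caveat and the claim checks above concrete, here is an added example using only Python's standard library. It is not code from the original article, from Auth0 or from any JWT library: it mints an HS256 token, then verifies it while refusing an unsigned (alg "none") token, a tampered payload, a wrong secret, a wrong audience and an expired token. The secret, claims and issuer URL are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


class InvalidToken(Exception):
    """Raised for any token the verifier refuses; callers treat all cases alike."""


def b64url_encode(data: bytes) -> str:
    # JWT uses Base64url without '=' padding (RFC 7515 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding stripped at encode time before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _compact(obj: dict) -> bytes:
    # Compact JSON; the exact bytes are what get signed, so keep them stable.
    return json.dumps(obj, separators=(",", ":")).encode()


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature with HS256, as described in the text."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url_encode(_compact(header)) + "." + b64url_encode(_compact(claims))
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def forge_unsigned(claims: dict) -> str:
    """What an attacker sends hoping the verifier honours alg "none":
    a normal-looking header and payload followed by an empty signature part."""
    header = {"alg": "none", "typ": "JWT"}
    return b64url_encode(_compact(header)) + "." + b64url_encode(_compact(claims)) + "."


def verify_hs256(token: str, secret: bytes, *, issuer: str, audience: str,
                 now: Optional[float] = None) -> dict:
    """Return the claims only if the signature and the registered claims check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("a signed compact JWT has exactly three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # covers bad Base64 (binascii.Error) and bad JSON
        raise InvalidToken(f"malformed header or signature: {exc}") from exc
    # The verifier, not the token, decides the algorithm. This rejects alg "none"
    # and also stops a token from steering us towards a different algorithm.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unexpected or missing alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise InvalidToken("signature mismatch")
    # Only now is the payload trustworthy enough to parse and act on.
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError as exc:
        raise InvalidToken(f"malformed payload: {exc}") from exc
    if not isinstance(claims, dict) or claims.get("iss") != issuer:
        raise InvalidToken("wrong issuer")
    aud = claims.get("aud")  # "aud" may be a single string or a list of strings
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise InvalidToken("token not intended for this audience")
    # "exp" is optional in RFC 7519; this verifier makes it mandatory on purpose.
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise InvalidToken("missing or past exp")
    if "nbf" in claims and now < claims["nbf"]:
        raise InvalidToken("token not yet valid")
    return claims


def rejects(token: str, secret: bytes, **kwargs) -> bool:
    """True if verify_hs256 refuses the token; handy for demos and tests."""
    try:
        verify_hs256(token, secret, **kwargs)
    except InvalidToken:
        return True
    return False


if __name__ == "__main__":
    SECRET = b"constructed-demo-secret-not-for-production"  # constructed for this example
    CLAIMS = {"iss": "https://issuer.example", "aud": "orders-api", "sub": "user-42",
              "iat": 1_700_000_000, "exp": 1_700_003_600}  # constructed sample claims
    KW = dict(issuer="https://issuer.example", audience="orders-api", now=1_700_000_100)
    token = sign_hs256(CLAIMS, SECRET)
    print("token:", token)
    print("verified subject:", verify_hs256(token, SECRET, **KW)["sub"])
    print("alg none rejected:", rejects(forge_unsigned({**CLAIMS, "sub": "admin"}), SECRET, **KW))
    h, p, s = token.split(".")
    print("tampered payload rejected:",
          rejects(f"{h}.{b64url_encode(_compact({**CLAIMS, 'sub': 'admin'}))}.{s}", SECRET, **KW))
```

The order of checks matters: the algorithm is pinned before the signature is computed, the signature is checked with a constant-time comparison before the payload is parsed, and only then are issuer, audience and lifetime enforced. Real deployments additionally allow a small clock skew on "exp" and "nbf" and, for asymmetric algorithms, select the verification key by "kid" from a fixed, trusted key set rather than from anything inside the token.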
The benefits of utilising JSON Web Tokens (JWTs)
Below listed are the advantages of JSON Web Tokens (JWT) compared to Simple Web Tokens (SWT) and Security Assertion Markup Language (SAML) tokens:
1. Compact Size:
JWT is more compact than SAML because JSON is less verbose than XML and encodes to a smaller size, making JWT suitable for HTML and HTTP environments where efficiency is crucial.
2. Security Options:
SWT can only be symmetrically signed with a shared secret using the HMAC algorithm. In contrast, JWT and SAML tokens can utilise a public/private key pair, such as an X.509 certificate, for signing. However, signing XML with XML Digital Signature is complex and has historically been prone to security vulnerabilities (for example, signature-wrapping mistakes in parsers), whereas signing JSON is simpler.
3. Easy Integration:
JSON parsers are widely available in programming languages and can directly map to objects. In contrast, XML lacks a natural document-to-object mapping, making JWT easier to work with than SAML assertions.
4. Broad Usage:
JWT is extensively used on the internet, with widespread adoption across multiple platforms, particularly in mobile environments. The ease of client-side processing contributes to its popularity.
When should you start using JSON Web Tokens?
1. Authorization -
JWT is commonly used in scenarios where users need to authenticate and then access different services or resources. Once a user logs in, they receive a JWT, which is then included in subsequent requests (typically in an Authorization: Bearer header). This token allows the user to access authorised routes, services, and resources without needing to provide credentials again. Because the token is self-contained, each request is authorised by validating the token's signature and claims rather than by a server-side session lookup; the flip side is that a token stays valid until its "exp" unless the server keeps a revocation list, so access tokens should be short-lived. JWT is particularly popular in Single Sign-On (SSO) systems because it is lightweight and can be easily used across multiple domains.
2. Information Exchange -
JSON Web Tokens (JWTs) offer a reliable and secure method of transmitting information between parties. By utilising signature mechanisms, such as public/private key pairs, a JWT enables verification of the sender's authenticity. The signature covers both the header and the payload, so any alteration of either is detected; it does not, however, hide the contents, which remain readable as noted above.
How to utilise JSON Web Tokens in Auth0
In Auth0, JWTs are generated as a result of the authentication process. When a user logs in using Auth0, a JWT is created, signed, and delivered to the user. Auth0 supports both HMAC and RSA algorithms for signing JWTs. This token is then utilised for authentication and authorization when interacting with APIs, granting access to protected routes and resources.
Additionally, JWTs are employed in Auth0's API v2 for authentication and authorization purposes, replacing the traditional usage of opaque API keys. JWT token offers granular security, enabling the specification of specific permissions within the token, enhancing debuggability, and providing a more flexible authorization mechanism.
Muskan Verma is a talented content writer and enthusiastic crypto investor. With a knack for creating engaging and informative content, she weaves words to captivate readers and deliver valuable insights. Beyond her writing skills, Muskan Verma is deeply immersed in the world of cryptocurrencies, constantly exploring investment opportunities and staying aware of market trends.