A JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact way to transfer information securely between two parties, for example as part of an authentication system. Because the information is digitally signed, it can be verified and trusted.
A JWT is composed of three parts: a header, a payload and a signature, separated by dots (.). JWT defines the structure of the information sent from one party to another, and it comes in two forms: serialized and deserialized. The serialized form is what travels over the network with each request and response; the deserialized form is used to read and write the data in the token.
1. Header:
The header describes the operations applied to the JWT, such as the signing and verification algorithm used on it. It may also carry the media/content type of the information being sent. This JSON is then Base64Url-encoded to form the first part of the JWT.
The header of a JWT looks like below:
{
  "typ": "JWT",
  "alg": "HS256"
}
The header therefore has two fields: the type of token, which is JWT here, and the signing algorithm, such as HMAC with SHA-256 or RSA.
2. Payload:
The payload is the second part of the JWT and carries the user data, also referred to as the 'claims' of the JWT. This data is only encoded, not encrypted, so anyone holding the token can read it; confidential information should never be placed here.
An example of the payload:
{
  "sub": "1234567890",
  "name": "Akshata Waghe",
  "email": "[email protected]"
}
The payload above contains the claims sub, name and email. Each plays a different role: 'sub' stands for the subject (the user the token refers to), and 'email' is the email address of the user.
3. Signature:
The signature is the third part of the JWT and is used to verify the authenticity of the token. The Base64Url-encoded header and payload are joined with a dot (.) and the result is signed with the algorithm named in the header, using a secret key. The signature is appended to the header and payload with another dot (.), which yields the actual token: header.payload.signature
Example (the two encoded parts are concatenated with a dot and fed to HMAC-SHA256 together with the secret):
HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  secret
)
The following shows a JWT that has been signed with a secret:
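To make the signing and verification steps concrete, here is an added example (not code from the original post) that builds an HS256 token from the header and payload described above using only the Python standard library, then verifies it. The secret, the claim values and the timestamps are constructed for the demonstration. The verifier pins the expected algorithm, compares signatures in constant time and rejects a token whose 'exp' claim has passed, which is the check behind the note below that an unexpired token remains a risk.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    """Base64Url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding Base64Url strips before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Return header.payload.signature for the given claims."""
    header = {"typ": "JWT", "alg": "HS256"}
    # Compact JSON (no spaces) so the encoded parts are stable.
    header_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    # The signing input is exactly base64UrlEncode(header) + "." + base64UrlEncode(payload).
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(signature)}"


def verify_hs256(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Validate the token and return its claims; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts

    # Never trust the header to choose the algorithm: the server decides what it accepts.
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg in header")

    # Recompute the signature over the received header and payload.
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature does not match")

    payload = json.loads(b64url_decode(payload_b64))
    current = int(time.time()) if now is None else now
    if "exp" in payload and current >= int(payload["exp"]):
        raise ValueError("token expired")
    return payload


if __name__ == "__main__":
    # Constructed demo values; a real secret would be long and random.
    demo_secret = b"constructed-demo-secret"
    claims = {"sub": "1234567890", "name": "Akshata Waghe", "exp": 2000000000}
    token = sign_hs256(claims, demo_secret)
    print(token)
    print(verify_hs256(token, demo_secret))
```

The signing side and the verifying side must agree on the secret out of band; the token itself only proves that whoever produced it knew that secret, which is why the payload is readable by anyone yet still trustworthy once the signature checks out.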
There are multiple ways to let a service be used securely, and JSON Web Tokens are one of them, although the security they provide has limits. A JWT is a way of representing claims securely between two parties; it is considered secure because the token can be signed with a secret or with a public/private key pair.
A very common use of a JWT is as an API authentication mechanism.
The idea is simple: after authenticating, you receive a token from the server, and you send that token with each request so the server knows which client you are.
Note: store JWTs securely.
A JWT should be kept in a safe place inside the user's browser. If it is stored in localStorage, it is accessible to any script running on the page.
A JWT is secure in some respects and weaker in others. For example, a JWT is more exposed to hijacking and has to be designed to prevent it. A token that never expires remains a security risk for as long as it exists, and if a weak secret or algorithm is used the token signature can be compromised. This vulnerability does not exist with sessions.
If you want to experiment with JWTs, you can use jwt.io.
I hope this helps!