JSON Web Tokens Explained

Last Updated: 14 Feb, 2023

What is JSON Web Token (JWT)?

JWT is an open standard that defines a compact and self-contained way to transmit information securely between two parties as a JSON object. Information transmitted using JWT is digitally signed, so its integrity can be verified and the information can be trusted.

How are JSON Web Tokens signed?

You can sign a JWT in the following ways:

  • Using a secret key (with the HMAC algorithm)
  • With a public/private key pair (using RSA or ECDSA).

Notes:
Signed tokens let you verify the integrity of the claims contained in them, while encrypted tokens can also hide those claims from other parties.
When JSON Web Tokens are signed using a public/private key pair, the signature certifies that only the party holding the private key could have signed it.

When should we use JSON Web Tokens?

We can use JWT in the following scenarios:

For Authorization Purpose

Most commonly, JWT is used for authorization. Once a user has logged in and a JWT has been issued, each subsequent request contains the JWT, which allows the user to access all services, routes, and resources permitted for that token.

For Exchanging Information

JWT is a good and secure way of transmitting information between parties. Because a JWT can be signed, you can identify valid senders. Additionally, you can verify that the content has not been modified, because the signature is calculated over the header and the payload.

Structure of JSON Web Token

In its compact form, a JWT is made up of three parts separated by dots (.). These parts are as follows:

  • Header - Consists of the signing algorithm and the type of the token.
  • Payload - Contains the claims.
  • Signature - Computed over the encoded header and the encoded payload, using a secret and the algorithm specified in the header.

Below is a sample JWT:

eyJhbGciOiJIUzI1Ni.eyJzdWIiOiIxMjM0NTY3ODkwIiwi.SflKxwRJSMeKKF2QT4fwpMe

1. JWT HEADER

The JWT header is the first part of the JWT and typically contains two fields:

  • Signing Algorithm - Specifies the signing algorithm used, such as HMAC SHA256 or RSA.
  • Token Type - Specifies the type of the token, which is JWT.

Sample JWT Header Example:

{
    "alg": "HS256",
    "typ": "JWT"
}

The above JSON is Base64Url encoded to form the very first part of the JSON Web Token.

2. JWT PAYLOAD

The JWT payload is the second part of the JWT and contains the claims. Claims are statements about the user plus any additional data. JWT claims are of three types:

Registered Claims - These are a set of predefined claims which are recommended but not mandatory. They offer a set of useful, interoperable claims. A few of them are: exp (expiration time), sub (subject), iss (issuer), and others.

Note: registered claim names are only 3 characters long.

Public Claims - These claims are defined at will by those using JSON Web Tokens. To avoid collisions, they should either be defined as a URI that contains a collision-resistant namespace or be registered in the IANA JSON Web Token Registry.

Private Claims - These are custom claims created to share information between parties that agree on using them; they are neither registered nor public claims.

Sample JWT Payload Example:

{
    "sub": "1234554321",
    "name": "Madhav Murari",
    "email": "murari@example.com",
    "verified": true
}

The above JSON is Base64Url encoded to form the second part of the JWT.

3. JWT SIGNATURE

The JWT signature is made from the following parts:

  • Base64Url Encoded Header
  • Base64Url Encoded Payload
  • A Secret
  • The Algorithm Specified in the Header

You take the encoded header and payload and sign them with the secret, using the specified algorithm, to form the JWT signature.

Sample JWT Signature Example using HMAC SHA256 Algorithm:

HMACSHA256(
    base64UrlEncode(header) + "." + base64UrlEncode(payload),
    secret
)

This signature is used to verify that the message has not been changed. Also, if the token was signed with a private key, you can verify the sender of the JWT.

Conclusion:

The final JWT is three Base64Url strings separated by dots, which can be passed easily in HTTP and HTML environments.
