How JWT Works
Overview
JWT stands for JSON Web Token. It is an open standard (RFC 7519) for passing claims about an authenticated party between a server and a client in a compact, URL-safe form, and it is primarily used in web applications. A JWT can be sent in any of the following ways:
- Part of the URL (query string). Avoid this where you can: URLs end up in server logs, browser history and Referer headers, which leaks the token.
- Form body parameter
- Cookie
- HTTP header (usually Authorization: Bearer <token>; some applications use a custom header such as x-access-token)
After the server authenticates the client it issues a JWT to the client, and all subsequent requests from the client can be authenticated with that token instead of the original credentials. A JWT is self-contained: it carries within itself all the information the server needs to make an authorization decision, so the server does not have to look up a session. The header and payload are JSON objects. JWTs are commonly used for single sign-on. Suppose you have multiple websites and want to authenticate a user once for all of them. The user authenticates against one site, and the same token is then presented to the other sites, each of which can verify it with the issuer's key.
JWT Structure
A JWT consists of three parts separated by dots (.):
- Header
- Payload
- Signature
All three parts are base64url encoded (the URL-safe base64 alphabet with the = padding removed), not plain base64. The header and payload are JSON before encoding; the signature is raw bytes.

Header
The header is a JSON object that usually has two members:
typ: set to JWT
alg: the signing algorithm, such as HS256 (HMAC with SHA-256), RS512 (RSA signature with SHA-512) or ES384 (ECDSA over P-384 with SHA-384). The header is untrusted input until the signature has been checked, so a verifier must only accept the algorithm(s) it was configured for rather than whichever alg the token names.
Payload
The payload carries the information to be conveyed between client and server. Each item is a claim, a key-value pair. RFC 7519 registers the following claim names:
- iss: issuer
- sub: subject
- aud: audience
- exp: expiration time (seconds since the Unix epoch)
- nbf: not before (the token must not be accepted before this time)
- iat: issued at
- jti: JWT id
Apart from these registered claims, applications can add their own custom claims as long as the names do not collide with the registered ones. Since the payload is only encoded, not encrypted, anyone who obtains the token can read it, so it must not carry passwords or other secrets. The payload cannot be altered undetected, however: any change to the header or payload breaks the signature, and a correct verifier rejects the token.
Signature
The signature is computed over the encoded header and the encoded payload, joined by a dot, using the algorithm named in alg. For HS256 this is an HMAC-SHA256 keyed with a secret shared between issuer and verifier; for the RS* and ES* algorithms the issuer signs with its private key and verifiers check with the matching public key. A plain, unkeyed hash would not be enough, since anyone could recompute it after tampering.
In summary, JWT = header + payload + signature
var s = base64UrlEncode(JSON.stringify(header)) + "." + base64UrlEncode(JSON.stringify(payload));
var signature = hmacSha256(s, secret);   // for alg "HS256"; other algs use a private key here
var jwt = s + "." + base64UrlEncode(signature);
So if any party tampers with the header or the payload, the verifier, which recomputes the signature over the header and payload it received and compares the result with the signature it received, finds a mismatch and rejects the token.
How JWT operates
Let’s see how JWT works in the real world.

Step 1: The client authenticates itself to the server by presenting its credentials and requesting a token.
Step 2: The server checks the credentials and, if they are valid, generates the JWT.
Step 3: The server sends the JWT to the client (if the credentials in step 2 were incorrect it returns an error instead).
Step 4: The client may optionally inspect the token (and verify it, if it holds the verification key) to extract information for use in the application, and persists it on the client side.
Step 5: The client re-uses the persisted token for subsequent requests instead of sending its credentials every time.
Step 6: For each client request, the server verifies the token: the signature, the algorithm, the expiry and any other claims it relies on.
Step 7: If the token is valid the server returns the result the client requested; otherwise it responds with an error.