JWT – Security with Simplicity

Posted on by Vinod Surendran

I think you will spend 120 seconds reading this post

Reading time : [est_time]

In today’s world , security is the prime priority.

Throughout the evolution of computers, security also evolved from simple password based authentication to multi factor based authentication, from simple text encryption to two key encryption.  The latest in this evolution is JWT (JSON Web Tokens), which handles secure message passing between two clients / parties.

Why we need JWT ?

In a normal token based authentication, a token is granted for a authenticated user. All the subsequent service calls uses this token and identifies the user. The identification process takes place at server where this token is validated against a token store data. Same is the case for a SAML authentication. The idea of JWT is to make this token self contained with out loosing the compact nature. So the identity will also lies with in the token . This will reduce the time to look up in the token store and also makes the program code straight forward.

How JWT Works ?

JWT has got three parts; a header, a payload and a signature separated by a dot(.) .

A typical JWT token looks like

xxxx.yyyy.zzzz

<header>.<payload>.<signature>

1. Header

The header consist of two parts. The type of the token which is  JWT and the hashing algorithm used eg: HMAC SHA256 or RSA. This JSON block is base64URL encoded.

{ 
 "alg": "HS256",
 "typ": "JWT" 
}

2. Payload

This section contains the information of the user with the associated meta data. The payload can also store relevant information as per the context. It is advised to make it short as possible (avoid using long key values).

Like the header the payload is also base64URL encoded.

{
 "name" : "Peter",
 "id" : "S190F34"
}

3. Signature

To create a signature, take the header and the payload and sign it using the mentioned algorithm with a secret.

It will look like this.

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret)

Secret can be any string agreed between the two parties. The signature is used to verify the authenticity of the message.

Finally the JWT will look like 

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiUGV0ZXIiLCJpZCI6IlMxOTBGMzQifQ.ZHMsgv28QW3wt3cnyd3pAF3Uzyw0dbzmKF9nZfH9rS8

More details about JWT can be found at https://jwt.io/introduction/. You can use the jwt.io debugger to generate, decode and verify the tokens.

Related Post

Leave a Reply

Your email address will not be published. Required fields are marked *