- It is an open standard (RFC 7519) — be aware that all JWTs are tokens, but not all tokens are JWTs.
- It is a compact and self-contained way for securely transmitting information between parties as a JSON object.
- Since JSON is less verbose than XML, JWT ise preferred over Security Assertion Markup Language (SAML) tokens for the processing simplicity.
- JWTs can be digitally signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA to also verify the integrity and source of the data. JWTs can also be encrypted.
- A JWT consists of 3 parts that are separated with “.” dots:
Header: a Base64Url encoded JSON that consists of 2 parts: the type of the token (“JWT”), the signing algorithm used (“HMAC SHA256 or RSA”).
Payload: a Base64Url encoded JSON that contains Claims — statements about an entity (typically, the user) and additional data.
Signature: Signed encoded header, encoded payload with a secret and the algorithm specified in the header.
You can use https://jwt.io/#debugger-io as a playground to test JWT tokens for both encode and decode operations.
JWT claim convention
There are seven claims that are not required, but are recommended to allow interoperability with third-party applications. All possible claims are listed and described here.
iss(issuer): Issuer of the JWT
sub(subject): Subject of the JWT (the user)
aud(audience): Recipient for which the JWT is intended
exp(expiration time): Time after which the JWT expires
nbf(not before time): Time before which the JWT must not be accepted for processing
iat(issued at time): Time at which the JWT was issued; can be used to determine age of the JWT
jti(JWT ID): Unique identifier; can be used to prevent the JWT from being replayed (allows a token to be used only once)
It provides a stateless authentication mechanism. When a user successfully logs in using their credentials, an ID token is returned (for OpenID Connect (OIDC), it is a JWT).
After a successful login, an application may request to access routes, services, or resources (e.g., APIs) on behalf of that user.
To do so, in every request, it must pass an Access Token (in the form of a JWT).
The user agent should send the JWT, typically in the Authorization header (prevent them from getting too big in size) using the Bearer schema.
Authorization: Bearer <token>Single Sign-on (SSO) also widely uses JWT because of the small overhead of the format, and its ability to easily be used across different domains.
- Information Exchange
Because of JWTs security features (they can be signed and verified that the content hasn’t been tampered with), JWTs are a good way of transmitting information between parties.
- Simple implementation.
- You can create and verify the tokens on the fly without a need to store them in the database. It is popularly used as a client-side-based stateless session, this means the server doesn’t have to completely rely on a data store (or) database to save session information.
- A popular way to authenticate/authorize users in a microservice architecture (in large distributed systems).
- a specifically isolated “authorization” microservice that can create these tokens.
- other microservices can just have the public key to verify the signature of the tokens.
- The need to query the database for certain further operations may be reduced (with the help of the data sent in payload).
- No way to log out or invalidate sessions for users.
- No way for a user to disable their sessions across multiple devices.
- Dependent on one secret key. If the secret key is compromised, the attacker can spoof any user’s identity. We can reduce this risk by changing the secret key from time to time.
Some Details About Abbreviations Used Above
OpenId allows you to use an existing account to sign in to multiple websites, without needing to create new passwords.
You can associate information with your OpenID that can be shared with the websites you visit, such as a name or email address (you can limit what & how much to share with each website).
Your password is only given to your identity provider, and that provider then confirms your identity to the websites you visit. Other than your provider, no website ever sees your password.
SAML — Security Assertion Markup Language is an XML-based open-standard for exchanging authentication and authorization information between two parties: an identity provider (IdP) and a service provider (SP).
Identity Provider — Performs authentication and passes the user’s identity and authorization level to the service provider.
Service Provider — Trusts the identity provider and authorizes the given user to access the requested resource.
HMAC — Hash-based Message Authentication Code is a type of a message authentication code (MAC) that is acquired by executing a cryptographic hash function on the data and a secret shared key. Like any of the MAC, it is used for both data integrity and authentication.
RSA algorithm is an asymmetric (that works with a public and a private key) cryptography algorithm. The public key consists of two numbers where one number is a multiplication of two large prime numbers. The private key is also derived from the same two prime numbers.