
JSON Web Token - A Signed and Encrypted way of transferring claims

Posted By: Vaishnavi Mall Published: 14, Jan 2024

What is JWT?

JSON Web Tokens, abbreviated JWT, are a compact and secure way of transferring claims between two or more parties over the internet, using JSON objects as tokens. Because of their small size, JWTs can be transmitted quickly through a URL, a POST parameter, or an HTTP header.
The transferred claims can be verified and trusted because they are digitally signed. The claims are in JavaScript Object Notation (JSON) format. They can be encrypted using JSON Web Encryption (JWE) and then digitally signed using JSON Web Signature (JWS). JWS, JWE and JWT are specified in [RFC7515], [RFC7516] and [RFC7519] respectively.


Why do we need JWT?


While accessing any application on the web, the flow goes like this: a client sends an HTTP request to the server, and the server processes the request and sends a response accordingly. Let's take a scenario where we have a REST API (GET /users) and we want to restrict the usage of this API to authorized users only. In the most basic approach, you ask the user to log in with some data such as an email and password, and then check your database for those values; if the user exists, he/she is able to access the API, otherwise NOT.

The problem with this approach is that HTTP is stateless, i.e. any new request made by the user carries no information about the previous request, which means that before making any new request the user first has to get authenticated again. In the past this problem was handled using Server Side Sessions (SSS): the first time the user gets authenticated, a session id is saved in the database and sent to the user, and from then on the session id is passed along with each new request. This means overhead: an extra database query is made every time a new request arrives.

Here comes the role of JWT. The JWT can be stored in browser storage or in cookies, eliminating these unnecessary queries to the database. Another advantage of JWT over sessions is that a session id is just a unique number given to the user to get authenticated, whereas a JWT is built in such a way that it can also carry the user's data inside it. Let's see how this is done by looking at the structure of a JWT.


What is the structure of a JWT?

A JSON Web Token consists of three parts separated by dots:

  • Header
  • Payload
  • Signature

So, it basically looks like header.payload.signature, with each part Base64url-encoded.


Header

The Header consists of two parts.

  • The type of the token, i.e. JWT
  • The signing algorithm being used such as HS256 (HMAC using SHA256) or RS256 (RSA using SHA256).


Payload

The payload contains the claims. Claims are statements about an entity and additional data. There are three types of claims.

  • Registered or Reserved Claims

    These are a set of predefined claims, optional but recommended, that provide useful, interoperable information. Some of them are:

    • Subject (sub): Subject of the JWT (the user)
    • Issuer (iss): Issuer of the JWT
    • Expiration time (exp): Time after which the JWT expires
    • Issued at (iat): The time at which the JWT was issued; can be used to determine the age of the JWT.

  • Public claims

    These can be defined at will, but to avoid collisions they should be registered in the IANA JSON Web Token Registry or be defined as a URI that contains a collision-resistant namespace.

  • Private claims

    These are the custom claims created by us to share information between the parties that agreed on using them.


Signature

The signature is calculated over the encoded header and the encoded payload, using a secret key and the algorithm specified in the header. We take all these values and sign them. The signature is used to verify that the message has not been changed and, if the token is signed with a private key, it can also be used to verify that the sender of the JWT is who it claims to be.
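The following is an added example, not code from the original post: it builds the header.payload.signature structure described above with HS256 and shows a verifier that checks the signature, the fixed algorithm, the iss claim and the exp claim, so a tampered payload, a wrong key or an expired token are all rejected. The secret and the claim values are constructed for the demonstration.

```python
import base64, hashlib, hmac, json, time

def b64url_encode(data: bytes) -> str:
    # JWT parts are Base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    # Restore the padding that was stripped on encoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def create_jwt(claims: dict, secret: bytes) -> str:
    """Produce header.payload.signature signed with HS256 (HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [json.dumps(header, separators=(",", ":")).encode(),
             json.dumps(claims, separators=(",", ":")).encode()]
    signing_input = ".".join(b64url_encode(p) for p in parts)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_jwt(token: str, secret: bytes, issuer: str, now=None) -> dict:
    """Return the claims only if alg, signature, iss and exp all check out."""
    now = int(time.time()) if now is None else now
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("token must have exactly three dot-separated parts")
    header_b64, payload_b64, sig_b64 = segments
    header = json.loads(b64url_decode(header_b64))
    # The verifier fixes the algorithm; the token's own header never chooses it
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison so the signature check does not leak timing
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    return claims

def is_valid(token: str, secret: bytes, issuer: str, now=None) -> bool:
    """Boolean wrapper around verify_jwt for callers that only need yes/no."""
    try:
        verify_jwt(token, secret, issuer, now)
        return True
    except ValueError:
        return False
```

Note that the signature covers only the Base64url text of the header and payload, so changing a single payload byte invalidates it, while the payload itself stays readable by anyone holding the token.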


Best Practices

JWT is a modern and robust way of securing our applications. JWTs are used to safeguard our APIs, to add authorization to our applications, and they are also a good means of sharing information between parties. But we should always take some precautions while using JWT: rather than sending them in HTTP headers, we should send them in HTTP cookies, and we should set a short expiration time to add more security to our application.

