Application Security

JWT – Everything you need to know!

BySecumantra Updated:

Welcome to Secumantra! In this post, we are going to understand what exactly is JWT and why JWTs are so popular in web applications these days. So let’s get started –

Introduction and Purpose

JWT stands for JSON Web Token and mainly used in OAuth workflows. These tokens are kind of protected data structures and carries information primarily about token issuer, client claims, expiration time etc.

The most common scenario for JWTs is authentication. Typically client (application) requests a token, issuer (server) issues a token and resource (API) consumes a token. Resource (API) has already established a trust relationship with an issuer. For example – when we try to use some third party app using our Google ID, we are provided a consent form for confirmation and we say ‘Yes’ as we trust Google. It is a type of OAuth 2.0 workflow.

If some terminologies are new to you, don’t worry now. We will discuss these in a separate post.

So JWT has all the information needs to be shared and it is cryptographically signed as well. It is the additional feature which makes it tamper proof. Signing also makes it authentic so that recipient trusts the issuer. It is exactly the same way we used to sign a document and as our signature is unique, the other party trusts the authenticity.

Here is a real life example of a JWT, it is a long string which look like –

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnb29nbGUuY29tIiwiZXhwIjoxNzAzMzAwNTIwMjAsImF1ZCI6Imh0dHA6Ly9zb21lUmVzb3VyY2UiLCJzdWIiOiJTZWN1bWFudHJhIiwiY2xpZW50IjoiYWJjIn0.8YLTpZNvrZsyKq9BHxzcqXKKm1gJWZaWo3uVIFlx2kM

Structure of JWT and How JWT Works

JWT is divided into three parts, mainly two parts as third part is the signature. The core of any JWT is claims. Claims are the JSON data inside the JWT. It’s the data you care about and want to pass along securely to someone else.

  • Header
    • Metadata
    • Algorithms and keys used
  • Claims
    • Issuer
    • Audience
    • Expiration
    • Subject
    • Other custom claims
  • Signature

Let’s try to understand this by an example with JSON format. As JSON is native format for Javascript which is a plus point for JWT and one of the reason of its wide acceptance.

JWT Structure

The header contains the metadata for the token and typically mentions the type and the encryption algorithm. In this example, JWT header declares that the encoded object is a JSON Web Token and it is signed using the HMAC SHA-256 algorithm.

If we do base64 encoding of header part, we have the first part of JWT (string with red color).

In the context of JWT, the claim contains the information we want to transmit, and that the server can use to properly handle JSON Web Token authentication. There are multiple claims we can provide; these include registered claim names, public claim names and private claim names.

Registered claims are not intended to be mandatory but rather to provide a starting point for a set of useful, interoperable claims. Examples are –

  • iss: The issuer of the token
  • sub: The subject of the token
  • aud: The audience of the token
  • exp: JWT expiration time defined in Unix time

If we look at our JWT claims and we do base64 encoding, we have the second part of our JWT (string with green color).

Now the last part – signature! It is generated by combining the encoded header and the encoded payload, and signing it using a strong encryption algorithm, such as HMAC SHA-256. The signature’s secret key is kept with the server so it can verify existing tokens and sign new ones.

encodedSignature = HMACSHA256( base64UrlEncode(header) + “.” + base64UrlEncode(payload), PRIVATE_KEY)

This gives us the final part of our JWT (marked as blue string). Now we have the JWT which can be sent over the wire and can be used by web applications for subsequent calls.

One of the intent is to keep these JWT size is really small so that we can use them mobile workflows as well. It is also equally important in today’s microservices world. Producing and consuming JWT is beyond the scope of this article, but all major platforms have proven libraries to implement JWT in your application.

Summary

JWT is a type of security token (Json Web Token) mainly used in authorization workflows as mentioned by OAuth2.0. JWTs are key aspects to all of the protocols in web application security space today. In this post, we mainly tried to understand the structure and working of JWT.

Although JWT signature provides authentication and keeps JWTs safe from tampering, we need to understand that core data (claims) is just base64 encoded (not encrypted) and can be easily decoded using any free tool. So it is advised to avoid sensitive information being part of payload.

Thank you for reading and will see you in our next discussion. Stay Safe, Stay Secure!

Similar Posts

Application Security | Data Security

Hashing, Encryption, Encoding, and Obfuscation: Understanding the Differences

BySecumantra

In the realm of cybersecurity and data protection, four terms often surface: hashing, encryption, encoding, and obfuscation. While they may seem interchangeable at first glance, each serves a distinct purpose and offers unique advantages and limitations. There is often significant confusion around the differences between encryption, encoding, hashing, and obfuscation. Understanding the differences between these…

Application Security

How to Create a Self-Signed SSL Certificate

BySecumantra

Welcome to Secumantra! In this post we will learn how to generate a self-signed SSL certificate for your website or web service. What is a Self-Signed SSL Certificate? A self-signed certificate is an SSL certificate that has not been validated by a Certificate Authority (CA). It is created by the developer of the application locally and…

Application Security

Securing a web API with Basic Authentication

BySecumantra

In today’s interconnected digital world, securing web APIs is most important. Whether you’re building a small-scale application or a large enterprise system, protecting your API endpoints is crucial for safeguarding sensitive data and maintaining the integrity of your services. One of the simplest yet effective methods for securing a web API is through Basic Authentication….

Application Security | Data Security | OWASP | Vulnerability

OWASP Top 10: Security Misconfiguration

BySecumantra

Welcome to Secumantra! In this post, we’re going to talk about the number six vulnerability from OWASP Top Ten – Security Misconfiguration. We have already covered top five vulnerabilities in our previous posts – injection, broken authentication , sensitive data exposure, XML external entities and broken access control. OWASP (Open Web Application Security Project) is a nonprofit…

Application Security

CSRF Attack and CSRF Tokens

BySecumantra

Welcome to Secumantra! In this post we will understand Cross-Site Request Forgery attack, commonly known as CSRF or XSRF attack. It is one of the common attacks observed for web applications and has been there in OWASP Top Ten for many years. Introduction and OWASP Overview In a CSRF attack an end user’s browser is…