Posted Updated  Sahil Ahuja guide2 minutes read (About 360 words)

JWT: JSON Web Token - Passing on the secret without letting the neighours know

Login is still a tough problem! It’s been 5 years since I left coding professionally and still parts of this remain unresolved.

Hello JWT

During my search for a good encrytion system to store user secrets, I came across something very cool - JWT - reminds me of the RSA public/private key encription system - only modified to be much more user friendly for web/mobile development.

JWT creates a token that can be decrypted only by person having a secret key using which it was encrypted. As long the website stores JWT in it’s cookie, the server can decrypt the cookie every time and trust the decrypted content.

This allows us to store sensitive information like user id and user permissions in the cookie. This is a stateless authentication mechanism as the user state is never saved in server memory. The server’s protected routes will check for a valid JWT in the Authorization header, and if it’s present, the user will be allowed to access protected resources. As JWTs are self-contained, all the necessary information is there, reducing the need to query the database multiple times.

Structure of a JWT token

JSON Web Tokens consist of three parts separated by dots (.), which are: Header, Payload, Signature

Header: The header typically consists of two parts: the type of the token, which is JWT, and the hashing algorithm being used, such as HMAC SHA256 or RSA.

Payload: Contains the claims. There are three types of claims: reserved, public, and private

  1. Reserved claims: Set of predefined claims which are not mandatory but recommended, to provide a set of useful, interoperable claims. Some of them are: iss (issuer), exp (expiration time), sub (subject), aud (audience), and others.
  2. Public claims: These can be defined at will by those using JWTs.
  3. Private claims: These are the custom claims created to share information between parties that agree on using them.

Example payload:

1
2
3
4
5
{
 "sub": "1234567890",
 "name": "John Doe",
 "admin": true
}

Signature: Take the encoded header, encoded payload, a secret, the algorith specified in header and sign that
HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

For more details: https://jwt.io/

JWT: JSON Web Token - Passing on the secret without letting the neighours know

https://doku.dev/post/2016/JWT-JSON-Web-Token-Passing-on-the-secret-without-letting-the-neighours-know/

Author

Sahil Ahuja

Posted on

2016-11-23

Updated on

2020-12-21

Licensed under

#

Comments

Follow

Categories

Links

Recents

Archives

Tags

3D1
algorithms1
analytics2
android1
ansible1
arduino1
authentication1
aws1
backup1
bangalore2
bash1
camera4
chat1
chennai1
dalal1
database1
delta3
devops1
digikam3
docker1
docker-compose1
dovecot1
errors1
es62
express1
faridabad2
fds1
fedora9
fun1
git2
gnokii2
goa1
god1
google2
gparted1
gpl2
gradle1
grub1
hexo2
home1
html1
httpd4
hugo2
java2
js2
jwt1
kubernetes1
lan1
ldap5
life2
linux1
linuxmint1
live1
mail1
men1
mobile1
mobx1
nfs1
nitt2
node1
nokia2
octa2
offline1
open source1
opensource1
p2p1
pcbo1
photography1
png1
postfix2
pragyan1
quotes1
rants5
react3
reset1
root2
s31
selinux1
sex1
share1
shortcuts1
spock2
ssl1
stereoscopy1
svn2
tech-team, server-rack, cloud1
test1
testing2
todo1
tools1
trac1
tracking1
trichy1
tshirt1
tutorial1
ubuntu2
unicode1
update1
usb1
web3
webstorm1
women1
worth1
yaml1
yum1

Subscribe for updates

×