JSON Web Token: Difference between revisions

From Rice Wiki
No edit summary
No edit summary
 
(One intermediate revision by the same user not shown)
Line 1: Line 1:
'''JSON Web Token''' (JWT) allows client to indicate its identity for further exchanges after authentication.
'''JSON Web Token''' (JWT) is a string composed by the server and stored on the browser that allows client to indicate its identity for further exchanges after authentication (authorization).


* It is compact and self-contained
JWT base64 string consisting of a header for metadata, a payload for session information, and a signature to ensure that the JWT is not tampered by anyone. The specifics would be covered in the ''Structure'' section.
* It can be signed with a secret (HMAC) or a public/private key pair (RSA)


It looks something like this<pre>
Notably, JWT is compact and self-contained in contrast to traditional session management. It is a way to operate a stateless server. That is, no session information would be stored on the server, as everything is encoded in the JWT. More advatanges will be in the ''Advantages'' section.
 
JWT's main use is for user authorization. More on that in the ''Authorization'' section.
 
= Structure =
A JWT look something like this<pre>
[Base64(HEADER)].[Base64(PAYLOAD)].[Base64(SIGNATURE)]
[Base64(HEADER)].[Base64(PAYLOAD)].[Base64(SIGNATURE)]
</pre><pre>
</pre><pre>
Line 10: Line 14:
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.
TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
</pre>It is a way to operate a stateless server.
</pre>The '''header''' contains the type of the token (JWT) and the algorithm used to ''sign'' it. It is encoded in ''Base64Url.'' The next two sections is a bit more complicated.
 
== Payload ==
The '''payload''' contains the session information that the server needs, encoded in ''Base64Url'' similar to the header.
 
The payload is composed of '''claims''': statements about an entity and additional data. There are three types of claims.
 
* '''Registered claims''' are sets of predefined, generally useful, but optional claims. This include '''iss''' (issuer), '''exp''' (expiration time), '''sub''' (subject), '''aud''' (audience), and others.
* '''Public claims''' are stuff defined by us. While not required, the claims should be defined in the [https://www.iana.org/assignments/jwt/jwt.xhtml IANA JWT registry] to avoid collisions.
* '''Private claims''' are custom claims to share information between people who uses the token.
 
Public claims are required to be ''universally collision resistance'', whereas private claims do not.
 
== Signature ==
The '''signature''' of the JWT is used to verify that the JWT is not tampered with.
 
The signature is produced by putting the header and the payload through a signing algorithm with a secret key.
 
To check the signature, the process would be repeated once the server receives the JWT. If the signature matches the one on the JWT, then the JWT has not been tampered with. This works because without the secret key, there is no way a malicious user can find the value output by the signing algorithm.
 
== All together ==
Lastly, the header, the payload, and the signature are concatenated together with periods to form a single Base64 string.
 
= Advantages =
JWT has several advantages over other authorization methods.
 
* '''Compact:''' A JWT is very small after being encoded
* '''Secure:''' JWT's can use public/private key pairs. I'm not too familiar with this part.
* '''Usage:''' A JWT easily maps to an object, making it easy to use in most programming languages.
* '''Stateless''': The state of the user (i.e. session information) is stored within the JWT, not the server. This allows for shared session information between servers.
 
= Authorization =
There is no hard rule on how to use JWT tokens for authorization. This is only one of the options.
 
After authentication (the user logs in), a JWT is returned by the server. When the user wants to access a protected route, they would attach this token in the ''Authorization'' header:<pre>
Authorization: Bearer <token>
</pre>


= Sources =
= Sources =
Line 16: Line 56:
* https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
* https://cheatsheetseries.owasp.org/cheatsheets/JSON_Web_Token_for_Java_Cheat_Sheet.html
* https://jwt.io/
* https://jwt.io/
[[Category:Cybersecurity]]

Latest revision as of 21:33, 27 April 2024

JSON Web Token (JWT) is a string composed by the server and stored on the browser that allows client to indicate its identity for further exchanges after authentication (authorization).

JWT base64 string consisting of a header for metadata, a payload for session information, and a signature to ensure that the JWT is not tampered by anyone. The specifics would be covered in the Structure section.

Notably, JWT is compact and self-contained in contrast to traditional session management. It is a way to operate a stateless server. That is, no session information would be stored on the server, as everything is encoded in the JWT. More advatanges will be in the Advantages section.

JWT's main use is for user authorization. More on that in the Authorization section.

Structure

A JWT look something like this

[Base64(HEADER)].[Base64(PAYLOAD)].[Base64(SIGNATURE)]

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9. eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9. TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

The header contains the type of the token (JWT) and the algorithm used to sign it. It is encoded in Base64Url. The next two sections is a bit more complicated.

Payload

The payload contains the session information that the server needs, encoded in Base64Url similar to the header.

The payload is composed of claims: statements about an entity and additional data. There are three types of claims.

  • Registered claims are sets of predefined, generally useful, but optional claims. This include iss (issuer), exp (expiration time), sub (subject), aud (audience), and others.
  • Public claims are stuff defined by us. While not required, the claims should be defined in the IANA JWT registry to avoid collisions.
  • Private claims are custom claims to share information between people who uses the token.

Public claims are required to be universally collision resistance, whereas private claims do not.

Signature

The signature of the JWT is used to verify that the JWT is not tampered with.

The signature is produced by putting the header and the payload through a signing algorithm with a secret key.

To check the signature, the process would be repeated once the server receives the JWT. If the signature matches the one on the JWT, then the JWT has not been tampered with. This works because without the secret key, there is no way a malicious user can find the value output by the signing algorithm.

All together

Lastly, the header, the payload, and the signature are concatenated together with periods to form a single Base64 string.

Advantages

JWT has several advantages over other authorization methods.

  • Compact: A JWT is very small after being encoded
  • Secure: JWT's can use public/private key pairs. I'm not too familiar with this part.
  • Usage: A JWT easily maps to an object, making it easy to use in most programming languages.
  • Stateless: The state of the user (i.e. session information) is stored within the JWT, not the server. This allows for shared session information between servers.

Authorization

There is no hard rule on how to use JWT tokens for authorization. This is only one of the options.

After authentication (the user logs in), a JWT is returned by the server. When the user wants to access a protected route, they would attach this token in the Authorization header:

Authorization: Bearer <token>

Sources