JWT introduction

Time:2020-11-6

This article is translated from the official website of JWT to introduce what JWT is and what it can do.

JWT is a concise and URL safe declarative specification for transmitting security information between two parties. As an open standard (RFC 7519), JWT defines a concise, self-contained method for the safe transmission of information between two parties in the form of JSON objects. Because of the existence of digital signature, the information is trusted. JWT can use HMAC algorithm or RSA public private key pair to sign.

  • Compact: it can be sent through URL, post parameter or HTTP header, because the amount of data is small and the transmission speed is very fast

  • Self contained: the load contains all the information needed by users, avoiding multiple queries to the database

Main application scenarios of JWT

  • identity authentication
    In this scenario, once the user has completed the login, JWT is included in each subsequent request, which can be used to verify the user’s identity and the access rights of routes, services and resources. Because of its low cost, it can be easily transmitted in different domain name systems, so it is widely used in single sign on (SSO).

  • information switching
    JWT is a very secure way to encode data between the two sides of communication. Because its information is signed, it can ensure that the information sent by the sender is not forged.

Structure of JWT

JWT includes the use of.Three separate parts:

  • Header head

  • Payload load

  • Signature

The structure looks like this

xxxxx.yyyyy.zzzzz

Header

The header usually contains two parts: token type and encryption algorithm.

{
  "alg": "HS256",
  "typ": "JWT"
}  

Next, use theBase64UrlThe coding forms the first part of the JWT structure.

Payload

The second part of token is payload, which contains claim. Claim is the state of some entities (usually referred to as users) and additional metadata. There are three types of claims:reserved, publicandprivate.

  • Reserved claims: these claims are pre-defined by JWT, and they are not mandatory in JWT, but are recommendedISS (issuer), Exp (expiration time stamp), Sub (user oriented), Aud (receiver), IAT (issuing time)

  • Public claims: define your own fields as needed, and be careful to avoid conflicts

  • Private claims: These are custom fields that can be used to exchange information between two parties

Examples of load usage:

{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true
}

The above load needs to pass throughBase64UrlThe coding is the second part of JWT structure.

Signature

To create a signature, we need to use the encoded header, payload and a secret key, and use the signature algorithm specified in the header to sign. For example, if you want to use the HMAC sha256 algorithm, the signature should be created in the following way:

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret)  

The signature is used to verify the sender of the message and that the message has not been tampered with.

Complete JWT

The output in JWT format is.Compared with XML based standards such as SAML, JWT is easier to transfer in HTTP and HTML environments.

The following JWT shows a complete JWT format that splices the previous header, payload, and secret key signature:

JWT introduction

How to use JWT?

After logging in to the user, the user can use a cookie stored in the local system, which can only be used to store a cookie in the local system.

When a user wants to access a protected route or resource, it should be in theAuthorizationHead useBearerMode adds JWT, and its content looks like this:

Authorization: Bearer <token>

Because the user’s state is not stored in the server‘s memory, this is aStatelessAuthentication mechanism. The protected route on the server side will check the request headerAuthorizationJWT information in, if legal, allows user behavior. Since JWT is self-contained, it reduces the need to query the database.

These features of JWT make it possible to provide data API services or even create a download stream service depending on its stateless features. Because JWT does not use cookies, you can use any domain name to provide your API services without worrying about cross domain resource sharing (CORS).

The following sequence diagram shows the process:

JWT introduction

Why use JWT?

Compared with XML format, JSON is more concise and smaller after encoding, which makes JWT more concise than SAML and more suitable for transmission in HTML and HTTP environments.

In terms of security, SWT can only use HMAC algorithm and shared symmetric secret key for signature, while JWT and SAML token can use X.509 authenticated public-private key pair for signature. Compared with simple JSON, XML and XML digital signatures introduce complex security vulnerabilities.

Because JSON can be directly mapped to objects, a JSON parser is provided in most programming languages, while XML does not have such a natural document object mapping relationship, which makes it more convenient to use JWT than SAML.


Introduction to JSON web tokens