RatSec Blog

JWT for Beginners

- Posted in Uncategorized by

JWT for Beginners

1. JWT Overview:

JSON Web Tokens (JWTs) are a compact, URL-safe means of representing claims between two parties. JWTs are often used for authentication, information exchange, and authorization in web development.

2. JWT Structure:

  • Header (Base64Url encoded JSON):

    • Contains metadata about the type of token (JWT) and the signing algorithm used.
    • Example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
  • Payload (Base64Url encoded JSON):

    • Contains claims. Claims are statements about an entity (typically, the user) and additional data.
    • Common claims: iss (issuer), exp (expiration time), sub (subject), aud (audience), etc.
    • Example: eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ
  • Signature:

    • Created by hashing the encoded Header and encoded Payload with a secret key using the specified algorithm.
    • Example: SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
  • JWT Example:

    • Concatenated Header, Payload, and Signature: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0...SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

3. Creating a JWT:

  • Choose a signing algorithm (e.g., HMAC SHA-256) and obtain a secret key.
  • Encode Header and Payload into Base64Url format.
  • Concatenate encoded Header, a dot (.), and encoded Payload.
  • Sign the concatenated string using the secret key to create the Signature.
  • Concatenate the previous string with another dot (.) and the Signature to obtain the final JWT.

4. Verifying a JWT:

  • Split JWT into Header, Payload, and Signature.
  • Base64Url decode the Header and Payload.
  • Verify the Signature using the original Header, Payload, and the secret key.
  • Check claims in the Payload for validation.

5. Use Cases:

  • Authentication:

    • After successful login, a server issues a JWT to be sent with subsequent requests.
  • Information Exchange:

    • Secure transmission of information between parties, often used in API communication.
  • Authorization:

    • Include user roles and permissions in the Payload to control access.

6. Security Considerations:

  • Always use HTTPS to prevent interception of JWTs.
  • Safeguard the secret key; never expose it to clients.
  • Be cautious about storing sensitive information in the Payload.

7. Best Practices:

  • Keep JWTs short-lived; leverage expiration (exp) claims.
  • Consider token revocation mechanisms for added security.