
Json Web Token??

Uploaded by

Flavio Perez
JWT: JSON Web Token
@nishasingla05

What is JWT?

• A JSON Web Token (JWT), pronounced 'jot', is an open standard (RFC 7519) used for securely transmitting information between entities as a JSON object.
• It is a quick and safe means of transferring information over the network.
• A JSON Web Token is digitally signed using a secret or a public/private key combination.
• JWT is particularly useful for API authentication and server-to-server authorization.

Structure of JWT

• A JWT is divided into 3 parts, separated by dots (.).
• The entire JWT is encoded as a single string.

The 3 parts of a JWT are:

• Header
• Payload
• Signature

A JWT will look something like this: taaa.taaa.tadaaa

1. Header: The header is the first part of a JWT. It consists of the algorithm used to sign the JWT and the type of the token, which is JWT by default.
2. Payload: The payload is the middle part of a JSON Web Token. It consists of the user data that is passed between client and server.
3. Signature: The signature is the third part of the JWT. It is created by the server and is used to validate the requests made by the user. To create the signature, the base64-encoded header and payload are taken, along with a secret key, and signed with the algorithm specified in the header.

Example

An actual JWT will look something like this:

    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Decoded JWT

HEADER: ALGORITHM & TOKEN TYPE

    {
      "alg": "HS256",
      "typ": "JWT"
    }

PAYLOAD: DATA

    {
      "sub": "1234567890",
      "name": "John Doe",
      "iat": 1516239022
    }

VERIFY SIGNATURE

    HMACSHA256(
      base64UrlEncode(header) + "." +
      base64UrlEncode(payload),

jwt.io (debugger)

jwt.io is a debugger that can help you decode and verify a JWT: https://jwt.io/

[Screenshot: jwt.io debugger with Encoded and Decoded panes, showing "Signature Verified"]

When to use JWT?

JSON Web Tokens are extremely useful in the scenarios below:

• Authentication:
    o When a user successfully logs in using their credentials, an ID token is returned.
    o According to the OpenID Connect (OIDC) specs, an ID token is always a JWT.
• Authorization:
    o Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token.
• Information Exchange:
    o JWTs are a good way of securely transmitting information between parties because they can be signed, which means you can be sure that the senders are who they say they are.

Advantages

• Compactness: JSON is less verbose than XML, and because of this, when it is compressed, JWT is more space-efficient than SAML.
• No need for cookies: The token can be stored in localStorage, IndexedDB, or some native store. This will provide protection against CORS and CSRF attacks.
• Built-in expiration: The JWT has claims that can be used to assign it an expiration date/time. Therefore, the token can become invalid on its own after the expiration period.
