Introduction to JWT authentication
What is JSON Web Token (JWT)?
If you Google it, probably the results will be too scientific and abstract to understand. So, let’s explain simply what JWT is:
JWT is an open standard (1. RFC 7519) based on JSON format. It is used to transfer authentication’s data in client-server applications created by the server, sent to the client. Subsequently, the client uses the JWT token to verify identity.
JWT token structure
To put it simply – JWT is a string in the following format: header.payload.signature
The first 2 have a JSON-like structure. The third element is calculated based on the first and depends on encryption. If encryption is “none” - the signature is missing.
Let’s move from the theoretical part to the examples:
An application uses JWT web token to verify user authentication as follows:
Consider the first part of the JWT - Header:
It contains only information describing the token itself. The header describes cryptographic operations applied to a web token.
alg: algorithm used for signing / encryption // this key is required
typ: token type // must be JWT
cty: content type
Payload is the following:
The second part of the JWT token indicates user information. For example 'email@example.com'. Service keys may also be used, which are optional.
iss: string or URI, token publisher. cases-sensitive.
sub: string or URI, which also cases-sensitive. described object
aud: array of cases-sensitive strings or URI. If the receiving token side (server) is on in this list, it will ignore the token
exp: date of expiration
iat: time of creation
jti: JWT ID
In this article (2) you can find a complete list of information.
The 3rd part, as noted earlier, may be absent if the token is not signed:
The serialization process consists of coding all 3 parts of the JWT token (or only Header and Payload, if signature is missing).
Coded by an algorithm base64url(3)
In the code it can be represented as follows:
To decode a token, simply split it into points and convert the header and payload from the base64url code back to the string. An example of the code that does it:
There are many libraries that work with JWT web tokens. For example, consider one of them - jsonwebtoken(4) :