JSON Web Tokens (JWTs) are a compact, URL-safe means of representing claims to be transferred between two parties. These claims are often used to ensure the integrity and authenticity of information.
This article explores how JWTs work. We will look at the structure of a JWT, which consists of three encoded and digitally signed parts. We will then discuss common use cases for JWTs and review some of the benefits of using them,
The Structure of a JWT(With Example)
A JSON Web Token (JWT) consists of three parts separated by dots: Header, Payload, and Signature. The overall structure is:
xxxxxxxxxx.yyyyyyyyyy.zzzzzzzzzz
Header:
- The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.
- Example Header (base64 encoded):
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
Payload:
- The payload contains claims. Claims are statements about an entity (typically, the user) and additional data.
- There are three types of claims: registered, public, and private claims.
- Example Payload (base64 encoded):
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ
Signature:
- To create the signature part, you need to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that.
- The signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way.
- Example Signature:
HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
Putting it all together:
Header: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
Payload: eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ
Signature: HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
Encoded JWT:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwia
The Benefits of using JWT:
JWTs contain JSON objects that are encoded and signed, ensuring integrity and authenticity without relying on stateful sessions on the server.
Some of the key benefits that make JWTs useful are:
- Compact size from URL-safe JSON encoding for space efficiency
- Self-contained with all necessary user information to avoid excessive database queries
- Digital signatures for tamper-proof security and authenticity verification
- Stateless nature to improve scalability by removing server-side sessions
- Universal interoperability with JSON parsers available in most languages
- Extensible via custom data fields without breaking existing frameworks
JWT vs OAuth: the Difference between JWT and OAuth
JWT (JSON Web Token) and OAuth are related but serve different purposes in the context of authentication and authorization in web development. Here's a brief comparison of JWT and OAuth:
JWT (JSON Web Token):
- Purpose: JWT is a compact, self-contained way to transmit information between parties securely. It is commonly used for authentication and information exchange.
- Content: JWT contains claims about an entity (typically, a user) and is often used for user authentication. Claims can include user ID, roles, permissions, and other relevant information. JWTs are often used to create stateless authentication systems.
- Usage: JWTs are usually sent as part of the request headers in HTTP requests. They are used to represent the identity and privileges of the user.
OAuth (Open Authorization):
- Purpose: OAuth is a framework for authorization, allowing a third-party application to access a user's resources on another server without exposing the user's credentials. OAuth is not designed for authentication but for delegation of authority.
- Roles: OAuth defines roles such as Resource Owner, Client, Authorization Server, and Resource Server. It enables scenarios where a user can grant access to their resources (e.g., photos, contacts) to another application without sharing their credentials.
- Grant Types: OAuth introduces grant types (authorization code, implicit, client credentials, password, etc.) to specify how the authorization process should be carried out.
- Tokens: OAuth involves the use of access tokens and refresh tokens. Access tokens are used to access protected resources, and refresh tokens can be used to obtain a new access token.
Key Differences:
- Purpose: JWT is primarily used for authentication and information exchange, whereas OAuth is a framework for authorization.
- Content: JWT contains claims about a user, while OAuth focuses on defining roles and permissions and managing access to resources.
- Roles: JWT is often used to represent the identity of the user, while OAuth involves roles like Resource Owner, Client, Authorization Server, and Resource Server.
- Tokens: JWT is a type of token used for authentication, whereas OAuth introduces access tokens and refresh tokens for managing authorization.
How Does JWT Work?
JSON Web Tokens (JWTs) play a key role in authentication by providing a secure and efficient way to verify the identity of users. The process typically involves the following steps:
- User Authentication: Users sign in using their username and password or through external providers like Google or Facebook. The authentication server validates the credentials and issues a JSON Web Token (JWT) certifying the user's identity.
- JWT Generation: The identity provider (IdP) generates a JWT, signing it with either a secret salt or a private key. This JWT encapsulates essential user information, such as user ID, roles, and expiration time.
- JWT Usage: The user's client securely stores the JWT obtained during authentication. When accessing protected resources, the client includes the JWT in the HTTP Authorization header.
- Token Verification: The resource server decodes and verifies the authenticity of the JWT using the provided secret salt or public key. This process ensures the integrity and origin of the token.
JWT in Apidog
Apidog is a user-friendly API development and testing tool that excels in managing JSON Web Tokens (JWT). With its intuitive interface, Apidog simplifies the process of handling JWTs, providing automatic support for token generation, dynamic management, and seamless inclusion in API requests.
This tool streamlines the JWT-related aspects of API development, allowing developers to focus on efficient testing and integration within their workflows.