JSON Web Tokens (JWT)

What are JSON Web Tokens (JWT)?

JSON Web Tokens (JWT) are an open standard (RFC 7519) that defines a compact and self-contained way of securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA. JWTs can be signed to ensure the integrity of the claims contained within them while additional encryption ensures the privacy of the data.

JWTs are most commonly used for authorization. When a user logs in, a JWT is created and sent back to the client. This token can be used to access resources and APIs—once the token is verified, the user can perform actions defined by their roles and permissions. JWTs can also be used for information exchange because they can be signed, which means the receiving party can verify the sender's identity and ensure that the data has not been tampered with.

Structure of JWT

A JSON Web Token consists of three parts separated by dots (.), and serialized using base64. These parts are:

1. Header
2. Payload
3. Signature

Header

The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.

Payload

The payload contains the claims. Claims are statements about an entity (typically, the user) and additional metadata. There are three types of claims:

• Registered claims: These are a set of predefined claims which are not mandatory but recommended, to provide a set of useful, interoperable claims. Some examples are iss (issuer), exp (expiration time), sub (subject), aud (audience), and others.
• Public claims: These can be defined at will by those using JWTs. They should be defined in the IANA JSON Web Token Registry or be collision resistant.
• Private claims: These are the custom claims created to share information between parties that agree on using them.

Signature

To create the signature part, you need to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that.

The signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed in the way.

How JWT Works

When the user successfully logs in using their credentials, a JSON Web Token will be returned. Since tokens are credentials, great care must be taken to prevent security issues. In general, you should not keep tokens longer than required.

The JWT is usually sent as a Bearer token in the Authorization header of an HTTP request. Here’s an example of how a JWT might be used in an HTTP header:

Authorization: Bearer <token>

The server's protected routes will check for a valid JWT in the Authorization header, and if it's present, the user will be allowed to access protected resources.

Benefits of Using JWT

1. Compact: Can be sent via URL, POST parameter, or inside an HTTP header. Since the payload is in a JSON format, it is less verbose than XML.
2. Self-contained: The payload contains all the information needed about the user, avoiding the need to query the database multiple times.
3. Performance: Reduces bandwidth and speeds up the server response times as it carries all the information within the token.
4. Interoperability: JWTs can be used across different systems regardless of the platform or technology stack.

Implementation Considerations

Security

• Keep it secret, keep it safe: This means that you should always use HTTPS to ensure your tokens are transmitted securely.
• Set shorter expiration times: JWTs are not immune to being compromised. Regenerating tokens more frequently minimizes the risk associated with compromised tokens.
• Store tokens securely: Tokens should be stored in a secure place, such as HTTP-only cookies to prevent XSS attacks.

When to Use JWT

1. Authorization: This is the most common scenario for using JWT. Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token.
2. Information Exchange: JWTs are a good way to securely transmit information between parties. Because JWTs can be signed, for example using public/private key pairs, you can be sure that the senders are who they say they are.

JWT in Different Contexts

• Single Page Applications (SPA): JWT is useful in SPAs where authentication and authorization can be smoothly managed on the client side.
• Microservices: JWTs are ideal for securing communications between different microservices by including necessary information within the JWT for authorization purposes.
• IoT: JWTs provide a lightweight mechanism for managing authentication in IoT devices with limited processing power.

Best Practices and Common Pitfalls

• Do not store sensitive session data in JWT payload: JWT is often stored on the client side (e.g., local storage, session storage), which can be accessible by JavaScript. Sensitive information should not be stored there.
• Avoid over-scoping JWTs: Keep JWT claims specific to their purpose and avoid adding unnecessary information.
• Regularly rotate and invalidate: Secret keys used for signing tokens should be rotated regularly to keep the security mechanisms effective.

By following these best practices and understanding how JWTs operate, developers can leverage this powerful technology to enhance the security and efficiency of their applications.

Related Terms

• OAuth: An open standard for token-based authentication and authorization.
• Single Sign-On (SSO): A session and user authentication service that permits a user to use one set of login credentials (e.g., name and password) to access multiple applications.

For further reading on JWT and security, you can refer to the following authoritative sources:

1. JWT.io: Official website on JSON Web Tokens.
2. Auth0 JWT Handbook: Comprehensive guide on implementing and managing JWTs by Auth0.