OAuth

What is JWT (JSON Web Token)

What is JSON Web Token

  • JSON Web Token (JWT), pronounced “jot”, is so named because the information it carries is transmitted as JSON
  • JWT is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
  • Advantages
    • Works across different programming languages
    • Self-contained
    • Can be passed around easily

When should I use JWT?

Authorization: This is the most common scenario for using JWT. Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token.

How does JWT work?

In authentication, when the user successfully logs in using their credentials, a JWT will be returned. Since tokens are credentials, great care must be taken to prevent security issues. Do note that with signed tokens, all the information contained within the token is exposed to users or other parties, even though they are unable to change it. This means you should not put secret information within the token.

Whenever the user wants to access a protected route or resource, the user agent should send the JWT, typically in the Authorization header using the Bearer schema. The content of the header should look like the following:

Authorization: Bearer <token>

If the token is sent in the Authorization header, Cross-Origin Resource Sharing (CORS) won’t be an issue as it doesn’t use cookies.

The following diagram shows how a JWT is obtained and used to access APIs or resources:

  1. The application or client requests authorization to the authorization server
  2. When the authorization is granted, the authorization server returns an access token to the application
  3. The application uses the access token to access a protected resource (like an API).

You can also send the token in an HTTP header, in a POST body, or in a URL.

What does a JWT look like?

  • Three strings separated by a dot: aaaaaaaaaa.bbbbbbbbbbb.cccccccccccc (base64 encoded)
  • Header.Payload.Signature

Header: the type, which is JWT, and the hashing algorithm to use (HMAC, RSA, etc.)

{
"typ": "JWT",
"alg": "HS256"
}

Payload (also called the JWT Claims)

  • Registered (reserved) Claims. These include:
    • iss: issuer
    • sub: subject
    • aud: audience
    • exp: expiration time, as a NumericDate value
    • nbf: the time before which the JWT MUST NOT be accepted
    • iat: the time the JWT was issued
    • jti: unique identifier for the JWT
  • Public Claims: claims we define ourselves, such as username and other important information.
  • Private Claims

The example payload has two registered claims (iss and exp) and two public claims (name, admin).

{
"iss": "scotch.io",
"exp": 1300819380,
"name": "Chris Sevilleja",
"admin": true
}

Signature: a keyed hash (for HS256, an HMAC) over the encoded header and payload, computed with the secret

If you want to play with JWT and put these concepts into practice, you can use jwt.io Debugger to decode, verify, and generate JWTs.
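The header.payload.signature layout, the Bearer header described above, and the “decode on jwt.io” step later on the page can all be exercised with a few lines of standard-library Python. The block below is an added example, not code from the original notes or from jwt.io: it signs the page's example payload with HS256, verifies the signature with a constant-time compare, enforces exp and nbf, decodes a token without verification (what the jwt.io debugger shows), and extracts a token from an Authorization header. The secret and the header values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo secret; a real deployment uses a high-entropy value that never appears in the token.
SECRET = b"demo-secret-not-for-production"

# The page's example payload. exp 1300819380 is in March 2011, so this token is long expired.
EXAMPLE_PAYLOAD = {"iss": "scotch.io", "exp": 1300819380, "name": "Chris Sevilleja", "admin": True}


def b64url_encode(data: bytes) -> str:
    # JWT uses the URL-safe alphabet with the '=' padding removed
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that was stripped at encoding time
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256 over the two encoded parts."""
    header = {"typ": "JWT", "alg": "HS256"}
    # separators=(",", ":") produces the compact JSON serialization seen in real tokens
    enc_header = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    enc_payload = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{enc_header}.{enc_payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{enc_header}.{enc_payload}.{b64url_encode(signature)}"


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Header and payload are only base64url-encoded, not encrypted: anyone holding the token can read them."""
    enc_header, enc_payload, _ = token.split(".")
    return json.loads(b64url_decode(enc_header)), json.loads(b64url_decode(enc_payload))


def verify_hs256(token: str, secret: bytes, now: Optional[int] = None, leeway: int = 0) -> dict:
    """Return the payload when the signature and time claims check out; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    enc_header, enc_payload, enc_signature = parts
    header = json.loads(b64url_decode(enc_header))
    # The verifier pins the algorithm it expects instead of trusting the token's alg field
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{enc_header}.{enc_payload}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # compare_digest avoids leaking where the two MACs first differ
    if not hmac.compare_digest(expected, b64url_decode(enc_signature)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(enc_payload))
    now = int(time.time()) if now is None else now
    if "exp" in payload and now > payload["exp"] + leeway:
        raise ValueError("token expired")
    if "nbf" in payload and now < payload["nbf"] - leeway:
        raise ValueError("token not yet valid")
    return payload


def bearer_token(authorization_header: str) -> str:
    """Pull <token> out of 'Bearer <token>' (the value of the Authorization header); reject other schemes."""
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise ValueError("expected Bearer scheme")
    return token.strip()


if __name__ == "__main__":
    token = sign_hs256(EXAMPLE_PAYLOAD, SECRET)
    print(token)
    print(decode_unverified(token))
    # Valid just before exp, rejected once exp has passed
    print(verify_hs256(token, SECRET, now=1300819000))
    try:
        verify_hs256(token, SECRET)
    except ValueError as err:
        print("rejected:", err)
```

The header part of the output is the familiar `eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9`, which is why the first segment of most HS256 tokens looks the same: it is just the encoded `{"typ":"JWT","alg":"HS256"}`. Note that `decode_unverified` needs no secret at all, which is the practical reason the page warns against putting secret information in the payload.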

JWT in Action

Here we use MS Azure Portal as an example to show how to get a JWT* and use it in a REST API call

  1. Head to https://portal.azure.com and log in with your credentials
  2. Once logged in, open the developer tool of your browser, switch to the Network tab, and reload the page
  3. Check the request headers of any POST request, and you will see a header with Authorization: Bearer <token>. Save the token for later use.
  4. Use Postman to send the following GET request to Azure:

https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups?api-version=2021-04-01 (replace {subscriptionId} with the Id of your subscription)

This API is supposed to return all resource groups under the subscription, but you will see an “AuthenticationFailed” response because we have not attached the header yet.

  5. Switch to the Authorization tab, select the “Bearer Token” type, and paste the stored token on the right. Send the request again and you will see a response with the correct data.

You can also decode the stored token on jwt.io.

*The way we demonstrate here is for demo only. Typically, to get a token for the Azure REST API call, we create a Service Principal, assign roles and permissions to the SP, and use the app id and client secret of the SP to get the token.
