Having discussed access tokens, we now turn to JWT, which has become increasingly popular for securing APIs.
JWT, or JSON Web Token, is an open standard for exchanging security-related information between a client and a server. Every JWT is made up of encoded JSON objects and carries a set of claims.
The most important point to remember is that JWT is a standard, and not every token is a JWT. A JWT is small enough to be sent in a URL, as a POST parameter or inside an HTTP header, and its small size also makes it quick to transfer. A JWT carries all the information needed about an entity, so repeated database queries can be minimised, and the recipient does not need to call back to a server to validate the token.
Let us look at the structure of a JWT. It consists of three parts, the header, the payload and the signature, separated by dots (.). Each part is Base64 encoded. Compact serialization is the most common format and makes the JWT look like xxxx.yyyy.zzzz.
Decoding the first two parts gives two JSON strings, the header and the payload; the third part is the signature.
The header carries information regarding the type of the token and the signing algorithm.
The claims live in the payload. It is a JSON string and generally has only a few fields, which keeps the JWT small.
The JWT standard itself makes no claim mandatory; however, standards layered on top of JWT may require certain claims.
The function of the signature is to ensure that the token has not been altered. The party creating the JWT signs the header and the payload together. With a shared secret, the secret is known only to the issuing party and the receiving party; in other cases a private key known only to the sender is used. When the token is used, the receiving party checks that the header and payload match the signature.
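As an added example (not code from the original post), the following Python builds an HS256 JWT from scratch using the three-part structure described above and verifies it the way the receiving party should: it recomputes the HMAC over the header and payload, compares it in constant time, pins the expected algorithm instead of trusting the token's own alg field, and rejects expired tokens. The secret and claims used here are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    # Base64url without padding, as used by JWT compact serialization
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Re-add the padding that was stripped when the token was built
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(claims: dict, secret: bytes) -> str:
    # The header names the token type and the signing algorithm (HS256 here)
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [json.dumps(header, separators=(",", ":")),
             json.dumps(claims, separators=(",", ":"))]
    signing_input = ".".join(b64url_encode(p.encode()) for p in parts)
    # The signature covers header and payload, keyed with the shared secret
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, secret: bytes, now=None):
    """Return the claims if the token is authentic and unexpired, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        presented = b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad Base64url or bad JSON
        return None
    # Pin the algorithm the verifier accepts; the token's header must not choose it
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    # Constant-time comparison of the recomputed and presented signatures
    if not hmac.compare_digest(expected, presented):
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims, dict) or ("exp" in claims and now >= claims["exp"]):
        return None
    return claims
```

Any change to the header or payload, a wrong secret, a mismatched algorithm or an elapsed exp claim makes verify_jwt return None.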
Benefits of using JWT
- JWTs are lightweight, which makes them easy for client applications to use.
- JWTs are self-contained, so the server can consume the token directly and use the claims it carries to identify the caller when handling the request.
- JWTs can be signed either symmetrically with a shared secret (HMAC) or asymmetrically with a private key.
- JWTs have a built-in expiration mechanism.
- JWTs can be extended with custom claims.
- JWTs have become a popular choice for many Single Sign-On solutions and leading standards.
Here are some situations in which JWTs are used:
- Authentication: This is the most common use of JWTs. Once the user has logged in, every subsequent request carries the JWT, which gives the user access to the routes, resources and services that the token permits. Single Sign-On is a common example of JWT use today; its small overhead and its usability across different domains make it all the more popular.
- Exchange of information: JWTs add security to the transmission of information between parties. Using a public/private key pair helps greatly to establish the identity of the sender, and because the signature is calculated over the header and the payload, any change to the content can be detected.
The working of JWT is quite simple. One of the main differences between JWT and other web tokens is that a JWT carries a set of claims, which are used to transmit information between parties. What these claims mean varies from case to case: the issuer of the token, its validity period or the permissions granted to the client.
The below image depicts the working of JWT.