Introduction to JWT authentication

What is JSON Web Token (JWT)?

If you Google it, the results will probably be too academic and abstract to follow. So let's explain simply what JWT is:

JWT is an open standard, RFC 7519 (1), based on the JSON format. It is used to transfer authentication data in client-server applications: the token is created by the server and sent to the client. Subsequently, the client uses the JWT to prove its identity.

JWT token structure

To put it simply – JWT is a string in the following format: header.payload.signature

The first two have a JSON structure. The third element is calculated from the first two and depends on the signing algorithm named in the header. If the algorithm is "none", the signature is missing.

Let’s move from the theoretical part to the examples:

An application uses a JWT to verify user authentication as follows:

JWT authentication

Consider the first part of the JWT - Header:

JWT Header

It contains only information describing the token itself. The header describes cryptographic operations applied to a web token.

alg: algorithm used for signing / encryption   // this key is required
typ: token type  // must be JWT
cty: content type 

The payload is the following:

JWT Payload

The second part of the JWT carries user information, for example 'qwerty@gmail.com'. Service keys may also be used; they are optional.

iss: case-sensitive string or URI identifying the token publisher (issuer)
sub: case-sensitive string or URI identifying the object the token describes (subject)
aud: array of case-sensitive strings or URIs naming the intended recipients. If the side receiving the token (the server) is not in this list, it must ignore the token
exp: date of expiration
iat: time of creation
jti: JWT ID

You can find a complete list in this article (2).

The 3rd part, as noted earlier, may be absent if the token is not signed:

JWT signature

Serialization

The serialization process consists of encoding all 3 parts of the JWT (or only the header and payload, if the signature is missing).

Each part is encoded with the base64url algorithm (3).

JWT serialization

In the code it can be represented as follows:

function encode

To decode a token, simply split it at the dots and convert the header and payload from base64url back to strings. An example of code that does this:

function decode
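
As an added example (not code from the original article or from the jsonwebtoken library), here is a minimal sketch of the encode and decode steps described above, using Node's built-in crypto module with constructed sample values for the secret and claims. It goes one step further than decoding by showing the verification a server has to perform before trusting the payload: pin the algorithm, recompute the signature, and check exp.

```javascript
const crypto = require("node:crypto");

// base64url: "+" -> "-", "/" -> "_", no "=" padding.
const b64url = (input) => Buffer.from(input).toString("base64url");
const fromB64url = (s) => Buffer.from(s, "base64url");
const hmac = (data, secret) => crypto.createHmac("sha256", secret).update(data).digest();

// Serialize: base64url(header) "." base64url(payload) "." base64url(signature)
function encode(payload, secret) {
  const header = { alg: "HS256", typ: "JWT" };
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  return `${signingInput}.${b64url(hmac(signingInput, secret))}`;
}

// Decode only: split at the dots and base64url-decode. Needs no key, verifies nothing.
function decode(token) {
  const [h, p, signature = ""] = token.split(".");
  return {
    header: JSON.parse(fromB64url(h).toString("utf8")),
    payload: JSON.parse(fromB64url(p).toString("utf8")),
    signature,
  };
}

// Verify: the server pins the algorithm instead of trusting the header's "alg",
// recomputes the signature, compares in constant time, then checks "exp".
function verify(token, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const { header, payload } = decode(token);
  if (header.alg !== "HS256") throw new Error("unexpected alg"); // includes "none"
  const expected = hmac(`${parts[0]}.${parts[1]}`, secret);
  const given = fromB64url(parts[2]);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error("bad signature");
  }
  if (typeof payload.exp === "number" && payload.exp <= nowSeconds) throw new Error("token expired");
  return payload;
}

// Constructed sample values, for illustration only.
const SECRET = "constructed-demo-secret";
const token = encode({ sub: "qwerty@gmail.com", exp: 2000000000 }, SECRET);
console.log(token);
console.log(verify(token, SECRET, 1700000000));
```

Because decode() works without the secret, the header and payload are readable and editable by anyone holding the token; only verify() ties them to the server's key.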

There are many libraries that work with JWTs. For example, consider one of them, jsonwebtoken (4):

Library

Links:

1. https://tools.ietf.org/html/rfc7519

2. https://openid.net/specs/openid-connect-core-1_0.html#IDToken

3. https://developer.mozilla.org/en-US/docs/Web/API/WindowBase64/Base64_encoding_and_decoding

4. https://www.npmjs.com/package/jsonwebtoken