JWT Authentication for web

  • what JWT is
  • what it can do
  • what the structure of a JWT is

What is JWT

JWT stands for JSON Web Token.

JWT is an open standard (RFC 7519).

It is used to securely transfer information between any two parties: two servers, an API, or a user.

Digitally signed: the information can be verified and trusted.


Compact

  • A JWT can be sent via a URL, a POST request or an HTTP header
  • Fast transmission

Self-Contained

  • Contains information about the user
  • Avoids querying the database more than once

JWT is Useful

It is used for exchanging data between two parties, so it is a very useful and worthwhile solution for securing a REST API on the web.

What is the JSON Web Token structure

  • Header
  • Payload
  • Signature

aaaaaaaaaaaaaaaa.bbbbbbbbbbbbb.ccccccccccccccc

Header

The header looks like this and includes two fields: alg and typ.

{
  "alg": "HS256",
  "typ": "JWT"
}
  • alg is the signing algorithm, such as HMAC SHA256 (written HS256 in the header) or RSA. It tells the verifier which algorithm the signature was produced with.
  • typ is the type of the token. This JSON is Base64url encoded to form the first part.

Payload

It contains the claims. Claims are user details or additional user-related metadata. The payload is also Base64url encoded to form the second part.

{
  "sub": "748553",
  "name": "John Kenen",
  "admin": true
}

Signature

This is the most important part of the token. It is computed over the Base64url header and the Base64url payload together with the secret. If someone changes the payload without knowing the secret, the signature will no longer match the modified payload, and the token is rejected. This mechanism is what makes the token trustworthy.

HMACSHA256(
base64UrlEncode(header) + '.' +
base64UrlEncode(payload),
secret
)

In the token these three parts are joined with a dot (.). You can try the example at http://jwt.io


How does a JSON Web Token work?

Imagine you have a server and a browser as the client. From the browser you send a POST request to the server to log in with credentials, say a username and password. The server receives the data and verifies it (authentication). The server then generates the JWT using its secret, and if everything is good, passes that token back to the browser in the response. The browser now holds the token.

If the process so far succeeded, the browser sends the JWT on the Authorization header with each request. The server checks the token and verifies the signature first, and only then sends the requested data back to the user; if the token does not verify, it will not return that user's data to the client.
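As an added example (not code from the original post), the server side of this flow in Python using only the standard library: sign the claims with the secret, verify a token taken from the Authorization header, and reject one whose payload was altered. The secret, the claims and the helper names are constructed for this example; the verifier pins the algorithm to HS256 and uses a constant-time comparison for the signature.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for the example; a real server keeps this out of source control.
SECRET = b"example-shared-secret"


def b64url_encode(data: bytes) -> str:
    # JWT uses base64url without '=' padding (RFC 7515 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Re-add the padding that was stripped on encode.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Build header.payload.signature with HMAC-SHA256, as on jwt.io."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_jwt(token: str, secret: bytes):
    """Return the claims if the signature checks out, otherwise None."""
    try:
        head_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm server-side; never let the token choose it.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{head_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so timing does not reveal how many bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    return json.loads(b64url_decode(payload_b64))


def with_modified_payload(token: str, new_claims: dict) -> str:
    """Constructed check: swap the payload but keep the old signature."""
    head_b64, _, sig_b64 = token.split(".")
    return f"{head_b64}.{b64url_encode(json.dumps(new_claims).encode())}.{sig_b64}"
```

Calling `verify_jwt` on the output of `with_modified_payload` returns None, which is the signature check from the previous section doing its job.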

by kushan
