JSON Web Tokens (JWT) — the only explanation you will ever need

JSON Web Tokens are truly changing the world.

Introduction

Why do we need JSON Web Tokens (JWTs)?

Your typical front-end to back-end usage

In distributed systems

The three components of a JSON Web Token

Part 1: The JWT Standard

Header

  • Algorithm (alg): The algorithm used to sign the token. The verifier uses it when recomputing the signature to check it (we will talk about that later).
  • Type (typ): The type of the token. In the case of a JWT, this will always be JWT.

Payload

  • Issuer (iss): The entity that generated and issued the JSON Web Token (for example, your authentication service or OAuth provider).
  • Subject (sub): The entity identified by this token. For example, if the token is used to authorize a user, sub could be the user ID.
  • Audience (aud): The target audience for this JWT. For example, if the token is intended to be used by your beta-tester user pool, you could specify that as the audience. It is advised to reject tokens with no audience.
  • Expiry (exp): Specifies the timestamp (Unix) after which the token should not be accepted. We will talk about short-lived JWTs later on.
  • Issued at (iat): Specifies the timestamp (Unix) at which the token was issued.
{
  "sub": "1dfee8d8-98a5-4314-b4ae-fb55c4b18845",
  "email": "ariel@codingly.io",
  "name": "Ariel Weinberger",
  "role": "ADMIN",
  "iat": 1598607423,
  "exp": 1598607723
}

Signature

signature = Crypto(secret, base64url(header), base64url(payload))
jbcOUQ2bbiYlfVtprEkaT_S6Y6yQnBDOAKDHIHjvl7g

“Everyone can read my tokens! They can change the claims and grant themselves admin access!”

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxZGZlZThkOC05OGE1LTQzMTQtYjRhZS1mYjU1YzRiMTg4NDUiLCJlbWFpbCI6ImFyaWVsQGNvZGluZ2x5LmlvIiwibmFtZSI6IkFyaWVsIFdlaW5iZXJnZXIiLCJyb2xlIjoiVVNFUiIsImlhdCI6MTU5ODYwODg0OCwiZXhwIjoxNTk4NjA5MTQ4fQ.oa3ziIZAoVFdn-97rweJAjjFn6a4ZSw7ogIHA74mGq0

Part 2: Common Misconceptions, FAQs and Techniques

JWTs as Passports

Short-lived JWTs and Invalidating Tokens

  • If your token has been compromised, it will expire soon afterwards, which limits the time window during which the attacker is able to use your token and perform operations on your behalf.
  • JWTs are stateless. You cannot invalidate such tokens (that is pretty much the only trade-off in using this type of token). Therefore, short-lived tokens are the closest we can get to keeping strong consistency over things like user permissions and roles.
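To tie together the signature reproduction from Part 1 (the objection that anyone can edit the claims) and the exp/aud checks described here, this is an added example, not code from the original article: an HS256 signer and verifier in plain Python. The secret, audience value and claims are constructed for the demo; the verifier recomputes the HMAC over the two base64url parts, so an edited payload with the old signature fails, as does a token past its exp or with the wrong aud.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

def b64url(data: bytes) -> str:
    # JWS uses base64url without '=' padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(payload: dict, secret: bytes) -> str:
    # signature = HMAC-SHA256(secret, base64url(header) + "." + base64url(payload))
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload))
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)

def verify_hs256(token: str, secret: bytes, audience: str, now: Optional[int] = None) -> dict:
    """Return the claims if the token is acceptable, raise ValueError with the reason otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The verifier decides which algorithm it accepts; the header's alg is compared, never obeyed.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")           # any change to header or payload lands here
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("aud") != audience:
        raise ValueError("missing or wrong aud")    # reject tokens with no (or another) audience
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("expired")                 # short-lived token past its exp
    return claims

def with_modified_claims(token: str, **changes) -> str:
    # Re-encode the payload with changed claims but keep the original signature: this is
    # what "they can change the claims" looks like on the wire, and verify_hs256 rejects it.
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims.update(changes)
    return ".".join([header_b64, b64url(json.dumps(claims, separators=(",", ":")).encode()), sig_b64])
```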

JWT Advantages and Should You Trust Your Tokens?

Refresh Tokens

  • Access Token: Your typical JSON Web Token that is sent with every request. Contains the user's claims.
  • Refresh Token: This special kind of token is persisted in a database, mostly owned by an Authentication Service of some sort. This is often not a JWT — but rather a unique hash.

Secret VS Private-Public Key (Keypair)

Common Microservices Architecture

  • All services will know the secret. That increases the risk of the secret being exposed or hijacked by an attacker. I mean, when you tell your friend a secret you don’t expect it to be spread around, right?
  • All services technically have the ability to create new tokens — whose responsibility is it to generate tokens? This can introduce semantic problems of ownership.

Where Should I Store The JSON Web Tokens?

What If I Want to Encrypt My Tokens Anyway?

Summary

Useful Resources

Let’s Get in Touch

Passionate about education in Software Engineering. Bestselling Udemy instructor. Self-taught Software Engineer and Engineering Manager.
Ariel Weinberger