What the heck is JWT anyway?

siwalikm

Siwalik Mukherjee

Posted on March 4, 2018

What the heck is JWT anyway?

In this article we will learn the fundamentals of a JWT token is and how we can benefit from it for authenticating communications between two parties, all of this using vanilla NodeJS and javascript.

JWT is an abbreviation for JSON Web Token, which is a compact URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is digitally signed using JSON Web Signature (JWS). ~ IETF

Urggh! What?

Simply put, JWT token is a string we pass in the header or url while making a network request to pass data safely and make sure it hasn't been tampered with.

Example: www.example.com/private/?token=xxxxx.yyyyy.zzzzz

You might be wondering what's with the token format! JWT tokens consists of three parts separated by dots

( . )

which are:

header.payload.signature
Enter fullscreen mode Exit fullscreen mode

Let's see the differents parts of a JWT token in details.

1. Header
The header typically consists of two parts: the type of the token, which is JWT, and the hashing algorithm being used, such as HMAC SHA256 or RSA.

{
   "alg": "HS256",
   "typ": "JWT"
}
Enter fullscreen mode Exit fullscreen mode

Then, this JSON is Base64Url encoded to form the first part of the JWT.

'use strict';

var header = { "alg": "HS256", "typ": "JWT" };
var enc_header = Buffer.from(JSON.stringify(header)).toString('base64');
// ► "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"
Enter fullscreen mode Exit fullscreen mode

2. Payload

The second part of the token is the payload, which contains the claims. Claims are predefined keys and their values. There are three types of claims: registered, public, and private claims.

  • Registered claims: These are a set of predefined keys which are not mandatory but recommended. Some of them are iss (issuer), exp (expiration time) etc.

  • Public claims: These can be defined at will by those using JWTs. But to avoid collisions they should be defined in the IANA JSON Web Token Registry or be defined as a URI that contains a collision resistant namespace.

  • Private claims: These are the custom key value pairs created to share information between parties that agree on using them and are neither registered or public claims.

{
   "exp": "2019-02-14",
   "message": "roses are red"
}
Enter fullscreen mode Exit fullscreen mode

The payload is then Base64Url encoded to form the second part of the JSON Web Token.

'use strict';

var payload = { "exp": "2019-02-14", "message": "roses are red" };
var enc_payload = Buffer.from(JSON.stringify(payload)).toString('base64');
// ► eyJleHAiOiIyMDE5LTAyLTE0IiwibmFtZSI6IkpvaG4gRG9lIn0
Enter fullscreen mode Exit fullscreen mode

3. Signature

To create the signature part you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that. Too good for us that NodeJS comes with the immensely powerful Crypto library out of the box which we will use in our example.

'use strict';
const crypto = require('crypto');
var jwt_secret = "secret";
// enc_header and enc_payload are computed earlier
var signature = crypto.createHmac('sha256', jwt_secret).update(enc_header +"."+ enc_payload).digest('base64');
// ► 6C46KAaZGp6RjbSqGllfdQF7g8vXCp02NTSrz-PzeoI
Enter fullscreen mode Exit fullscreen mode

The signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way.

The final JWT token looks like this

var token = `${enc_header}.${enc_payload}.${signature}`;
// ► eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOiIyMDE5LTAyLTE0IiwibWVzc2FnZSI6InJvc2VzIGFyZSByZWQifQ.0u-mkgLo5479CPjJJ4mXCwn2RW4dFT12fiYiopRWsZw
Enter fullscreen mode Exit fullscreen mode

Something important to remember here is that JWT tokens are used for authentication and not encryption, so even without knowing the secret key, someone can read your header and payload data.

But upon receiving the token you can sign the header and payload again with your secret key and compare it with the received signature to detect tampering of token or the message.

A good place to start will be by going to this online JWT debugger at jwt.io and play around with the the token we just generated above.

Hi! I'm @Siwalik! If you liked this article, follow me on twitter to know about my latest tech expeditions and side projects! 🙌

💖 💪 🙅 🚩
siwalikm
Siwalik Mukherjee

Posted on March 4, 2018

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related