What are JWTs (JSON Web Tokens)?

JSON Web Tokens are widely used today for transporting authentification and authorization data across the network. They play an important role in securing many web applications and allow users login on their favourite platforms. I will briefly explain what a JWT is and why they are so valuable.

1.What is a JSON Web Token?

“A JSON web token, or JWT(“jot”) for short, is a standardized, optionally validated and/or encrypted container format that is used to securely transfer information between two parties.” (Koretskyi, 2018)

A signed JWT looks like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFkaSBDdWNvbGHImSIsImlhdCI6MTUxNjIzOTAyMn0.jwPH819yDGJMwkeLyiEkaJfaEKlwk_L0KTkdLH8exdg

Signed JWTs are constructed from three different parts: the header, the payload and the signature. The third is dependent on the algorithm used for signing or encryption, and, in the case of unencrypted JWTs it is omitted. These three parts are encoded separately. While this is not human readable, it is a representation of a series of claims, along with a signature to verify its authenticity.

The secret required for verifying the signature is “secret”.

The header

The header describes the cryptographic procedures and what hashing algorithm (HMAC SHA256 or RSA) is applied to the token and may also contain optional information regarding the media and content type of it. The alg claim specifies the algorithm used to secure the JWT.

“A key aspect of JWTs is the possibility of signing them, using JSON Web Signatures (JWS, RFC 7515), and/or encrypting them, using JSON Web Encryption (JWE, RFC 7516). Together with JWS and JWE, JWTs provide a powerful, secure solution to many different problems.” (Peyrott, 2016-2018)

The payload

The payload consists of user data and, unlike the header, no claims are mandatory.

“Claims are definitions or assertions made about a certain party or object. Some of these claims and their meaning are defined as part of the JWT spec. Others are user defined. The magic behind JWTs is that they standardize certain claims that are useful in the context of some common operations. For example, one of these common operations is establishing the identity of certain party. So, one of the standard claims found in JWTs is the sub (from “subject”) claim.” (Peyrott, 2016-2018)

The signature

The signature, which is optional, is created by taking the encoded header, the encoded payload, a secret and the algorithm specified in the header and sign it. Its role is to verify and ensure that the sender of the JWT is trustworthy and that the token was not altered along the way.

HMACSHA256(

base64UrlEncode(header) + “.” +

base64UrlEncode(payload),

secret)

The above exemple uses the HMAC SHA256 algorithm to create the signature.

2.Serialization

The serialization process consists of encoding the header, the payload and the signature (if present) using a base64url algorithm to be easier to transmit and avoid textual conflicts.

The below figure illustrates the serialization of an unsecure token. Although the serialization can easily be done from code, it is recommended to use libraries to encode/decode (ex: jsonwebtoken).

The JWT defines the format of the information being send and can have two forms: serialized and deserialized. The header and the payload must always be present, but the signature can be omitted if the JWT is unsecured. In the case of an unsecured token, the alg claim from the header is set to none ({“alg”: “none”}). The deserialized form, on other hand, is used to modify the data of the token and it only consists of the header and the payload.

3.What problem does it solve?

“Although the main purpose of JWTs is to transfer claims between two parties, arguably the most important aspect of this is the standardization effort in the form of a simple, optionally validated and/or encrypted, container format. Ad hoc solutions to this same problem have been implemented both privately and publicly in the past. Older standards for establishing claims about certain parties are also available. What JWT brings to the table is a simple, useful, standard container format.” (Peyrott, 2016-2018)

They are widely used in the authentification and authorization process. If an application requires login, the system must track informatin about the logged-in user.

Server-side/Stateful Sessions

For years, this sessions were being tracked on the server side and the client would only store the sessionID in a cookie.

Although the implementation is secure, it is also rather complex and it makes it hard to debug. The biggest disadvanage is the performance cost and incresed complexity of scaling.

Client-side/Stateless Sessions

Unlike the before mention method, the client-side session data is stored by the client, usually in a cookie, and is sent to the server on each request through the HTTPS headers to avoid CORS issues.

This way, the scalabity problem is avoided, but security vulnerabilites can emerge since there is no guarantee that the client didn’t alter the data before passing it to the sever.

This is when JWTs are being used. Because they can be singed, the server can then verify the authenticity of the token and trust that the data was not altered Furthermore, JWTs can also be encrypted and the data can be hidden from users who would try to modify it.

JWTs are not completely foolproof, therefore as a developer it is important to understand their vulnerabilities and mitigate them.

One important aspect is to never allow unsgined tokens and always stippulate the permitted hashing algorithm within the server instead of trusting the token’s header first. Checking if the header’s alg claim corresponds with the server who singed it is one extra step to secure it’s trust and avoid breaches.

Furthermore, it is important to set a resonable expiration time of the token and also be prepared to take measures and renew the tokens in case of breach.

Another aspect which will increase the token’s security is using an appropiate key size for the signature’s secret and taking all the necessary measure to keep the shared and private keys secured.

4.Exmaple Node.js API Authentication

The following example uses jsonwebtoken library to sign and verify the token.

At login, the library encodes and signs the token with the secret key.

When a  “private” route is accessed, the token goes through a series of verifications and a valid response is only sent if the token is trustworthy and the it passes the verification.

This step is conducted by the library (jwt.verify), but the first step of extracting the token from the header can also be implemented by the user.

Althought it is not recommended, the verification can be handled by the user like in the example above. A better approache would be to use a middlware which can handle the authentication process. For example, Passport can be easily used in any Express-based web application and it only requires a few lines of codes.

Conclusion

JWTs provide a compact and self-contained way for securely transmiting information between parties. They solve the problem of managing sessions on the server, thus the scalabilty issues. Besides that, being so lightweight, they can be easily  transmitted on the requests withouth affecting the performance.

In conclusion, JWT is a secure and easily to implement standard which can assure a proper security of an application if best practices are applied.