The importance of security has increased over the years due to the increase in cyber-attacks and data breaches. Organizations need to take precautions such as implementing cybersecurity measures and using encryption technologies for their digital assets.
Security is an essential aspect of any web application, regardless of its size: it holds data that needs to be protected, because malicious users may try to access it.
One approach to protecting that data is Token-Based Authentication, which uses a JWT token. But, after all, do you know what it is? That is what we will explain in this article. Check out!
JWT: what it is and when to use it
JSON Web Token is a type of security token used in the authorization process. It contains encoded information that can be decoded by the server and passed to the requesting client.
Its purpose is to compactly and securely transmit or store JSON objects between different applications. The JWT is digitally signed using a secret key with the HMAC algorithm or an RSA or ECDSA public and private key pair.
This fact makes it an extremely secure means of sharing information and authenticating users. Its format is text-based and widely accepted by many programming languages.
JWT is one of the main components of JOSE (JSON Object Signing and Encryption), which comprises specifications such as:
- JWE (JSON Web Encryption), responsible for the encryption of the token signature;
- JWA (JSON Web Algorithms), covering the algorithms;
- JWK (JSON Web Key), the keys used for the signature;
- JWS (JSON Web Signature), the token signature;
- JWT, the JOSE element that is the token itself.
It is used in two scenarios: authorization in applications and the exchange of information.
Below we detail both. Check out!
Authorization
The most common scenario for using JSON Web Tokens is to authenticate users by providing them with the token and allowing them to access the appropriate routes, services, and resources on your website or server.
Information exchange
JWTs can be signed using public and private key pairs. This provides some level of assurance that the sender is who they say they are.
JWT structures
JSON Web Tokens consist of three parts separated by periods (.). These parts are:
- Header;
- Payload;
- Signature.
Header
The header is located at the beginning of the token and is composed of two elements: alg and typ. The first indicates which signing algorithm is used and the second informs the type of token.
However, not all JWT tokens carry the token-type information. The essential element is the one indicating which signature algorithm was used.
Payload
The payload, or body, is where the claims are contained. Claims are statements about the user, plus additional data.
The body of the JWT token is made up of optional information, that is, information the application that generated it wants to convey, except for the sub key, which is mandatory, since it identifies the entity to which the token refers.
There are three types of claims in a payload: reserved, public, and private claims. Reserved claims are non-mandatory but recommended attributes that form a set of useful and interoperable information commonly used in API security protocols. These predetermined claims are standardized and can be classified as:
- jti (JSON Token Identifier): the unique identity of the token;
- iss: the user who issued the token;
- iat: identifies the lifetime of the token from the time of issuance;
- nbf: determines token validity;
- exp: the token expiration time, after which the token is no longer accepted for processing;
- sub: the token's subject;
- aud: the audience of the token, that is, the end consumer.
Public claims are the attributes that define the use of the JWT and useful information for the application. Private claims are those specifically defined to share information between applications.
It is important to note that sensitive information should not be placed in the payload, since the content of each segment of a JWT token can be read by anyone holding the token. Viewing that content requires nothing more than a Base64 decode.
Signature
This is one of the most sensitive elements of a JWT, as it is a product of the other two components. It is produced by encoding the header and payload and signing them together with a secret key.
The signature makes it possible to detect whether the JWT token has been tampered with at any point. The secret key, which is unique to the server, is what allows further tokens to be generated.
Building a token
A token is nothing more than a digital signature, that is, a key. In this sense, it is a string of characters that represents an object.
The signature is the security-sensitive part of a token, intended to protect the integrity of the information. To provide this protection there is a standard formula: the token carries a Base64-encoded hash produced by a hash algorithm such as SHA256 or SHA512, computed over the token's header and payload.
Verification
A secure token's signature is mathematically impossible to reproduce without the application's secret key. However, once that key is known, any application can recompute the signature and verify its validity.
This is done by generating a signature from the header and payload provided by the client and comparing it with the signature present in the token the client sent. If the two signatures are identical, access is granted by the application.
In practice
To produce a token it is therefore necessary to:
- Specify an algorithm (alg) and a type (typ) in the header;
- Supply the token's claims, which can be registered or custom;
- Join the three elements: header, payload and signature.
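As an added example (not code from the original article), the Verification and In practice sections above in plain Python: the header and payload are base64url-encoded and signed with HMAC-SHA256 under a constructed example secret, and a presented token is checked by recomputing the signature, comparing it in constant time, and then applying exp and nbf. The function names and the secret value are my own assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example secret; a real server keeps this out of source control.
SECRET = b"example-secret-not-for-production"

def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    """Restore the padding the token omits, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_token(claims: dict, secret: bytes = SECRET) -> str:
    """Encode header and payload, then sign 'header.payload' with HMAC-SHA256."""
    def compact(obj):
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact({"alg": "HS256", "typ": "JWT"}) + "." + compact(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_token(token: str, secret: bytes = SECRET, now=None):
    """Return the claims if signature and exp/nbf checks pass, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The header is untrusted input: accept only the algorithm this server uses.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison of the recomputed signature with the presented one.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None
    if "nbf" in claims and now < claims["nbf"]:
        return None
    return claims
```

Changing a single payload byte or using a different secret makes verify_token return None, which is the tampering detection the Signature section describes.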
Do you like our content? Then follow us on social media to keep up with innovation, and read our blog.