JSON Web Tokens

What is a JSON Web Token (pronounced "jot")?

  • JWT is a standard for transmitting claims between parties as a compact JSON object.
  • A JWT can either be signed (JWS) or encrypted (JWE).
  • A JWT can be generated using a shared secret or a public/private key pair.
  • JWT is an alternative to server-side sessions and to SAML.
  • JWT's most common use is authentication.
  • Stateless - no session state is kept on the server.
  • Compact - sent with every request, typically in the Authorization header.
  • Self-contained - all the information about the user is in the encoded payload.

How does JWT Work?
The server returns an authentication token after a user logs in from the client. The client stores that token inside localStorage (or a cookie). Every subsequent request made by the client includes the token. The server then verifies the correctness of the token before sending a response.

JWT structure is dot-delimited: header.payload.signature
  • Header - cryptographic information (the signing algorithm and token type).
  • Payload - the user claims. Built-in (registered) claims have 3-character names.
  • Signature - the keyed hash (or digital signature) computed over the encoded header and payload using the secret or private key.

JWS vs JWE Comparison

Shared Secret Holder
  • JWS: can verify and generate tokens
  • JWE: can encrypt and decrypt tokens
Public/Private Key
  • JWS: private key holder can sign and verify tokens; public key holder can only verify tokens; data flows from private to public key holders
  • JWE: public key holders can encrypt; private key holder can only decrypt; data flows from public to private key holders

When to sign (JWS) and when to encrypt (JWE) JWTs

  • Sign your tokens (JSON Web Signature - JWS) if there are no security or privacy concerns when the contents are read by other parties; otherwise encrypt them (JSON Web Encryption - JWE).
  • Sign it if all you need is integrity and authenticity; encrypt it if you also need confidentiality.

Best Practices

  • Never accept unsigned JWTs - signature stripping is an attack where the signature is removed and the token is presented as an unsigned token; the verifier must require a signature and a fixed, expected algorithm.
  • Don’t store tokens in cookies because they’re subject to CSRF attacks. Use localStorage whenever possible.
  • Perform origin checks.
  • Add an expiration (the exp claim) and reject expired tokens on every request.