jwt - dwilson2547/wiki_demo GitHub Wiki

JSON Web Tokens (JWT) are a compact, URL-safe way to represent claims between two parties. They are commonly used for authentication and information exchange in web applications. Let’s break down JWTs in detail:

1. What is a JWT?

A JWT is a signed JSON object that contains:

  • Claims: Statements about an entity (e.g., user identity, permissions).
  • Signature: Ensures the token hasn’t been tampered with.

JWTs are stateless, meaning the server doesn’t need to store session data.

2. Structure of a JWT

A JWT consists of three parts, separated by dots (.):

Header.Payload.Signature

A. Header

  • Specifies the algorithm (e.g., HMAC SHA256, RSA) and token type (JWT).
  • Example: 
    {
  "alg": "HS256",
  "typ": "JWT"
}
  • Base64Url encoded to form the first part.

B. Payload (Claims)

  • Contains claims (statements about the user or metadata).
  • Three types of claims:
    1. Registered: Predefined (e.g., iss for issuer, exp for expiration).
    2. Public: Custom claims (e.g., user_id, role).
    3. Private: Agreed upon by parties (e.g., internal app data).
  • Example: 
    {
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true,
  "exp": 1516239022
}
  • Base64Url encoded to form the second part.

C. Signature

  • Created by combining the encoded header, encoded payload, and a secret key.
  • Example (HMAC SHA256): 
    HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  secret_key
)
  • Ensures the token’s integrity.

3. How JWTs Work

  1. User Logs In: Provides credentials (e.g., username/password).
  2. Server Validates Credentials: If valid, the server creates a JWT.
  3. JWT Sent to Client: Typically in an HTTP response (e.g., Authorization: Bearer <token>).
  4. Client Stores JWT: Usually in localStorage or cookies.
  5. Client Sends JWT with Requests: The server validates the JWT and grants access.

4. Why Use JWTs?

  • Stateless: No server-side session storage needed.
  • Scalable: Works well in distributed systems (e.g., microservices).
  • Secure: Signed to prevent tampering.
  • Compact: Can be sent via URL, POST, or HTTP header.

5. Common Use Cases

  • Authentication: Replace traditional sessions.
  • API Authorization: Secure RESTful APIs.
  • Information Exchange: Safely transmit data between parties.

6. Security Considerations

  • Never store sensitive data in the payload (it’s base64-encoded, not encrypted).
  • Use HTTPS to prevent token interception.
  • Short expiration times for access tokens (use refresh tokens for long-lived sessions).
  • Validate tokens on the server (check signature, expiration, issuer, etc.).

7. Example JWT

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
  • Header: {"alg":"HS256","typ":"JWT"}
  • Payload: {"sub":"1234567890","name":"John Doe","iat":1516239022}
  • Signature: SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

8. JWT vs. OAuth

  • JWT: A format for tokens (can be used in OAuth).
  • OAuth: A protocol for authorization (can use JWTs as tokens).

Would you like a deeper dive into any specific aspect, such as JWT validation, refresh tokens, or how to implement JWT in a real-world app?

⚠️ **GitHub.com Fallback** ⚠️