JSON web token
Christian Ranz / Munich NodeJS User Group / 13. August 2014
We are a web agency offering full stack web application development.
There are two common ways to perform server-side authentication.
JSON web token
"JSON Web Token (JWT) is a compact URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JavaScript Object Notation (JSON) object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or MACed and/or encrypted."
"The suggested pronunciation of JWT is the same as the English word 'jot'."
<base64-encoded header>.<base64-encoded claims>.<base64-encoded signature>
JWTs consist of three base64url-encoded parts separated by a "." (the whole token is a single string; it is only split below to show its parts):
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOjEsImV4cCI6MTQwNzgyOTI2OCwiaWF0IjoxNDA3ODIyMDY4LCJhZG1pbiI6dHJ1ZX0.JiRQIZojC6DTBM607e1fyxP0bmDSE_STuNxV-f4-7Qk
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
{
"alg": "HS256",
"typ": "JWT"
}
The header can also contain e.g. "enc", "zip" defined in JWE (JSON Web Encryption), ...
eyJzdWIiOjEsImV4cCI6MTQwNzgyOTI2OCwiaWF0IjoxNDA3ODIyMDY4LCJhZG1pbiI6dHJ1ZX0.
{
"sub": 1,
"exp": 1407829268,
"iat": 1407822068,
"admin": true
}
There can be custom claims too. But you have to keep in mind that the token is sent to the server on each request, so ...
JiRQIZojC6DTBM607e1fyxP0bmDSE_STuNxV-f4-7Qk
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
"supersafe_secret"
)
A signature generated using an algorithm specified in JWA (JSON Web Algorithms); here HS256, i.e. HMAC-SHA256 over the first two segments, keyed with a secret only the server knows.
by Christian Ranz