JWT authentication
JSON Web Token (JWT) is a compact claims representation format that is intended for space constrained environments such as HTTP Authorization headers and URI query parameters. A claim is represented as a name-value pair that contains a Claim Name and a Claim Value.
The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plain-text of a JSON Web Encryption (JWE) structure. JWT claims can be digitally signed or integrity protected with a Message Authentication Code (MAC) and they can also be encrypted.
JWT Overview
JWT represents a set of claims as a JSON object that is encoded in a JWS or JWE structure. This JSON object is the JWT Claims Set. The JSON object consists of zero or more name-value pairs (or members), where the names are strings and the values are arbitrary JSON values. These members are the claims that are represented by the JWT. The member names within the JWT Claims Set are referred to as Claim Names. The corresponding values are referred to as Claim Values.
A JWT is represented as a sequence of URL-safe parts separated by period (’.’) characters. Each part contains a base64url-encoded value. The number of parts in the JWT is dependent upon the representation of the resulting JWS using the JWS Compact Serialization or JWE using the JWE Compact Serialization.
Types of JWT
JWT Example
The format of a typical JWS is <Base 64 URL encoded Header json>.<Base 64 URK encoded Payload json>.<Base 64 URL encoded signature>
Header
{
"alg": "RS256",
"typ": "JWT",
"kid": "a1"
}
Payload
{
"sub": "1234567890",
"name": "John Doe",
"admin": true,
"iat": 1516239022,
"exp": 1531762065
}
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImExIn0
.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMiwiZXhwIjoxNTMxNzYyMDY1fQ
.z4qfO0leZK2mYp_w-jFNidTx-Ri0PRMHLsOAG1Den7ZR4QntIJhU17U0afgoe5VzISXS6jW61ga3XEk39ey1G7a_-ARIVZLYN11fHDhsPuzN7PPkbT
5uWpHEUhVWRR8dxHqXmNiDaWjNhTnzHCBpfrRHj5pR_dzubbuE_uPuvDk
As illustrated in the sample, the JWS has the following parts and is separated by the "." character.
- Header =
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImExIn0
- Payload =
G4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMiwiZXhwIjoxNTMxNzYyMDY1fQ
- Signature =
z4qfO0leZK2mYp_w-jFNidTx-Ri0PRMHLsOAG1Den7ZR4QntIJhU17U0afgoe5VzISXS6jW61ga3XEk39ey1G7a_-ARIVZLYN11fHDhsPuzN7PPkbT5uWpHEUhVWRR8dxHqXmNiDaWjNhTnzHCBpfrRHj5pR_dzubbuE_uPuvDk