What is JWT and What Problem Does It Solve?

What is JWT?

JWT stands for JSON Web Token, a standard defined in RFC 7519 for transmitting JSON objects between two parties (such as a front end and a back end). A token consists of a header, a payload, and a signature, separated by a dot (.) and each Base64url-encoded for transmission.

header.payload.signature

The JWT.io Debugger is a good place to explore JWTs through live examples.

Basic JWT Example

header

Contains metadata about the token type and the signing algorithm used to protect its contents.

{
"alg": "HS256",
"typ": "JWT"
}

payload

Contains verifiable security claims, such as user identity and allowed permissions. There are three types of claims. While JWT can transmit completely custom data (private claims), it can also convey certain data meanings through “standardized fields.”

{
"sub": "1234567890",
"name": "John Doe",
"admin": true
}

signature

Used to verify that the token is trustworthy and has not been tampered with. It is produced by running the algorithm named in the header over the Base64url-encoded header and payload together with the secret.

HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
secret)

JWT Implementation

JWT has several “implementation methods”, but this article focuses on JWS.

What does JWT do?

Sequence between the front end (client) and the back end (server):

  1. Client → Server: POST /login (credentials)
  2. Server: validate credentials, generate JWT
  3. Server → Client: return JWT
  4. Loop, for each API request:
     • Client → Server: Authorization: Bearer <JWT>
     • Server: verify JWT validity
     • Server → Client: return data, or a 401 error

When generating a JWT, the algorithm used for the signature can vary, but the most common method is “asymmetric encryption”: the signature is calculated over the data with a private key and the chosen algorithm, which lets the server confirm that the client has not altered the data. If any part of the JWT is tampered with, subsequent verification fails, which is what guarantees data integrity.

From the above example it is clear that the focus is on the “integrity” of the data rather than its “confidentiality,” so it is crucial to remember that everything in the payload is readable by anyone who holds the token.
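As an added example (not code from the article), the HS256 construction from the formula above, written with Python's standard library, alongside the checks a server makes: recomputing the signature, which fails as soon as any payload byte changes; decoding the payload without the secret, which shows why it is public; and an exp check. The secret and claim values are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    # base64url without '=' padding, as RFC 7519 requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # restore padding

def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    # signing input is base64url(header) "." base64url(payload), exactly as in the formula
    signing_input = ".".join(b64url(json.dumps(part, separators=(",", ":")).encode())
                             for part in (header, payload))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_hs256(token: str, secret: bytes, now=None):
    """Return the payload if the signature checks out and 'exp' has not passed, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None                    # accept only the algorithm the server expects
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None                    # any change to header or payload lands here
        payload = json.loads(b64url_decode(p))
    except ValueError:                     # wrong segment count, bad base64 or bad JSON
        return None
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        return None                        # expired; the signature alone never revokes a token
    return payload

def read_payload_without_secret(token: str) -> dict:
    # the payload is only encoded, not encrypted: anyone holding the token can read it
    return json.loads(b64url_decode(token.split(".")[1]))

def tamper(token: str, **changes) -> str:
    # rewrite payload claims but keep the original signature, so verification must reject it
    h, p, s = token.split(".")
    payload = json.loads(b64url_decode(p))
    payload.update(changes)
    return ".".join([h, b64url(json.dumps(payload, separators=(",", ":")).encode()), s])

# constructed demo values (not a real secret or real user)
SECRET = b"constructed-demo-secret"
PAYLOAD = {"sub": "1234567890", "name": "John Doe", "admin": False, "exp": 1_700_000_000}
TOKEN = sign_hs256({"alg": "HS256", "typ": "JWT"}, PAYLOAD, SECRET)
```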

What problem does JWT solve?

Because HTTP is stateless, user state usually has to be kept on the server. Traditional session-based authentication uses a session ID to look up that state, which is a poor fit for “multiple servers” or “stateless APIs.”

After the user logs in, the server issues a JWT containing the user ID, permissions, and other information, which the client stores itself. Each subsequent request carries the JWT, and the server only has to verify and unpack it, with no server-side lookup; this makes it easy to add servers and reduces server load.

What problems might JWT bring?

  • As long as a JWT has not expired, the server keeps trusting it. If a user logs out, permissions change, or an account is compromised, the JWT cannot be invalidated immediately unless a blacklist (revocation) mechanism is implemented.
  • A JWT stored on the front end may still be exposed to attacks such as XSS or CSRF.

Further Reading