What is a JSON Web Token (JWT, pronounced "jot")
- JWT (RFC 7519) is a standard for transmitting claims about a subject as a compact, URL-safe string.
- A JWT is either signed (JWS) or encrypted (JWE); a signed token can also be wrapped in a JWE.
- The signature can use a shared secret (HMAC, e.g. HS256) or a public/private key pair (e.g. RS256, ES256).
- JWT is an alternative to server-side sessions and to SAML assertions.
- JWT's most common use is authentication and authorization of API requests.
- Stateless - the server does not keep a session record; everything needed to validate the token is the token itself plus the verification key.
- Compact - small enough to be sent with every request, typically in the Authorization: Bearer header.
- Self-contained - the claims about the user are carried in the payload. The payload is only base64url-encoded, not encrypted, so anyone holding the token can read it.
How does JWT Work?
When a user logs in, the server issues a signed token and returns it to the client. The client stores the token (in a cookie or in browser storage) and includes it in every subsequent request. The server verifies the signature and the claims (expiration, issuer, audience) before serving the request; no server-side session lookup is needed.
JWT structure is dot-delimited - header.payload.signature, each part base64url-encoded
Header - cryptographic metadata: the algorithm (alg), the token type (typ) and optionally a key identifier (kid)
Payload - the claims. Registered (built-in) claims have three-letter names: iss, sub, aud, exp, nbf, iat, jti
Signature - an HMAC or digital signature computed over the encoded header and payload with the key; a plain hash would give no protection because anyone could recompute it
JWS vs JWE Comparison

| | JWS (signed) | JWE (encrypted) |
|---|---|---|
| Shared secret holder | Can generate and verify tokens (symmetric MAC, e.g. HS256) | Can encrypt and decrypt tokens |
| Public/private key pair | Private key generates (signs); public key verifies | Public key encrypts; private key decrypts |
When to sign (JWS) and when to encrypt (JWE) JWTs
- Sign your tokens (JSON Web Signature - JWS) with an HMAC or a digital signature when the claims are not confidential: anyone holding the token can read the payload, but cannot alter it without the verifier noticing. Encrypt (JSON Web Encryption - JWE) when the contents must be hidden from the client or from intermediaries.
- Sign if you need integrity and authenticity; encrypt (usually a signed token nested inside a JWE) if you also need confidentiality.
Best Practices
- Never accept unsigned JWTs. Signature stripping is an attack where the signature is removed and the header changed to "alg":"none" so that a naive verifier accepts the token as valid. Reject "none" and verify only against a server-side allow-list of algorithms; the alg value in the header is attacker-controlled and must never choose the verification routine on its own.
- Choose token storage knowing the trade-off. localStorage is readable by any script running on the page, so a single XSS bug leaks the token. Cookies are sent automatically and therefore need CSRF defenses, but a cookie flagged HttpOnly, Secure and SameSite keeps the token out of reach of scripts. For browser clients that cookie plus CSRF protection is usually the safer choice.
- Perform origin checks: validate the issuer (iss) and audience (aud) claims and verify the signature with the key that belongs to that issuer, so a token issued for another service is not accepted.
- Add expiration: set a short exp, reject expired tokens, and remember that a stateless token cannot be revoked, so short lifetimes (with a refresh mechanism) limit the damage from a stolen token.
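The token structure described above and the verifier checks from this best-practices list, worked through in code. This is an added example written for these notes, not code from any JWT library or from the original page; use a maintained library in real systems. The shared secret, issuer URL, claims and timestamps are constructed sample values, and ALLOWED_ALGS, issue_token, verify, strip_signature and forge_claim are names chosen here for illustration.

```python
"""HS256 JWT issue/verify written for these notes (not a real JWT library):
it shows the header.payload.signature structure, that the payload is readable
without the key, and the verifier checks from the best-practices list.
All keys, claims and timestamps are constructed sample values."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"example-shared-secret-not-for-production"   # constructed sample key
ALLOWED_ALGS = {"HS256"}   # server-side allow-list; the header is never trusted


def b64url_encode(data: bytes) -> str:
    # JWT uses base64url with the '=' padding removed
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding stripped at encode time
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def issue_token(sub: str, audience: str, key: bytes = SECRET,
                ttl: int = 300, now=None) -> str:
    """Build a signed token: base64url(header).base64url(payload).base64url(mac)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": "https://issuer.example", "sub": sub, "aud": audience,
               "iat": now, "exp": now + ttl}
    signing_input = encode_json(header) + "." + encode_json(payload)
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def peek_payload(token: str) -> dict:
    """Anyone holding a JWS can read its claims: encoded is not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify(token: str, key: bytes = SECRET, expected_aud: str = "api",
           now=None) -> dict:
    """Return the claims if every check passes, otherwise raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Reject "none" and anything outside the server's own allow-list
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison so timing does not leak the MAC
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    if claims.get("aud") != expected_aud:
        raise ValueError("wrong audience")
    return claims


def strip_signature(token: str) -> str:
    """Attacker move (signature stripping): set alg=none and drop the signature."""
    _, payload_b64, _ = token.split(".")
    return encode_json({"alg": "none", "typ": "JWT"}) + "." + payload_b64 + "."


def forge_claim(token: str, **changes) -> str:
    """Attacker move: edit the payload but keep the original signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = {**json.loads(b64url_decode(payload_b64)), **changes}
    return f"{header_b64}.{encode_json(claims)}.{sig_b64}"


def check(token: str, **kwargs) -> str:
    """'ok' or the rejection reason; convenient for tests and demos."""
    try:
        verify(token, **kwargs)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    issued_at = 1_700_000_000                         # constructed timestamp
    token = issue_token("alice", "api", now=issued_at)
    print(token)
    print(peek_payload(token))                        # readable without SECRET
    print(check(token, now=issued_at + 10))           # ok
    print(check(strip_signature(token), now=issued_at + 10))
    print(check(forge_claim(token, sub="admin"), now=issued_at + 10))
    print(check(token, now=issued_at + 400))
```

Two design points matter here. The verifier decides the algorithm from its own allow-list before touching the signature, which is what defeats the stripped "alg":"none" token; and the claim checks (exp, aud) run only after the MAC is confirmed, so an attacker who edits the payload (forge_claim) is stopped at the signature step rather than reaching claim-handling code with untrusted data.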