forum

Home / DeveloperSection / Forums / What are JSON Web Tokens (JWT), and how are they used for authorization?

Ask Question

What are JSON Web Tokens (JWT), and how are they used for authorization?

Manish Sharma34426-Sep-2023

What are JSON Web Tokens (JWT), and how are they used for authorization? Also, explain examples with pros and cons.

web api asp.net  mvc  web api 
Updated on 27-Sep-2023
Manish Sharma

Manish Sharma

Follow
When you can't control what's happening, challenge yourself to control the way you respond to what's happening. That's where your power is! Sometimes we need fantasy to survive reality. There is great beauty in simplicity

Can you answer this question?

Answer

1 Answers

Aryan Kumar

Aryan Kumar

27-Sep-2023

JSON Web Tokens (JWT) are a compact, self-contained, and widely used format for securely transmitting information between parties in a JSON (JavaScript Object Notation) format. JWTs are often used for authentication and authorization purposes in web applications, APIs, and distributed systems. They consist of three parts: a header, a payload, and a signature.

Here's a breakdown of each component and how JWTs are used for authorization:

1. Header:

  • The header typically consists of two parts:
    • The type of token, which is "JWT."
    • The signing algorithm used to generate the token's signature.

Example header:

{
  "alg": "HS256",
  "typ": "JWT"
}

2. Payload:

  • The payload contains claims, which are statements about an entity (typically, the user) and additional data. Claims can be divided into three types:
    • Registered Claims: These are predefined claims widely used and standardized, such as "iss" (issuer), "exp" (expiration time), "sub" (subject), and others.
    • Public Claims: These are custom claims defined by the parties involved, but they are recommended to be registered with an IANA-registered claim name.
    • Private Claims: These are custom claims specific to the application and are not registered or standardized.

Example payload:

{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true
}

3. Signature:

  • The signature is created by taking the encoded header, encoded payload, a secret key (or public key in the case of asymmetric algorithms), and the specified signing algorithm. The signature helps verify that the sender of the JWT is who it says it is and that the message wasn't tampered with.

Example signature (computed using HMAC-SHA256):

HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  secret
)

JWTs are used for authorization in the following way:

Authentication:

  • When a user logs in, the server generates a JWT containing claims about the user's identity and potentially additional information.
  • The JWT is signed using a secret key known only to the server.

Authorization:

  • Once a user is authenticated, the JWT is often included in the "Authorization" header of HTTP requests when accessing protected resources or APIs.
  • The server can verify the JWT's signature using the secret key to ensure the token hasn't been tampered with.
  • The server can also verify claims in the payload, such as the user's identity or roles, to determine if the user is authorized to access the requested resource.
  • If the token is valid and the user is authorized, the server responds with the requested data or resource.

JWTs simplify authorization because they are self-contained and contain information about the user's identity and permissions. They eliminate the need for the server to store session state, which can be especially useful in stateless, distributed systems and microservices architectures. Additionally, JWTs can be easily shared and verified across different services and platforms, making them a versatile choice for authentication and authorization in modern web applications and APIs.

MindStick Training

Liked By