Understanding JWT

This and the other “Deck” posts are a repurposing of flashcard study decks to Q&A blog posts.

What is a JSON web token (JWT)?

It is an access/authorization token that is sent along with requests to application servers; the server uses the contents of the token to decide whether to grant or deny access to the requested resources.

A JWT has three components. What are they?

Header, Payload, and Signature.

What is the role of the payload in a JWT token?

The payload contains the data the systems are interested in. Often it will be data about a user, but it could be anything, such as bank transfer information.

What are claims in a JWT?

Claims are the individual pieces of data in the payload, grouped into categories. Registered claims are predefined payload keys such as iss (issuer) and exp (expiration). Claims can also be public or private, which are covered later in this deck.

What is the role of the header?

The header contains metadata about how the server signed the token, namely which algorithm it used. The server will use the header to determine which algorithm to use to decode it.

What is the role of the signature?

The signature is what verifies the validity of the token. It is created using a secret key and is computed over the contents of the token header and payload. The signature is used to verify that the contents of the token were not changed.

Is a JWT an access token?

Yes, it is. It is what grants users access to different server resources.

List options for storing JWT in the browser.

The two most common options are to store it as a cookie or in localStorage.

If you store a JWT in localStorage in the browser, how does it get sent back to the server as part of a web request?

You will have to read the token from localStorage and modify your request to include it, either as a header or as a parameter.

If you store a JWT as a cookie in the browser, how does it get sent back to the server as part of a web request?

Cookies are sent automatically with every browser request, so the token will be included with each request the browser makes to the origin server (the server that rendered the HTML).

When it is said that the server signed the token, what does that mean?

This is the server's way of saying that the data it signed must be returned in its current form; otherwise, when the server checks the token for validity, it will not pass inspection.

Describe the relationship between a browser client and the application server that generated the JWT.

The client often stores the JWT in client-side storage and passes the token back to the server on requests, so the server can verify that the user still has a valid session and has access to the resource they are requesting.

What is a refresh token and how can they be used with JWTs?

Since our JWT is an access token, the refresh token is an optional second token that can be used to issue a new access token when the current one expires. This lets access tokens be short-lived, which limits your exposure if an attacker is able to obtain a valid token.

What additional security benefit does JWE provide that JWT does not?

JWE adds encryption. This means that the data in the token cannot be read without a key that is only distributed to trusted systems, allowing you to store more sensitive data than would be stored in a traditional JWT. Try decoding a JWT to see that anyone can read it: run atob("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9") in your developer tools. This is the header part of the example token on jwt.io.

If you are going to store private or sensitive data in a token, what type of token would you use?

JWE because the data would be encrypted and unreadable by another party without your consent.

Why is it important to expire a JWT?

You want to expire a JWT so that a bad actor has a smaller window of time in which to use a valid token as a means of authentication. For example, one of your users is logged into your system and you store a JWT on their computer; then they step away from their computer, and a few minutes later a bad actor sees the computer left alone and decides to perform unwanted actions without the user's knowledge. If the token had expired, the user would not have been vulnerable to such an event.

How are refresh tokens used?

After a token has expired, the client sends a POST request to a different authorization server endpoint than the one that granted it the JWT; this endpoint might be called /renew. That POST request includes the refresh token, which the auth server validates before issuing a new access token in the response.

When might you opt for session authorization over JWT when building an application?

If you are building a monolithic application where your application does not need to communicate with other servers in your system, it may make sense to use the session storage mechanisms your backend technology provides for auth.

What is the difference between a public and private claim?

Consider the difference between a public API and a private API. A public API is well documented and can be read by anyone, while a private API can only be read by the API team and those who are consuming it, and that data is agreed upon in advance by the parties involved. The same can be said of claims; they differ in their level of exposure. Private claims can only be read by the parties that agree to them, and public claims can be read by anyone.

What happens when a JWT is tampered with or altered?

It is invalidated. Since the token's signature is generated from the contents of the header and payload, any alteration made to either will cause the signature check to fail and the token to be rejected.