Introduction to JSON Web Tokens (JWT)

The internet is a singular entity, and social media adds a layer of enjoyment, where even a simple smiley face can signify agreement or validation. Despite differing ideologies and the hidden agendas of some, the world feels smaller than ever.

Since Richard M. Sherman penned the iconic tune “It’s a Small World (After All),” advancements in technology have further shrunk our global interactions. While it took early humans generations to migrate from Africa to Europe, today, we can connect with friends across the world instantly through video calls. Our level of connectivity is unprecedented.

However, amidst the ease of online communication, we often overlook the complexities of the internet’s functioning. Transmitting data securely to the intended recipient has always been a challenge. So, how can we ensure our data remains safe?

In the field of web development and API security, JSON Web Tokens (JWTs) have gained popularity as a reliable means of securely exchanging information between parties, typically a client and a server. JWTs are small, URL-safe tokens that convey claims between these parties. Their simplicity, efficiency, and ease of integration into various authentication and authorization systems have made them a staple in modern web applications.

What is a JSON Web Token?

A JSON Web Token is a standardized method for securely transmitting information. The data contained in a JWT is formatted as a JSON object and is digitally signed using either a secret (via HMAC) or a public/private key pair (like RSA or ECDSA). This signature guarantees the integrity of the claims within the token, making it a trustworthy means of authentication.

Structure of a JWT

A JWT consists of three parts, each separated by a period (.):

1. Header: The header usually has two components: the type of token (JWT) and the signing algorithm employed (such as HMAC SHA256 or RSA). This is represented as a base64-encoded JSON object.

{
  "alg": "HS256",
  "typ": "JWT"
}

2. Payload: The payload contains the claims, which are statements about an entity (typically a user) and may include additional information. JWTs support three types of claims: registered, public, and private. This section is also base64-encoded.

• Registered claims: These are predefined claims that are recommended but not mandatory, providing a set of useful claims. Examples include iss (issuer), exp (expiration time), and sub (subject).
• Public claims: These are user-defined claims that can be shared publicly, but care must be taken to avoid naming conflicts with other JWTs.
• Private claims: These are created for sharing information between parties that agree on their usage.

Example payload:

{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true
}

3. Signature: The signature is generated by combining the encoded header, the encoded payload, a secret, and the specified algorithm from the header. This combination is then signed, resulting in the JWT signature. The signature verifies the sender of the JWT.

If HMAC SHA256 is the signing algorithm, the signature would appear as follows:

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret
)

Example of a JWT

Here is an example of a complete JWT:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

This token is a base64-encoded string, which, when decoded, reveals the header, payload, and signature.

How JWTs Work

The process of using JWTs in a typical application can be outlined in several steps:

1. Authentication: When a user logs in, the server checks the user’s credentials. If they are valid, the server creates a JWT that includes user-specific information (like user ID and roles) and sends it back to the client.
2. Storage: The client keeps the JWT (usually in local storage or a cookie) and includes it in the Authorization header using the Bearer schema for subsequent requests to the server.
3. Validation: When the server receives a request with a JWT, it verifies the token’s signature using the secret or public key. If the token is valid, the server processes the request; if it is invalid or expired, the request is denied.
4. Authorization: Based on the claims contained in the JWT, the server determines the user’s permissions and whether they can access the requested resources.

Benefits of Using JWT

Utilizing JWTs presents several benefits, especially regarding web and API security:

1. Compactness: JWTs are small, making them ideal for transmission via URL, HTTP headers, or form parameters, which enhances web application performance.
2. Self-contained: JWTs include all the necessary information about the user and other claims, minimizing the need for multiple database queries. This self-sufficiency simplifies scaling and boosts performance.
3. Stateless: Since JWTs are self-contained, they do not require the server to store session data, as all required information is embedded in the token. This is advantageous for horizontal scaling across servers.
4. Cross-domain: JWTs facilitate cross-domain authentication, allowing secure sharing between different domains. This is particularly useful in microservices architectures where various services need to authenticate users or APIs.
5. Interoperability: JWTs are standardised and widely supported across various programming languages and platforms. It makes them easy to integrate into different applications and services.

Security Considerations

While JWTs provide a practical and efficient method for authentication and authorization, several security aspects must be considered:

1. Secret Management: When a JWT is signed with a secret key (HMAC), the security of the token greatly depends on the secrecy of this key. It should be long, randomly generated, and securely stored. If an attacker accesses the secret key, they can create valid tokens.
2. Expiration Time: JWTs should always include an expiration time (exp claim) to limit their validity duration. Without this, a token could be reused indefinitely, posing a security risk if compromised.
3. Revocation: Once issued, JWTs are difficult to revoke due to their stateless nature. This complicates invalidating a token if a user logs out or an account is compromised. To mitigate this, short expiration times combined with a refresh token strategy are often employed.
4. Algorithm Flexibility: The ability of JWTs to use various signing algorithms can be both beneficial and risky. It’s essential to enforce secure algorithms like RS256 or HS256 and avoid weaker options that could introduce vulnerabilities.
5. Audience Validation: Ensure that the JWT is intended for your server by validating the aud (audience) claim. This prevents tokens meant for other applications from being accepted by your application. By confirming the audience, you can enhance security and ensure that the token is used only in the context for which it was issued.

Use Cases for JWTs

JWTs are versatile and applicable in various scenarios, particularly in modern web development:

1. Authentication: JWTs are frequently used for authentication, where user credentials are verified, and a JWT is issued to confirm their identity in future interactions with the server.
2. Authorization: JWTs also play a crucial role in authorization, containing information about the user’s permissions and roles. This allows the server to determine what actions the user is permitted to perform.
3. Single Sign-On (SSO): In Single Sign-On systems, JWTs enable users to authenticate across multiple applications or domains with a single set of credentials. Thus helps improving both user experience and security.
4. API Gateway: In microservices architectures, JWTs are often utilized alongside an API gateway to secure communication between various services. It helps ensuring that only authenticated and authorized requests are processed.
5. Secure Data Transmission: JWTs can be employed to securely transmit data between parties, ensuring that the data remains untampered during transit.

Conclusion

JSON Web Tokens (JWTs) have established themselves as a fundamental component of modern web application security. They provide a compact, self-contained, and stateless mechanism for securely transmitting information between parties. Their flexibility, efficiency, and ease of integration make them an ideal choice for a broad array of applications, from user authentication to API security.

However, while JWTs offer numerous advantages, careful implementation is essential. Developers must remain mindful of various security considerations, including secret management, token expiration, and audience validation. By adhering to best practices in these areas, developers can effectively leverage JWTs to create secure, scalable, and efficient web applications.

In an increasingly interconnected world, understanding and utilizing JWTs can empower developers to build robust systems. This would safeguard user data and enhance the overall security of web applications. As technology continues to evolve, JWTs will likely remain a vital tool in the toolkit of web developers and security professionals alike.

If you would like to read about everything about cookie bomb vulnerability & how you can avoid that, read this article.