JWT - JSON Web Token

Lukas Gamper, uSystems GmbH

What is a JWT?

JSON Web Token (JWT) defines a compact and self-contained way for securely transmitting information between parties as a JSON object.

This information can be verified and trusted because it is digitally signed.

When using JWT's?

  • Authorization: Once the user is logged in, each subsequent request will include the JWT.

  • Information Exchange: JSON Web Tokens are a good way of securely transmitting information, because JWTs are signed

JWT's structure

  • Header
  • Payload
  • Signature
xxxxx.yyyyy.zzzzz

Header

  • the type of the token (always JWT)
  • signing algorithm being (here HMAC SHA256)
{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

Claim types:

  • registered: predefined claims, not mandatyor.
    E.g iss (issuer), exp (expiration time), sub (subject), aud(audience)
  • public: free, but should be registred in IANA JSON Web Token Registry
  • private: custom claims that are neither registered nor publicclaims.
{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true
}

Signature

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret)

Thanks

Made with Slides.com