Understanding JSON Web Tokens (JWT) in Web Development
JSON Web Tokens (JWT) are a simple and commonly used type of token that is self-contained, meaning the data is stored within the token itself. They consist of three parts: Header, Payload, and Signature. JWTs are signed by the server using a secret key, allowing clients to read the data without being able to modify it. This technology provides a secure way to transmit information between parties in a web application. Claim names play a vital role in organizing and identifying the data within JWTs.
Presentation Transcript
JSON WEB TOKENS
Peter Larsson-Green, Jönköping University, Autumn 2018
JSON WEB TOKENS
A simple and commonly used type of token.
Specification: https://tools.ietf.org/html/rfc7519
Abbreviated JWT (pronounced "jot").
Is self-contained: the data is stored in the token itself (nothing is stored on the server).
The client can read the data, but not change it: the server "signs" the data by hashing it together with a secret, and the hash is part of the token.
The data is stored in JSON format.
JSON WEB TOKENS
Consists of three parts: Header, Payload, Signature.

Header (base64UrlEncoded):
{
  "alg": "HS256",
  "typ": "JWT"
}

Payload (base64UrlEncoded):
{
  "exp": 1472840818,
  "name": "Betty",
  "admin": true
}

Signature (the algorithm is the same as "alg" in the header!):
HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  "server-secret"
)

Resulting token: aaaaaaaaaaaaaa.bbbbbbbbbbbbbbbb.ccccccccccccccc
EXAMPLE Playground: https://jwt.io
CLAIM NAMES
The payload/data in the token consists of claims (key-value pairs).
Some Registered Claim Names:
iss - Issuer, identifies the party that created the token.
sub - Subject, identifies the user the token was created for.
aud - Audience, identifies the client the token is intended for.
iat - Issued At, timestamp for when the token was created.
exp - Expiration time, timestamp for when the token expires.
Public Claim Names: add them to the IANA JSON Web Token Registry, or use a URI as the name (your own domain).
Private Claim Names: use any name you want (can collide with names others use).