How a JWT works?

 

In previous blog, we have learnt What is JWT, Anatomy and its authentication flow. Refer here to

In this blog, we will see how a JWT works via an example. We will create JWT for a specific JSON payload and validate its signature.

Step-1

 Create a JSON:

JSON payload example:

{

    "userId": "abcd123",

    "expiry": 1646635611301

}

Step-2

 Create a JWT signing key and decide the signing algorithm:

We can generate a signing key using any secure random source.

• Signing key: 
• NTNv7j0TuYARvmNMmWXo6fKvM4o6nv/aUi9ryX38ZH+L1bkrnD1ObOQ8JAUmHCBq7Iy7otZcyAagBLHVKvvYaIpmMuxmARQ97jUVG16Jkpkp1wXOPsrF9zwew6TpczyHkHgX5EuLg2MeBuiT/qJACs1J0apruOOJCg/gOtkjB4c=
• Signing algorithm: HMAC + SHA256, also known as HS256.

Step-3

Creating the “Header”:

This contains the information about which signing algorithm is used

{

    "typ": "JWT",

    "alg": "HS256"

}

Step-4

Create a Signature:

• First, we remove all the spaces from the payload JSON : {"userId":"abcd123","expiry":1646635611301}

• and then base64 encode it to give us eyJ1c2VySWQiOiJhYmNkMTIzIiwiZXhwaXJ5IjoxNjQ2NjM1NjExMzAxfQ

• 
  
  
  

• You can try pasting this string in an https://www.base64decode.org/ to retrieve our JSON.

• Similarly, remove the spaces from the header JSON and base64 encode it

Header json: {"typ":"JWT","alg":"HS256"}

base64 encoded value: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9

Now  concatenate <header>.<payload>

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VySWQiOiJhYmNkMTIzIiwiZXhwaXJ5IjoxNjQ2NjM1NjExMzAxfQ

Get the Signature:

run the Base64 + HMACSHA256 function on the above concatenated string

Base64URLSafe(

    HMACSHA256("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VySWQiOiJhYmNkMTIzIiwiZXhwaXJ5IjoxNjQ2NjM1NjExMzAxfQ", "NTNv7j0TuYARvmNMmWXo6fKvM4o6nv/aUi9ryX38ZH+L1bkrnD1ObOQ8JAUmHCBq7Iy7otZcyAagBLHVKvvYaIpmMuxmARQ97jUVG16Jkpkp1wXOPsrF9zwew6TpczyHkHgX5EuLg2MeBuiT/qJACs1J0apruOOJCg/gOtkjB4c=")

)

Results in:

3Thp81rDFrKXr3WrY1MyMnNK8kKoZBX9lg-JwFznR-M

Java code:

Java HMAC SHA256

Dependent on Apache Commons Codec to encode in base64.

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Base64;

public class ApiSecurityExample {
  public static void main(String[] args) {
    try {
     String secret = "secret";
     String message = "Message";

     Mac sha256_HMAC = Mac.getInstance("HmacSHA256");
     SecretKeySpec secret_key = new SecretKeySpec(secret.getBytes(), "HmacSHA256");
     sha256_HMAC.init(secret_key);

     String hash = Base64.encodeBase64String(sha256_HMAC.doFinal(message.getBytes()));
     System.out.println(hash);
    }
    catch (Exception e){
     System.out.println("Error");
    }
   }
}

Create JWT:


Append the generated signature like <header>.<body>.<signature>

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ1c2VySWQiOiJhYmNkMTIzIiwiZXhwaXJ5IjoxNjQ2NjM1NjExMzAxfQ.3Thp81rDFrKXr3WrY1MyMnNK8kKoZBX9lg-JwFznR-M

Verify JWT:

The authentication server will send the JWT back to the client’s frontend. 

The frontend will attach the JWT to network requests to the client’s api layer. 

At api layer, below steps are followed:

• Fetches the header part of the JWT (eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9).

base64 decoding on it to get the plain text JSON: {"typ":"JWT","alg":"HS256"}

• Verifies that the typ field’s value is JWT and the alg is HS256. It would reject the JWT if fails to verify.

Fetches signing secret key and runs the same Base64URLSafe(HMACSHA256(...))

If the incoming JWT’s body is different, this step will generate a different signature.

• Checks that the generated signature is the same as the signature from the incoming JWT. If it’s not, then the JWT is rejected.

base64 decode the body of the JWT (eyJ1c2VySWQiOiJhYmNkMTIzIiwiZXhwaXJ5IjoxNjQ2NjM1NjExMzAxfQ) to give us {"userId":"abcd123","expiry":1646635611301}.

If the current time (in milliseconds) is greater than the JSON’s expiry time (since the JWT is expired), JWT is rejected.

Accept the JWT if it approves all above steps.

Pros & Cons of JWT:

Advantages:

• Secure: JWTs are digitally signed using either a secret (HMAC) or a public/private key pair (RSA or ECDSA) which safeguards them from being modified by the client or an attacker.

Efficient / Stateless: It’s quick to verify a JWT since it doesn’t require a database lookup. 

• Stored only on the client: You generate JWTs on the server and send them to the client. The client then submits the JWT with every request. This saves database space.

Drawbacks:

Dependent on one secret key: The creation of a JWT depends on one secret key. If that key is compromised, the attacker can fabricate their own JWT which the API layer will accept.

Happy Coding!

What is JSON Web Tokens (JWT) and how to use?

 

Introduction:

Web authentication relied on cookies or sessions to authenticate users to web applications. These methods were good but had some drawbacks :

• Scalability, 
• Storage limitations, 
• Difficulty in integrating with third-party services

JWT solved these issues by providing a simple, secure, and flexible way to authenticate users in web applications. Lets discuss first what is JWT?

As per https://jwt.io/

"JSON Web Tokens(JWT) are an open, industry standard RFC 7519 method for representing claims securely between two parties."

It is self-contained method for securely transmitting information between parties as a JSON object. JWTs are a good way of securely transmitting information between parties because they can be signed, which means you can be certain that the senders are who they say they are.

Anatomy of a JWT:

A JSON Web Token is essentially a long encoded text string. This string is composed of three smaller parts, separated by a dot sign. These parts are:

• Header
• Payload/Body
• Signature

Anatomy of JWT

Header:

The header contains metadata about the token. It has 2 parts:

type- JWT  

algo-  cryptographic algorithm used to sign it.

{ "alg": "HS256", "typ": "JWT" }

Encoing format: encoded in Base64Url format.

Payload:

The payload contains the claims or information about the user. Claims are statements about an entity (typically, the user) and additional data.

{

  "sub": "1234567890",

  "name": "John Doe",

  "iat": 1516239022

}

Encoing format: encoded in Base64Url format.

Signature:

The signature is used to verify the integrity of the message and to ensure that it has not been tampered with. The signature is created by encoding the header and payload, concatenating them with a dot, and then signing the resulting string with a secret key using a cryptographic algorithm such as HMAC or RSA.

JWT Structure

JWT: <header>.<body>.<signature>

JWT claim Convention:

You may have noticed that in the JWT (that is issued by Google) example above, the JSON payload has non-obvious field names. They use sub, iat, aud and so on:

• iss: The issuer of the token (in this case Google)
• azp and aud: Client IDs issued by Google for your application. This way, Google knows which website is trying to use its sign in service, and the website knows that the JWT was issued specifically for them.
• sub: The end user’s Google user ID
• at_hash: The hash of the access token. The OAuth access token is different from the JWT in the sense that it’s an opaque token. The access token’s purpose is so that the client application can query Google to ask for more information about the signed in user.
• email: The end user’s email ID
• email_verified: Whether or not the user has verified their email.
• iat: The time (in milliseconds since epoch) the JWT was created
• exp: The time (in milliseconds since epoch) the JWT was created
• nonce: Can be used by the client application to prevent replay attacks.
• hd: The hosted G Suite domain of the user

JWT Authentication Flow:

JWT Authentication Flow

Why we need JWT?

• Secure: JWT is cryptographically signed, making it difficult to tamper with the token.
• Stateless: JWT is stateless, meaning the server does not need to keep track of the user’s session. This makes it more scalable and less storage-intensive.
• Third-party Integration: JWT can be easily integrated with third-party services like OAuth and OpenID Connect.
• Cross-Domain: JWT can be used for cross-domain authentication because it can be sent as a HTTP Authorization header.

How do they work (using an example) ? Refer here

Happy coding!