5/25/19

JSON Web Token

Oscar Garcia @ozkary 5/25/2019 json , jwt , security , web No comments

A JSON Web Token (JWT) is commonly used to package information that grants users with claims to a system. This includes user information and permissions to a resource. The token is often exchange between the server and client view header information.

JSON Web Token Format:

A JWT token consists of three main segments

Header
Payload with claims
Signature

These three segments are encoded using Base64, then concatenated with periods as separators.
The header segment provides information on the token type and algorithm
The payload segment contains an expiration date and the claims associated to the user

The claims provide information about the user and permissions

The signature is used to verify the token
The token is NOT encrypted so anyone with it can read all the properties
The token is signed by the server so if any of the values are changed, the server will reject it

Decoding a Token:

The image below shows a token with the base64 string on the left, and the the three decoded segments on the right.

What is a Claim?

Claims are statements about a subject

User information like name, email, address
Organization departments, groups
Roles or permissions to areas of a system
Contain claims groups for an application to enable button, menus, routes

Claims are issued by a provider (Security Token Service - STS)

Packaged in a security token
Applications use this token and parse the claims

Claims are mapped to areas of the application to enable the permissions

Authorization Header

The token is exchanged between the server and client as an authorization header. The server sends the base64 string. The client needs to process this information, and when the client application needs to send a request to the server, it must add the Authorization Bearer header as shown below. This is what enables the access to the application.

This is just an overview of what a security token is and its purpose. There are other areas to learn about how to decode and apply those claims to secure the different areas of an application.

Thanks for reading.

Originally published by ozkary.com

Oscar Garcia @ozkary

Oscar Garcia is a Principal Software Architect and VP of product development. He is a Microsoft MVP and certified solutions' developer with many years of experience building software solutions. He specializes in building cloud solutions using technologies like GCP, AWS, Azure, ASP.NET, NodeJS, Angular, React, SharePoint, Microsoft 365, Firebase as well as BI projects for data visualization using tools like Tableau and PowerBI, Spark. You can follow Oscar on Twitter @ozkary or his blog at ozkary.com VP of Product Development 5 consecutive Microsoft Most Valuable Professional (MVP).

Ozkary - Emerging Technologies

I am Oscar Garcia, Ozkary^TM. I author this site, speak at conferences and events, contribute to OSS, mentor people. I use this blog to post ideas and experiences about software development, with the goal to both learn from and help the technology communities around the world.

5/25/19