JWT - Technological watch

Learn what a JSON Web Token is in less than 5 minutes!
Friday, August 4, 2023

Introduction

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.

https://jwt.io/introduction

JWTs are widely used for authentication and information exchange in web applications.

Authentication with session token

In the traditional session token approach, when a user logs in, the server generates a unique session identifier, which is stored either in memory or in a database. This identifier is then sent to the client, usually as a cookie. On subsequent requests, the client sends this token back to the server, allowing the server to look up and validate the user's session.


One session token can look like:

Session Token: 5e55a5455bec31b1c3a4e8fe2997419e

Note: a session token is a unique identifier sent to the user after successful authentication. It allows the user to access their session, with all session data stored server-side.

Session tokens work reasonably well for simple applications, but they have one significant cost: every request requires a lookup. The server must find the session identifier in its store to check that the session is still valid and to retrieve the associated user information. As traffic grows, that store (typically a database) can become a bottleneck, leading to performance and scalability problems.

Let’s use JWT

JSON Web Tokens (JWTs) offer an alternative to session tokens that removes this lookup. How do they work? The server issues a JWT to the client that carries the data itself, such as the user's identifier, name and application permissions. To make sure the client cannot modify that data, the server signs the token: the signature lets it detect any change to the content.


Note: unlike session tokens, which keep the data server-side, JWTs carry the data client-side. That data is only Base64url-encoded, not encrypted, so anyone who holds the token can read it. What protects it is the signature: the server recomputes a MAC (or signature) over the header and payload with its key and rejects the token if the result does not match the signature the token carries.

This means the server doesn’t need to query the database to find user information. It only needs to verify that the JWT is valid and hasn’t been tampered with.

You can experiment with JWTs at https://jwt.io/.

Structure of a JWT

A JWT can look like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFsZXgiLCJwZXJtaXNzaW9ucyI6WyJkZXZlbG9wZXIiXSwiaWF0IjoxMjM0NTY3ODkwfQ.Kr-Afzzs-u8cbrmSixS__6O85AeQeflMWJPC6rUyEDU

This token splits into three parts separated by a dot (.).

The header

The first part of a JWT can look like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
// Base64url decoded
{
"alg": "HS256",
"typ": "JWT"
}

This part describes the token: "typ" says it is a JWT and "alg" names the algorithm used for the signature, here HMAC with SHA-256. A server must treat this header as untrusted input until the signature has been verified: it should compare the algorithm to the one it expects rather than let the token choose it.

The content

eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFsZXgiLCJwZXJtaXNzaW9ucyI6WyJkZXZlbG9wZXIiXSwiaWF0IjoxMjM0NTY3ODkwfQ
// Base64url decoded
{
"sub": "1234567890",
"name": "Alex",
"permissions": ["developer"],
"iat": 1234567890
}

This second part, the payload, carries the claims: the data the token transports. It is encoded for transport, not encrypted.

Note: some claim names are standardised. RFC 7519 registers the following (dates are expressed as seconds since the Unix epoch):

  • iss: Token creator (issuer)
  • sub: Token subject (subject)
  • aud: Token audience, the service(s) the token is intended for
  • exp: Token expiration time, after which the token must be rejected
  • nbf: Token not-before time, before which the token must be rejected
  • iat: Token issued-at time
  • jti: Unique identifier of the token (JWT ID), useful for revocation

The signature

Kr-Afzzs-u8cbrmSixS__6O85AeQeflMWJPC6rUyEDU

This last part is what guarantees the JWT has not been modified. For HS256 it is computed as:

base64UrlEncode(
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
super_secret_key
)
)

To validate a token, the server recomputes this value with its own copy of super_secret_key and compares it with the third part of the token. If they differ, the token is rejected: it was either forged or altered after being issued. The computation covers both the header and the payload, so a change to either one invalidates the signature.

It is essential that super_secret_key is never disclosed to clients: with HS256 the same key both creates and verifies signatures, so anyone who knows it can mint tokens with any claims they like, including permissions they do not have.
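The walkthrough above (header, payload, signature, and the check the server performs) as working code. This is an added example written for this page, not code from the original post or from jwt.io; it uses only the Python standard library. The key is a constructed placeholder, and the `forge_payload` / `forge_alg_none` helpers exist only to show what a client can attempt and why verification rejects it. With the same claim order as the page's example, `mint` reproduces the header and payload segments shown above exactly; only the signature differs, because the page's key is unknown.

```python
import base64
import hashlib
import hmac
import json

# Constructed example key: an assumption for this demo, not a real secret.
# A production key should be at least 32 random bytes (e.g. secrets.token_bytes(32)).
SUPER_SECRET_KEY = b"example-key-for-the-walkthrough-only"

# The server decides the algorithm; it is never read from the token.
ALLOWED_ALG = "HS256"


def b64url_encode(raw: bytes) -> str:
    # JWT uses base64url with the '=' padding removed (RFC 7515, section 2)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # restore the padding stripped at encoding time before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compact_json(obj: dict) -> str:
    # no spaces: the same serialisation jwt.io shows for header and payload
    return json.dumps(obj, separators=(",", ":"))


def sign(signing_input: str, key: bytes) -> str:
    # third segment = base64url(HMAC-SHA256(key, base64url(header) + "." + base64url(payload)))
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return b64url_encode(mac)


def mint(claims: dict, key: bytes) -> str:
    header = {"alg": ALLOWED_ALG, "typ": "JWT"}
    signing_input = (b64url_encode(compact_json(header).encode()) + "."
                     + b64url_encode(compact_json(claims).encode()))
    return signing_input + "." + sign(signing_input, key)


def decode_unverified(token: str) -> dict:
    """Read the payload WITHOUT checking the signature: anyone holding the token can do this."""
    _head, body, _sig = token.split(".")
    return json.loads(b64url_decode(body))


def verify(token: str, key: bytes) -> dict:
    """Return the claims if the signature over header.payload is valid, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three dot-separated segments")
    head, body, sig = parts
    header = json.loads(b64url_decode(head))
    # The header is attacker-controlled until the signature is checked, so pin
    # the algorithm server-side instead of trusting "alg" (this also rejects "none").
    if header.get("alg") != ALLOWED_ALG:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = sign(head + "." + body, key)
    # constant-time comparison: a plain == would leak how many bytes matched
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        raise ValueError("bad signature: token was forged or altered")
    return json.loads(b64url_decode(body))


def is_valid(token: str, key: bytes) -> bool:
    try:
        verify(token, key)
        return True
    except ValueError:
        return False


def forge_payload(token: str, claims: dict) -> str:
    """What a client can do: swap the payload and keep the original signature."""
    head, _body, sig = token.split(".")
    return head + "." + b64url_encode(compact_json(claims).encode()) + "." + sig


def forge_alg_none(token: str) -> str:
    """Another client-side trick: declare no algorithm and drop the signature."""
    _head, body, _sig = token.split(".")
    head = b64url_encode(compact_json({"alg": "none", "typ": "JWT"}).encode())
    return head + "." + body + "."


if __name__ == "__main__":
    claims = {"sub": "1234567890", "name": "Alex", "permissions": ["developer"], "iat": 1234567890}
    token = mint(claims, SUPER_SECRET_KEY)
    print("token:", token)
    print("verified claims:", verify(token, SUPER_SECRET_KEY))

    # The payload is only encoded, not encrypted: it is readable without the key.
    print("payload without the key:", decode_unverified(token))

    # A client promotes itself to admin: the payload decodes fine, the MAC no longer matches.
    forged = forge_payload(token, {**claims, "permissions": ["admin"]})
    print("forged payload decodes to:", decode_unverified(forged))
    print("forged accepted?", is_valid(forged, SUPER_SECRET_KEY))
    print("alg=none accepted?", is_valid(forge_alg_none(token), SUPER_SECRET_KEY))
```

Two design points matter here. The algorithm is pinned in `verify` rather than read from the header, so a token that claims `"alg": "none"` is refused before any signature logic runs; and the comparison uses `hmac.compare_digest`, so a byte-by-byte early exit cannot leak information about the expected value.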

Pros

  1. Reduced database queries: Without the reliance on database queries for each request, JWTs reduce the server’s processing overhead and improve response times, enhancing overall system performance.

  2. Statelessness: JWTs are self-contained, meaning all necessary information is within the token itself. This eliminates the need for server-side storage or database lookups, making JWTs inherently stateless and highly scalable.

  3. Interoperability: JWTs are language and platform-agnostic, allowing them to be easily used across different services, APIs, and microservices. (https://jwt.io/libraries)

Cons

  1. Token Size: While JWTs are efficient, the inclusion of user information directly within the token can lead to larger token sizes compared to session tokens, especially when carrying extensive claims.

  2. Security Concerns: the signing key is the whole security of the scheme. Whoever obtains it can forge tokens with arbitrary claims and impersonate any user, so the key must be generated with enough entropy, stored securely and replaced if it is ever exposed.

  3. Limited Control Over Tokens: unlike session tokens, which the server can delete at will, a JWT stays valid until its exp claim passes. Revoking it earlier (for example on logout or password change) requires additional techniques such as a denylist of token identifiers, which reintroduces a server-side lookup on every request.
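A signature check alone, as shown in the structure section, only proves who minted a token. Whether the server should still honour it is decided by the registered claims listed earlier (iss, aud, exp, nbf, jti) and, for early revocation, by a denylist like the one this last point mentions. The following is an added example for this page, not code from the original post: a claims validator that takes an already signature-verified payload, plus a small jti denylist whose entries are dropped once the token would have expired anyway. The issuer and audience strings, timestamps and jti values are constructed for the demo.

```python
from typing import List, Optional


class Denylist:
    """Revoked token IDs (jti). Entries are kept only until the token would have
    expired anyway, so the set stays small when tokens are short-lived."""

    def __init__(self) -> None:
        self._exp_by_jti: dict = {}

    def revoke(self, jti: str, exp: int) -> None:
        self._exp_by_jti[jti] = exp

    def purge(self, now: int) -> None:
        # drop entries whose token is already expired: the exp check rejects those
        self._exp_by_jti = {j: e for j, e in self._exp_by_jti.items() if e > now}

    def __contains__(self, jti: object) -> bool:
        return jti in self._exp_by_jti

    def __len__(self) -> int:
        return len(self._exp_by_jti)


def validate_claims(claims: dict, *, now: int, issuer: str, audience: str,
                    leeway: int = 30, revoked: Optional[Denylist] = None) -> List[str]:
    """Return the reasons to reject an already signature-verified payload (empty = accept).

    Times are NumericDate values (seconds since the Unix epoch) as in RFC 7519;
    leeway absorbs clock skew between the issuer and this server.
    """
    problems: List[str] = []
    if claims.get("iss") != issuer:
        problems.append(f"unexpected issuer {claims.get('iss')!r}")
    # aud may be a single string or a list of strings (RFC 7519, section 4.1.3)
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if audience not in audiences:
        problems.append("token not intended for this audience")
    exp = claims.get("exp")
    if not isinstance(exp, int):
        problems.append("missing exp: token would never expire")
    elif now > exp + leeway:
        problems.append("token expired")
    nbf = claims.get("nbf")
    if isinstance(nbf, int) and now + leeway < nbf:
        problems.append("token not yet valid")
    jti = claims.get("jti")
    if revoked is not None and jti in revoked:
        problems.append("token revoked")
    return problems


if __name__ == "__main__":
    now = 1_700_000_000  # constructed "current time" for the demo
    claims = {"iss": "https://login.example", "sub": "1234567890", "aud": "api.example",
              "iat": now - 60, "exp": now + 600, "jti": "c1f0b5f0-0001"}
    policy = dict(issuer="https://login.example", audience="api.example")
    print("fresh token:", validate_claims(claims, now=now, **policy))
    print("20 minutes later:", validate_claims(claims, now=now + 1200, **policy))

    # Revocation before exp: the one case a purely stateless check cannot cover.
    revoked = Denylist()
    revoked.revoke(claims["jti"], claims["exp"])
    print("after logout:", validate_claims(claims, now=now, revoked=revoked, **policy))
    revoked.purge(now + 1200)
    print("entries left once the token expired:", len(revoked))
```

The denylist is the trade-off the third point describes: it is a server-side lookup again, but it only has to hold identifiers of tokens revoked before their exp, so keeping token lifetimes short keeps it small.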
