Anatomy of a JWT

JWT (JSON Web Token) is an open standard (RFC 7519: https://tools.ietf.org/html/rfc7519) for representing a set of claims as a JSON object that can be exchanged between two parties and verified by the receiver. A JWT is compact, meaning that it is small in size. It consists of three parts: a header, a payload, and a signature. Each part is base64url-encoded, and the three encoded parts are concatenated with dots, as header.payload.signature, to form the token. Because tokens are small, they can be sent either as an HTTP POST parameter or in an HTTP header field. The small size also makes for faster communication.

Let's continue with the anatomy of a JWT by looking at each of its three parts in turn: header, payload, and signature. The header defines the token type and the algorithm used to compute the signature. Here is an example:

{
  "typ": "JWT",
  "alg": "HS256"
}

In the example, the type is defined as JWT and the signing algorithm is set to HMAC-SHA256 (HS256). It could alternatively be set to an RSA-based algorithm, where a public/private key pair is used to create and verify the signature. The payload is the actual content; it is usually a set of claims that carry the information being transmitted. Here is an example of a payload that contains a user identification value:

{
  "userId": "6562ce85-7fce-4f02-a68c-17f37609d2aa"
}

A standard set of JWT claims is defined by the specification; none of them is mandatory, but their names are registered (reserved), as follows:

  • aud: The audience of the token
  • exp: The expiration time of the token
  • iss: The issuer of the token
  • sub: The subject of the token
  • nbf: The time before which the JWT must not be accepted for processing
  • iat: The time at which the token was issued
  • jti: A unique identifier for the JWT, used to prevent replay attacks

The pseudocode snippet given here demonstrates how the signature is created: the header and payload are encoded first, and the encoded data is then hashed with the key:

data = base64urlEncode(header) + "." + base64urlEncode(payload)
signature = hmacSha256(data, "secret")

The hashing algorithm is keyed: the key, which is set to the string secret in our case, is used to compute the signature, so a party that does not hold the key cannot produce a valid signature.

It's important to understand that with a JWT the data is encoded and then signed, which lets the receiver verify the authenticity and integrity of the data. This does not keep the data confidential: the header and payload are only base64url-encoded, not encrypted, so anyone who obtains the token can read them.
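As an added, self-contained example (not code from the book), here are the signing and verification steps above implemented in Python with only the standard library, plus a decode of the payload without the key to show why signing is not encryption; the secret and the sample claims are constructed for illustration:

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

HEADER = {"typ": "JWT", "alg": "HS256"}

def b64url_encode(raw: bytes) -> str:
    # base64url with the '=' padding stripped, as the JWT spec requires
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # restore the padding that was stripped on encoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")

def sign_hs256(payload: dict, secret: bytes) -> str:
    # data = base64url(header) + "." + base64url(payload); signature = HMAC-SHA256(data, secret)
    data = b64url_encode(compact_json(HEADER)) + "." + b64url_encode(compact_json(payload))
    sig = hmac.new(secret, data.encode("ascii"), hashlib.sha256).digest()
    return data + "." + b64url_encode(sig)

def verify_hs256(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h64, p64, s64 = parts
    # Pin the algorithm: nothing in the header can be trusted before the signature is checked
    if json.loads(b64url_decode(h64)).get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):  # constant-time compare
        return None
    payload = json.loads(b64url_decode(p64))
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= payload["exp"]:  # expired
        return None
    if "nbf" in payload and now < payload["nbf"]:  # not yet valid
        return None
    return payload

def read_payload_unverified(token: str) -> dict:
    # Anyone holding the token can decode its payload: signing gives integrity, not secrecy
    return json.loads(b64url_decode(token.split(".")[1]))
```

A tampered payload, a wrong key, an expired token or one used before its nbf time all make verify_hs256 return None, while read_payload_unverified still decodes the claims of any token.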