JSON Web Token (JWT)
JSON Web Tokens (JWT)
JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties.
JWT are widely uses in Authentication and Information Exchange.
Authentication: Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token.
Information Exchange: Using JWT to securely transmitting information between parties, because JWT tokencan be signed. For example using a RSA public/private key pair, issue a siged JWT with private key, and verify the signed JWT with public key.
JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
JWTs consist of three parts separated by dots (.), which are:
Header
Payload
Signature
For example, a JWT will be looks like {header}.{payload}.{signature}
Header
The header consists of two parts:
hashing algorithm such as HMAC SHA256 or RSA.
token type
SHA256 Example
{
"alg": "HS256",
"typ": "JWT"
}RSA Example
{
"alg": "RS256",
"typ": "JWT"
}Payload
{
"sub": "1234567890",
"name": "John Doe",
"admin": true
}Standard Payload Claims
These are some Registered Claim Names of the JSON Web Token. These claims is not mandatory but useful at starting point:
iss: The issuer of the token
sub: The subject of the token
aud: The audience of the token
exp: JWT expiration time defined in Unix time
nbf: "Not before" time that identifies the time before which the JWT must not be accepted for processing
iat: “Issued at” time, in Unix time, at which the token was issued
jti: JWT ID claim provides a unique identifier for the JWT
Signature
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
secret)Security
It is critical to use TLS/SSL in conjunction with JWT, to prevent man-in-the-middle attacks. In most cases, this will be sufficient to encrypt the JWT payload if it contains sensitive information. You can also encryot the JWT playload using the JWE specification for addition layer of protection.
Generate RSA Public/Private Key Pair
Command to generate key pairs with ssh-keygen in Windows
# Generate a private key without passphrase prompted by setting -P ""
ssh-keygen -t rsa -P "" -b 2048 -m PEM -f jwtRS256.key
# Derive the public key from the private key
ssh-keygen -e -m PEM -f jwtRS256.key > jwtRS256.key.pub
# Rename keys
ren jwtRS256.key ecs-rs256-private.pem & ren jwtRS256.key.pub ecs-rs256-public.pemExample in c:\temp\ directory
C:\temp>ssh-keygen -t rsa -P "" -b 2048 -m PEM -f jwtRS256.key
Generating public/private rsa key pair.
Your identification has been saved in jwtRS256.key.
Your public key has been saved in jwtRS256.key.pub.
The key fingerprint is:
SHA256:rDyQnQKz0+lkXLz1I32Bn05AoLnVmKQ1Z7BAYiJtOlA user@localhost
The key's randomart image is:
+---[RSA 2048]----+
|.o o. *o+ |
|..oo o X . |
|.oo * + . |
|o * = B o o o |
| .o = S + |
| = + . = |
| . + . |
| . |
| |
+----[SHA256]-----+
C:\temp>ssh-keygen -e -m PEM -f jwtRS256.key > jwtRS256.key.pub
C:\temp>ren jwtRS256.key ecs-rs256-private.pem & ren jwtRS256.key.pub ecs-rs256-public.pem
C:\temp>dir
Directory of C:\temp
10/05/2019 02:37 PM 1,679 ecs-rs256-private.pem
10/05/2019 02:37 PM 434 ecs-rs256-public.pemGenerate public/private key pair with openssl
# generate private key
openssl genrsa -out private.pem 2048
# extatract public key from it
openssl rsa -in private.pem -pubout > public.pemReference
Last updated
Was this helpful?