What is JWT? How is it secure?

Pavithran
3 min read · Sep 30, 2021

So, I'm back after a long gap from blogging. I got bored with the routine things and decided to take a break.

What is JWT?

Back to the title: what is JWT? JWT is the abbreviated form of JSON Web Token. The JSON in the name means that the data carried by the token is in JSON format. JSON is one of the popular ways of transferring data over the internet as text.

The structure of a JWT comprises three parts, separated by dots:

  1. Header
  2. Payload
  3. Signature

Header:

The header is a JSON object that basically consists of two fields: the type of token and the signing (hashing) algorithm used.

Payload:

The payload contains the data that is to be transferred over the internet, also in JSON format.

Signature:

The signature is computed from the two parts above. The header and the payload are each base64url-encoded and joined with a dot, and that string is fed through the algorithm named in the header together with a secret key. For HS256 the process looks like this:

HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

Scenario:

One fine day, I was about to create a mobile application, and that mobile app depended on a backend server which I wished to create using Django because of its security features and robustness. While going through the authorization process I surfed the internet and came across the concept of JWT.

Later on, after learning some of the features and functionality of JWT, I saw the website jwt.io, where there is a demo encoded JWT, which is here:

jwt.io

So, I thought I'd decode this JWT on some other websites. I was shocked: many websites said it's secure, so how come it could be decoded on some other website while it was still "encoded" by jwt.io? I was like WTF bro!

Whoever holds the token can view the data it carries simply by decoding it. Let me give you a token so you can try it yourself.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJibG9nX3RpdGxlIjoiV2hhdCBpcyBKV1Q_IiwiY29udGVudCI6InRlc3QgcHVycG9zZSIsImlhdCI6MTUxNjIzOTAyMn0.QIgAeESZjerCyRjPS24M6dCup02d1VTcqzIS_0ND2Ks

Just paste this token into jwt.io. You can see the blog title and the content "test purpose" in JSON format in the payload part. Now you can also be like WTF bro!

But still, it is a secure method of transferring data over the internet. I can hear you…

Why is it secure?

Let me explain. JWT is one of the secure methods because of its most vital part, the signature, where your header and payload are encoded and then hashed with the secret key. The key 🔑 can be a symmetric secret or a public/private key pair; that is, you can also sign the token with a private key and verify it with the matching public key.

Since the payload can be decoded by whoever holds the token, you can't use it to exchange potentially sensitive information. The main uses of the token are authorization and information exchange, and the authenticity of the data exchanged can be verified through the signature.

In this scenario, assume we used a symmetric key to sign the token. The server exchanges some information with the user/client, and the client or user can verify the token's authenticity by verifying the signature that was used to sign it.

To verify the token's authenticity yourself, click this link or just copy and paste the token below into a JWT decoder:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJibG9nX3RpdGxlIjoiV2hhdCBpcyBKV1Q_IiwiY29udGVudCI6InRlc3QgcHVycG9zZSIsImlhdCI6MTUxNjIzOTAyMn0.ER18gaZjZBIgUAQmShtrC20Xsavdz8A-LOMpys9FK1c

When you paste this token, or if you visit the website, it will probably say that the signature is not verified. This means the signature couldn't be checked, so your client or server should ignore the request: the token can't be verified, or in other words, it's not from the right place.

Now we're going to verify the token's authenticity. The key is:

(H+MbQeThWmZq4t7w!z%C&F)J@NcRfUj

Paste this in place of the secret key and the website should say that the signature is verified. This is how we verify the authenticity of the data, and thereby defeat data tampering. Nowadays there are many packages that do this work for you, in Python 🐍, Flutter, Java, etc.
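To show what the decoder website is doing behind the scenes, here is an added Python example (not code from the post or from jwt.io) that implements the HMACSHA256 formula above with only the standard library. It reads the payload of the post's tokens without any key, just as a decoder site does, and then verifies the HS256 signature with the key quoted in the post. Note that with a symmetric key, anyone who can verify can also sign, so in practice the server keeps the secret and does the verifying.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Secret quoted in the post, and the two tokens from the post
# (same header and payload, different signatures).
SECRET = b"(H+MbQeThWmZq4t7w!z%C&F)J@NcRfUj"
TOKEN_A = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJibG9nX3RpdGxlIjoiV2hhdCBpcyBKV1Q_IiwiY29udGVudCI6InRlc3QgcHVycG9zZSIsImlhdCI6MTUxNjIzOTAyMn0.QIgAeESZjerCyRjPS24M6dCup02d1VTcqzIS_0ND2Ks"
TOKEN_B = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJibG9nX3RpdGxlIjoiV2hhdCBpcyBKV1Q_IiwiY29udGVudCI6InRlc3QgcHVycG9zZSIsImlhdCI6MTUxNjIzOTAyMn0.ER18gaZjZBIgUAQmShtrC20Xsavdz8A-LOMpys9FK1c"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(payload: dict, secret: bytes) -> str:
    """HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)."""
    def compact(obj: dict) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact({"alg": "HS256", "typ": "JWT"}) + "." + compact(payload)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def decode_payload_unverified(token: str) -> dict:
    """What any JWT decoder site does: read the payload without checking the signature."""
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the payload only if the HS256 signature is valid for `secret`, else None."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        # Pin the algorithm: the verifier, not the token, decides which one is used.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):  # constant-time compare
            return None
        return json.loads(b64url_decode(body))
    except ValueError:  # bad base64, bad JSON, or wrong number of parts
        return None

if __name__ == "__main__":
    print("payload readable by anyone:", decode_payload_unverified(TOKEN_A))
    for name, tok in (("token A", TOKEN_A), ("token B", TOKEN_B)):
        print(name, "verifies with the post's key:", verify_hs256(tok, SECRET) is not None)
```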

That's it for the JWT process. For the deeper concepts you can visit auth0 or JWT's official page.


Pavithran

Machine learning enthusiast, App developer, web app developer.