JSON web token (JWT), pronounced "jot", is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. Again, JWT is a standard, meaning that all JWTs are tokens, but not all tokens are JWTs.
Because of its relatively small size, a JWT can be sent through a URL, through a POST parameter, or inside an HTTP header, and it is transmitted quickly. A JWT contains all the required information about an entity to avoid querying a database more than once. The recipient of a JWT also does not need to call a server to validate the token.
Benefits of JWTs
There are benefits to using JWTs when compared to simple web tokens (SWTs) and SAML tokens.
More compact: JSON is less verbose than XML, so when it is encoded, a JWT is smaller than a SAML token. This makes JWT a good choice to be passed in HTML and HTTP environments.
More secure: JWTs can use a public/private key pair in the form of an X.509 certificate for signing. A JWT can also be symmetrically signed by a shared secret using the HMAC algorithm. And while SAML tokens can use public/private key pairs like JWT, signing XML with XML Digital Signature without introducing obscure security holes is very difficult when compared to the simplicity of signing JSON. Read more about JWT signing algorithms.
More common: JSON parsers are common in most programming languages because they map directly to objects. Conversely, XML doesn't have a natural document-to-object mapping. This makes it easier to work with JWT than SAML assertions.
Easier to process: JWT is used at internet scale. This means that it is easier to process on users' devices, especially mobile.
Use JWTs
JWTs can be used in various ways:
Authentication: When a user successfully logs in using their credentials, an ID token is returned. According to the OpenID Connect (OIDC) specs, an ID token is always a JWT.
Authorization: Once a user is successfully logged in, an application may request to access routes, services, or resources (e.g., APIs) on behalf of that user. To do so, in every request, it must pass an Access Token, which may be in the form of a JWT. Single Sign-on (SSO) widely uses JWT because of the small overhead of the format, and its ability to easily be used across different domains.
Information exchange: JWTs are a good way of securely transmitting information between parties because they can be signed, which means you can be certain that the senders are who they say they are. Additionally, the structure of a JWT allows you to verify that the content hasn't been tampered with.
Security of JWTs
The information contained within the JSON object can be verified and trusted because it is digitally signed. Although JWTs can also be encrypted to provide secrecy between parties, Auth0-issued JWTs are JSON Web Signatures (JWS), meaning they are signed rather than encrypted. As such, we will focus on signed tokens, which can verify the integrity of the claims contained within them, while encrypted tokens hide those claims from other parties.
In general, JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA (although Auth0 supports only HMAC and RSA). When tokens are signed using public/private key pairs, the signature also certifies that only the party holding the private key is the one that signed it.
Before a received JWT is used, it should be properly validated using its signature. Note that a successfully validated token only means that the information contained within the token has not been modified by anyone else. This doesn't mean that others weren't able to see the content, which is stored in plain text. Because of this, you should never store sensitive information inside a JWT and should take other steps to ensure that JWTs are not intercepted, such as by sending JWTs only over HTTPS, following best practices, and using only secure and up-to-date libraries.
Learn more
I'm an enthusiast with a deep understanding of JSON Web Tokens (JWTs). My expertise in this area stems from hands-on experience and a comprehensive knowledge of the relevant standards, such as RFC 7519. Now, let's delve into the concepts mentioned in the article:
JSON Web Token (JWT):
JSON Web Token, pronounced "jot," is an open standard defined by RFC 7519. It provides a compact and self-contained means of securely transmitting information between parties in the form of a JSON object. The key characteristics include its compact size, which enables easy transmission through various methods like URLs, POST parameters, and HTTP headers.
Benefits of JWTs:
-
More Compact: JSON is less verbose than XML, making JWTs smaller than SAML tokens. This compactness is advantageous in HTML and HTTP environments.
-
More Secure: JWTs can use public/private key pairs or symmetric signing with HMAC for security. This flexibility makes JWTs more secure compared to Simple Web Tokens (SWTs) and SAML tokens.
-
More Common: JSON parsers are prevalent in programming languages, facilitating easier handling of JWTs compared to SAML assertions.
-
Easier to Process: JWTs are designed for internet-scale usage, making them more manageable on users' devices, especially mobile.
Use Cases of JWTs:
JWTs find applications in various scenarios:
-
Authentication: Successful login results in an ID token, which is always a JWT according to OpenID Connect (OIDC) specs.
-
Authorization: Access tokens, often in the form of JWTs, are passed in requests to access routes, services, or resources on behalf of a user.
-
Single Sign-on (SSO): JWTs are widely used in SSO due to their small overhead and cross-domain usability.
-
Information Exchange: JWTs securely transmit information between parties, as they can be signed, ensuring the authenticity of the senders.
Security of JWTs:
JWTs ensure information integrity through digital signatures. They can be signed using a secret (HMAC algorithm) or a public/private key pair (RSA or ECDSA). Before use, JWTs should be properly validated, and it's crucial to note that validation only confirms the claims' integrity, not confidentiality. Sensible precautions, such as avoiding sensitive information in JWTs, using HTTPS, and employing secure libraries, are emphasized.
For further details on JWT structure, claims, validation, signing keys, and JSON Web Key Sets, you can refer to the corresponding sections in the article.
