
JSON Web Token Authentication


JSON Web Token

JWT (JSON Web Token) is the more secure option among token-based authentication methods, compared with its predecessors such as Simple Web Tokens (SWT) and Security Assertion Markup Language (SAML) tokens. JSON is less verbose than XML, and the encoded form is smaller, which makes a JWT compact compared to the others. It provides integrity and is URL safe. It is a standard for creating tokens that applications use to uniquely identify and authenticate users.

JWS (JSON Web Signature) and JWE (JSON Web Encryption) are two different types (instances) of JWT when they follow the JWS or JWE Compact Serialization method. The claims of a JWT are serialized using either JWS or JWE.

How Authentication Works using JWT

When the user enters their credentials and tries to log in, a call is made to the AUTH server, which generates a token from the secret key and the user information and returns the token to the user. On all subsequent requests, the user passes the token in a header or a cookie. The receiver, which holds the same secret key, decodes it. After comparison against the database and successful authentication, the requested data is returned to the user.

JSON Web Token (JWT)

JWT tokens are used to uniquely identify and authenticate the user when they interact with the server through APIs. A JWT is a JSON object with 3 parts separated by the '.' operator. All three parts are base64 encoded.

  • Header – Details of the algorithm used for hashing the signature and the type of token.
  • Payload – User-related data (i.e., user id, name, email, etc.).
  • Signature – 'base64 encoded(header).base64 encoded(payload)' hashed with a secret key using the algorithm named in the header. It is very difficult to crack.

So, the token structure will be:

base64 encoded(header) '.' base64 encoded(payload) '.' base64 encoded(signature)

JSON Web Signature (JWS) Token

This is the signed JWT token that follows the JWS Compact Serialization method. It is secured with a digital signature or Message Authentication Code (MAC) using JSON data structures and base64 encoding. There are two ways to implement JWS.

  • JWS Compact Serialization – Represents digitally signed content as a compact, URL-safe string. A payload carries only a single signature.
  • JWS JSON Serialization – Represents digitally signed content as a JSON object. It is neither optimized nor URL safe. It can carry multiple JOSE (JSON Object Signing and Encryption) headers and signatures in a single JSON payload.

JWS Compact Serialization is more secure than JWS JSON Serialization.

JWS Compact Serialization generates a token with 3 parts, each separated by the '.' operator.

  • JOSE Header – The union of the JWS Protected and Unprotected Headers. It is a JSON object giving the type of token and the algorithm used for hashing the signature.
  • JWS Payload – The signed user data. The value is base64 URL encoded (JWS Payload).
  • JWS Signature – base64 URL encoded (UTF8(JOSE Header)) '.' base64 URL encoded (JWS Payload), hashed with a secret key using the algorithm named in the header.

So, the token structure will be:

base64 URL encoded (UTF8(JOSE Header)) '.' base64 URL encoded (JWS Payload) '.' base64 URL encoded (JWS Signature)
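The three-part structure above (and the generic JWT structure in the previous section) as working code. This is an added example written for this article, not RapidValue's code; it assumes HS256 (HMAC-SHA256 with a shared secret) and uses only Go's standard library.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding // base64url without padding, as JWS Compact Serialization requires

// SignHS256 produces the three-part token described above:
// base64url(header) "." base64url(payload) "." base64url(HMAC-SHA256(key, first two parts)).
func SignHS256(payload, key []byte) string {
	header := []byte(`{"alg":"HS256","typ":"JWT"}`)
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil))
}

// VerifyHS256 recomputes the MAC over the first two segments and compares it in
// constant time; the decoded payload is returned only when the signature holds.
func VerifyHS256(token string, key []byte) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("JWS compact token must have 3 segments")
	}
	// The header is only base64url-encoded (not encrypted), so anyone can read it; pin the
	// expected alg here so a token naming a different algorithm is rejected before MAC checking.
	header, err := b64.DecodeString(parts[0])
	var hdr struct{ Alg string `json:"alg"` }
	if err != nil || json.Unmarshal(header, &hdr) != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unreadable header or alg is not HS256")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(mac.Sum(nil), sig) {
		return nil, errors.New("signature verification failed: header or payload altered, or wrong key")
	}
	return b64.DecodeString(parts[1]) // readable by anyone; only its integrity was checked
}
```

The test below shows both sides of the Key Features list later on: the payload decodes without the key, but any change to it makes verification fail.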

JSON Web Encryption (JWE) Token

This is the encrypted JWT token that follows the JWE Compact Serialization method; it hides and protects the data from other parties, making the token secure. There are two ways to implement JWE.

  • JWE Compact Serialization – Provides an optimized, URL-safe serialization.
  • JWE JSON Serialization – Provides the token in JSON format and can address multiple recipients in the same JSON payload, which makes it unsafe.

JWE Compact Serialization is more secure than JWE JSON Serialization.

JWE Compact Serialization generates a token with 5 parts, each separated by the '.' operator.

  • JWE Protected Header – It mainly consists of 4 fields, namely:
      • alg – The algorithm used to encrypt the Content Encryption Key (CEK).
      • enc – The encryption algorithm used to encrypt the payload/claims.
      • kid – A reference to the public key used to encrypt the data.
      • typ – The type of token.
  • JWE Encrypted Key – A symmetric key, also known as the Content Encryption Key (CEK), used to encrypt the claims data. It is itself encrypted with the public key (kid) using the algorithm named in the header (alg). This process is known as key wrapping.
  • JWE Initialization Vector – Used while encrypting the data; it is an optional parameter.
  • JWE Cipher Text – A byte array containing the encrypted version of the data.
  • JWE Authentication Tag – Encryption also yields an authentication tag, which is checked during decryption to ensure integrity.

So, the token structure will be:

base64 URL encoded (UTF8(JWE Protected Header)) '.' base64 URL encoded (JWE Encrypted Key) '.' base64 URL encoded (JWE Initialization Vector) '.' base64 URL encoded (JWE Ciphertext) '.' base64 URL encoded (JWE Authentication Tag)
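The five-part token above as working code, written for this article (not RapidValue's code). It assumes alg=RSA-OAEP-256 for key wrapping and enc=A256GCM for the claims, a recipient RSA key pair supplied by the caller, and omits the kid lookup; only Go's standard library is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding // base64url without padding, as JWE requires

// EncryptJWE builds the five-part JWE Compact Serialization described above:
// alg=RSA-OAEP-256 wraps a fresh CEK for the recipient's public key, enc=A256GCM encrypts the claims.
func EncryptJWE(pub *rsa.PublicKey, claims []byte) (string, error) {
	protected := b64.EncodeToString([]byte(`{"alg":"RSA-OAEP-256","enc":"A256GCM","typ":"JWT"}`))
	cek, iv := make([]byte, 32), make([]byte, 12) // random 256-bit CEK and 96-bit GCM nonce per token
	if _, err := rand.Read(cek); err != nil { return "", err }
	if _, err := rand.Read(iv); err != nil { return "", err }
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil) // key wrapping
	if err != nil { return "", err }
	block, _ := aes.NewCipher(cek) // cannot fail: cek is a valid AES-256 key
	gcm, _ := cipher.NewGCM(block)
	// RFC 7516 uses the base64url protected header as AAD, so header tampering also breaks the tag.
	sealed := gcm.Seal(nil, iv, claims, []byte(protected))
	ct, tag := sealed[:len(sealed)-gcm.Overhead()], sealed[len(sealed)-gcm.Overhead():]
	return strings.Join([]string{protected, b64.EncodeToString(wrapped), b64.EncodeToString(iv),
		b64.EncodeToString(ct), b64.EncodeToString(tag)}, "."), nil
}

// DecryptJWE unwraps the CEK and returns the claims only if GCM verifies the tag over header (AAD), IV and ciphertext.
func DecryptJWE(priv *rsa.PrivateKey, token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 5 { return nil, errors.New("JWE compact token must have 5 segments") }
	raw := make([][]byte, 5)
	for i, p := range parts {
		d, err := b64.DecodeString(p)
		if err != nil { return nil, err }
		raw[i] = d
	}
	cek, err := rsa.DecryptOAEP(sha256.New(), nil, priv, raw[1], nil)
	if err != nil { return nil, err }
	block, err := aes.NewCipher(cek) // rejects a CEK of the wrong length for A256GCM
	if err != nil { return nil, err }
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, raw[2], append(raw[3], raw[4]...), []byte(parts[0]))
}
```

Unlike the JWS case, the claims segment here is ciphertext, so it cannot be read from the token, and a flipped ciphertext byte is rejected by the tag check rather than decrypted to garbage.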

Key Features of JWS & JWE

  • The contents of a JWS are signed, whereas the contents of a JWE are encrypted.
  • JWS and JWE both offer integrity to the token.
  • An attacker can decode the sensitive data in a JWS token, whereas in a JWE the data cannot be decrypted.
  • An attacker cannot modify the data, as signature verification fails in both JWS and JWE.

Conclusion

This concludes the document on JWT, JWS and JWE tokens. A JWT is used to securely transmit user data, and JWS is mainly used when you need to maintain the integrity and authenticity of the claims data. JWS can be used where less sensitive data needs to be exchanged between client and server and the claims must not be tampered with. JWE is used for transferring highly sensitive data between client and server. As a JWS is only base64 encoded, it can be converted back into readable data, so it is not advised to use JWS for exchanging highly sensitive data.

By,
Suja B
Senior Software Engineer, RapidValue
