Audio Cast:

Takeaway Points:

• JWT stands for JSON (JavaScript Object Notion) Web Token - pronounced “jot”

• A JSON encoded structure used for handling identity claims between two parties

• The idea was to create a standard and compact way of transferring information between two parties

• The JSON object (known as a Claims Set) is then typically signed (or sometimes encrypted)

• This signing process provides some origin authentication as well as tamper resistance - as changes to the JSON are identified by the signature in turn not matching

• The JWT has three parts - a header, body and signature

• The JWT header provides information about the signing algorithm - whether that uses a shared secret for example or asymmetric

• The body (Claims Set) contains the attribute value pairs relating to identity data

• The footer contains the signature

• Each part is what is known as Base64URL encoded - this makes it easier to transport - and creates a string of characters that start with “ey..”

• These three chunks are joined together via a “.” dot.

• The final result will be something like look like:

eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk

• Some common claims include:

  • iss (issuer)

  • sub (subject)

  • aud (audience)

  • exp (expiration)

  • iat (issued at)

  • nbf (not before)

Useful Links

• JWT.io debugger and viewing tool

• IETF RFC 7519