Skip to main content

JWT Authentication

One of the important concepts in web security is JWT (pronounced "jot"). As an API developer, test engineer or integration specialist, if you haven't heard about JWT, you are missing the most required knowledge. JWT is a proven mechanism for secure communication, authentication and authorization. In this article, we'll delve deep into JWT Tokens, unraveling their workings, benefits, and best practices to adopt.

What JWT Authentication?

By definition, JSON Web Token (JWT) is a URL-safe and compact means of representing claims to be transferred between two systems. This is an authentication method between two systems. The information transmitted can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

A JWT typically looks like the following.

[header].[payload].[signature]

Here, all the three components are Based64 encoded. Let's break down these below.

  • Header: This section identifies the token type (JWT) and the signing algorithm. If you decode this component, you will get {"alg":"HS256","typ":"JWT"}.
  • Payload: The payload contains the claims. Claims are statements about an entity (typically, the user) and additional data. In the above example, the decoded value of the middle component is {"id":123456789,"name":"Joseph"} and it represents the claim.
  • Signature: This is a claim, prevent tampering. It is built as a signature of header and payload. This component is a binary value when decoded.

Take an example of JWT token in use with HTTP request, how it is being sent in Authorization header:

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MTIzNDU2Nzg5LCJuYW1lIjoiSm9zZXBoIn0.OpOSSw7e485LOP5PrzScxHb7SR6sAOMRckfFwi4rp7o

How JWT Tokens Work

The process begins with the server generating a token that encapsulates the user’s identity and granting permissions. When a user logs in, the server creates a JWT and sends it back. This token must be included in the header of any future requests, allowing the server to verify the user's identity without needing to access a database.

Benefits of Using JWT Tokens

The JSON serialization is crisp compared to XML. When it is encoded it takes smaller size as well. This makes JSON a great choise for JWT making it compact than SAML.

  • Statelessness: JWTs are self-contained, carrying all necessary information about the user. This makes the application scalable as it doesn’t require a session store.
  • Security: The information is digitally signed, ensuring the data has not been altered. It can be easily verified by the receiver.
  • Cross-Platform: JWTs are encoded & binary safe. They can be used in any part of an application, whether it be a mobile app, a web app, or even IoT devices.

Implementing JWT Tokens

To implement JWT in your application, you'll need a library that supports JWT creation and verification. Here are some popular JWT libraries for various programming languages:

LanguageLibrary Name & Link
JavaJJWT
Node.jsauth0/jsonwebtoken
JavaScriptauth0/jwt-decode
PHPfirebase/php-jwt
PythonPyJWT
Rubyjwt
Gogolang-jwt/jwt
C#jwt-dotnet
Swiftauth0/JWTDecode
RustKeats/jsonwebtoken

Here's a simplified process and data flow:

  1. Install a JWT library compatible with your tech stack.
  2. Upon user login, generate a JWT token and send it back to the client.
  3. In subsequent requests, the client includes this token in the header.
  4. The server verifies the token and allows access to protected resources.

JWT Best Practices

An poor implementation can render a secure framework vulnerable to attacks. Therefore, following the best practices when implementing JSON Web Tokens in your application is important. Here are some guidelines:

  • Keep the payload minimal to reduce the size of the token.
  • Have shorter token validity to mitigate the risk of stolen tokens.
  • Store the token in HTTP-only and secure HTTP Cookies to protect your application against XSS and CSRF attacks.

Algorithm Selection and Validation

The fundamental to the security of JWTs the signing algorithm. Algorithms such as RS256 (RSA Signature with SHA-256) or ES256 (ECDSA with SHA-256) are recommended due to their strength and reliability. The algorithms like HS256 (HMAC with SHA-256) is considered weaker when not used with strong keys.

Secure Storage of Tokens

Storing tokens in browser storage mechanisms such as localStorage or sessionStorage can expose them to cross-site scripting (XSS) attacks, as JavaScript running on the page can access these storage locations. The recommended and secure practice is to store tokens in HTTP-only Secure cookies, which are inaccessible to JavaScript and thus mitigate the risk of XSS attacks.

Token Revocation Strategies

JWTs are inherently stateless, which poses challenges for token revocation. The token remains valid until its expiration time. and there is no straightforward way to invalidate it immediately if necessary. To address this, refer to the next section Handling Logout appropriate solution

Audience and Issuer Validation

Validating the aud (audience) and iss (issuer) claims within a JWT ensures that the token was issued by a trusted source and is intended for your application. Always verify that these claims match the expected values corresponding to your application and trusted issuers.

Don't Add Sensitive Data in Payload

The payload in JWT is Base64 encoded, but not encrypted. This means that anyone with access to the token can decode and read its contents. Therefore, avoid including sensitive information, such as personal identifiable information (PII) or confidential data, within the token payload.

Handling Logout

A secure logout is a must for any web application. Achieving this with JWT tokens is a challenging task due to their stateless nature. This is the only complexity they bring when you adopt JWTs. Since JWT tokens are self-contained and carry all the necessary information within themselves, revoking a token once it has been issued is not straightforward. Here are a couple of approaches that can be employed to handle logout effectively:

Server-side Token Blacklisting

One approach to invalidating JWT tokens upon logout is to maintain a server-side blacklist of revoked tokens. When a user logs out, the server adds the token to the blacklist, and subsequent requests with that token are rejected. This method ensures that even if a token is unexpectedly compromised, it can be quickly invalidated on the server-side.

To implement this approach:

  1. Set up a database or cache to store the blacklisted tokens and their expiration times.
  2. When a user logs out, retrieve the token from the request and add it to the blacklist along with the current timestamp and the token's original expiration time.
  3. Before processing any request, check if the token is present in the blacklist. If it is, reject the request.
  4. Periodically clean up the blacklist by removing expired tokens to save storage space and improve performance.
  5. While effective, this method requires additional server-side resources and complexity to maintain the blacklist.

Client-side Token Expiration

Another approach is to enforce token expiration on the client-side by setting a short expiration time for the JWT tokens. When a user logs out, the client can simply discard the token, and subsequent requests will fail due to the token's expiration.

To implement this approach:

  1. Set a short expiration time for the JWT tokens, such as a few minutes or hours, depending on your application's requirements.
  2. When a user logs out, discard the token on the client-side (e.g., remove it from local storage or cookies).
  3. When an expired token is used in an HTTP request, the server will reject it, and the client can handle this rejection by forcing the user to login in again.
  4. This method is simpler to implement and doesn't require additional server-side resources, but it relies on the client to properly handle token expiration and logout scenarios.

JWT Tokens are a powerful tool in the arsenal of web security, offering both flexibility and robust protection. By understanding and implementing JWT according to the best practices outlined, you can significantly enhance the security and user experience of your applications.