JWT - What is it
A JSON Web Token (JWT) is a widely used way of representing the set of claims about a caller that an identity provider issues after authentication and authorization.
A JWT has three parts, separated by dots, each encoded in Base64url (URL-safe Base64 without padding).
Below is the structure of a JWT:
1. JWT Header (a Base64url-encoded JSON string; it names the signature algorithm used for the token and the token type)
2. JWT Body (a Base64url-encoded JSON string; usually the set of claims/permissions the token bearer holds, as provided by the authentication server)
3. JWT Signature (computed over the encoded header and body using the algorithm named in the header)
A decoded JWT presents this information in human-readable JSON. The server decodes the token to retrieve the claims it carries.
Sample Decoded JWT Token Header (fragment):
    "description": "Sample JWT Token"
Sample Decoded JWT Token Body (fragment):
    "name": "Will Smith",
The biggest advantage of JWTs is that they let the authentication logic be delegated to a separate, dedicated server.
In an enterprise there can be a dedicated Authentication Server whose sole purpose is to authenticate end users, whether by username/password, social login, or federated login with external identity providers. On successful authentication, the authn server returns a signed JWT that attests to the user's identity along with optional attributes such as expiry time, issuer and so on.
End users then send the JWT obtained in the step above to the Application Server with every request. The Application Server first validates the token by verifying its signature and checking its expiry time; only after successful validation does it process the request and return the response.
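The structure above (header, body, signature) and the validation step the application server performs can be seen end to end in the following added example. It is not code from the original page: it issues and verifies an HS256 token using only the Python standard library, with a constructed shared secret and constructed claims. The verifier pins the algorithm it accepts, compares the signature in constant time, and checks the `exp` claim, which are the checks the text describes.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed example key for this demo only; a real deployment loads it from a secret store.
SECRET_KEY = b"example-shared-secret-do-not-use-in-production"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, the encoding JWTs use for each part."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode: restore the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(claims: dict, key: bytes, ttl_seconds: int = 300,
               now: Optional[int] = None) -> str:
    """Issue an HS256 JWT: header.body.signature, each part Base64url-encoded."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    body = dict(claims, iat=now, exp=now + ttl_seconds)
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(body, separators=(",", ":")).encode()))
    # The signature covers the encoded header and body, with the algorithm named in the header.
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_jwt(token: str, key: bytes, now: Optional[int] = None) -> dict:
    """Validate signature and expiry; return the body's claims or raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three dot-separated parts")
    header_b64, body_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The verifier, not the token, decides which algorithm is acceptable: the header
    # is untrusted input until the signature over it has been checked.
    if header.get("alg") != "HS256":
        raise ValueError("unsupported or missing alg in header")
    expected = hmac.new(key, (header_b64 + "." + body_b64).encode("ascii"),
                        hashlib.sha256).digest()
    # compare_digest performs a constant-time comparison of the two signatures.
    if not hmac.compare_digest(expected, b64url_decode(signature_b64)):
        raise ValueError("signature mismatch")
    body = json.loads(b64url_decode(body_b64))
    if "exp" not in body or now >= int(body["exp"]):
        raise ValueError("token expired or missing exp")
    return body


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Return the human-readable header and body without checking the signature (for inspection only)."""
    header_b64, body_b64, _ = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(body_b64))


if __name__ == "__main__":
    # Constructed claims for the demo.
    tok = create_jwt({"sub": "user-123", "name": "Will Smith", "roles": ["orders:read"]}, SECRET_KEY)
    print(tok)
    print(decode_unverified(tok))
    print(verify_jwt(tok, SECRET_KEY))
```

Note that `decode_unverified` exists only to show the readable header and body; an application server must always use `verify_jwt` before acting on any claim, because anyone can construct the first two parts of a token.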
JWTs are not an alternative to session management. It remains the server's responsibility to create a session for user-specific interaction details (such as the order id in an e-commerce application) after the JWT has been validated.
JWTs come in handy when a client needs to interact with multiple isolated applications (e.g. microservices) without authenticating every time. The client first communicates with the Authentication Server (presenting valid credentials) and receives a JWT that is trusted by the other microservices/applications in the enterprise. That JWT is then used as the authentication token in all further communication with those applications.
In this way, the individual applications/microservices can focus on their core functionalities, rather than on how to authenticate the clients.
Because the credentials are not sent to the individual applications with every request, this is more secure. APIs consume the JWT and validate the claims it carries; on successful validation, the caller is granted access to invoke the API. JWTs are secure in the sense that they contain none of the credentials and carry an expiry timestamp, after which the token is no longer valid.