What is JSON?
.json extension. These files are used to transmit data objects that comprise the following:
- Attribute-value pairs
- Data types such as number, string, boolean, array, object, and null
Following is a sample JSON that describes a cat.
What is JWT?
According to the specification, JWT is a compact, URL-safe means of representing claims to be transferred between two entities.
JWT, in fact, is a valid JSON object that consists of a header, a payload, and a signature, and looks similar to what is shown in the image below.
Sample JWT structure
In the JWT, these components are encoded and separated by a period (see below).
Let’s get to know more about these components.
The header of the JWT defines how the token’s signature should be generated and is usually composed of the following:
- alg: This is the algorithm that is used to generate the signature of the JWT, which can either be HS256 or RS256
- typ: This is the type of the token, which is JWT
The header of the JWT is encoded using the base64 encoding scheme (see below).
The payload consists of a set of claim names and claim values. Following are some commonly used claims:
- iss: This is the issuer of the token, for example the consumer key of your application
- sub: This is used by the issuer to uniquely identify the end-user, for example the consumer key of your application
- aud: This is the audience/recipients that the JWT is intended for
- exp: This is the epoch time of the token expiration date/time
- iat: This is the epoch time of the token issuance date/time
- jti: This is an incremental unique value that uniquely identifies the JWT
The payload of the JWT is also encoded using the base64 encoding scheme (see below).
The signature of the JWT is the hashed value of the encoded header and the encoded payload in the following structure.
Hashing can be done using either RS256 or HS256 algorithms.
RSA with SHA-256 (RS256) is an asymmetric algorithm that uses a public key and private key pair.
- Private key: This is used by the identity provider to generate the JWT signature
- Public key: This is used by the JWT consumer to validate the JWT signature
For more information on asymmetric encryption in WSO2 Identity Server, see the documentation on using asymmetric encryption.
HMAC with SHA-256 (HS256) is a symmetric algorithm that uses a single private key. This private key is shared between the identity provider and the JWT consumer. To learn how to perform symmetric encryption using WSO2 Identity Server, see the documentation on using symmetric encryption. Once hashed, the signature will be encrypted using the private key.
The JWT format is used for ID tokens in token-based authentication. However, even though the JWT is encoded, it is not encrypted. Therefore, it is not recommended to transmit private information using JWT.
WSO2 Identity Server is a renowned IAM solution that implements JWT. Following is some content that you might be interested in checking out: