JSON Web Token (JWT) is one of the most commonly used types of authentication tokens.
- It consists of three components: Header, Payload, Signature.
- These three parts are separated by '.':
Header.Payload.Signature
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
- Each part is a base64url-encoded string.
Header
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
- The header states the algorithm used to generate the signature.
{
"alg": "HS256",
"typ": "JWT"
}
Payload
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ
- This contains the user metadata.
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022
}
Signature
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
- It lets the server validate that no one has tampered with the token.
Token signatures must always be verified on the server side.
The backend must restrict the accepted 'alg' value to a specific algorithm; it must never be left open to 'none'.
HMAC and RSA
- HMAC requires the token to be signed with a key and later verified with the same key (a shared secret key).
- An RSA token is first created with the private key and later verified with the corresponding public key.
Thanks for reading
Read my article about token based authentication