-
Notifications
You must be signed in to change notification settings - Fork 35
What is JWT token?
Json Web Token is just a JSON data encoded and signed with a private key. Since it is signed, it is impossible to tamper the data. In the presence of the private key, the data can be verified (for integrity and authenticity) across multiple servers.
A JSON data contains three parts:
Header.Body.Signature
Example:
Header contains, among other things, what algorithm is used to sign the token.
Body is just the Base64URL encoded JSON data. Body is also called Claims in JWT terminology. We will learn about Claims in a later section below.
Signature contains, depending on the selected algorithm (specified in Header section), the signature of the Body signed with a private key. The private key shall be kept secret.
Since the Session data is just a key-value pair, it can be stored as JSON payload in the JWT token.
Claims are fields in JSON data section of the token. The establish certain information the token like when it was issued, who issued it, whom it is intended for, etc.
Issuer Claim is stored as iss
in the JWT body. It establishes who issued the token in the first place.
Audience Claim is stored as aud
in the JWT body. It is a list. It identifies the intended recipients of the token. The issuer sets it when the token is issued.
When a client makes a request to the server with a token, the recipient server shall check whether it is listed in the audience field. If it is not listed, the request shall be rejected.
Subject Claim is stored as sub
in the JWT body. It identifies the client for which the token is issued.
For example, it identifies the logged-in user, when the token is used for user authorization.
Expiry Claim is stored as exp
in the JWT body. It specifies the seconds since epoch at which the token shall expire.
Issued at Claim is stored as iat
in the JWT body. It specifies the seconds since epoch at which the token was issued.
In the next article, we will explore how to use store sessions on JWT.
Basics
- Route handler
- Path matching
- Path parameters
- Query parameters
- Serving static files
- Cookies
- Controller
- Parameter binding
- Hot reload
Serialization
Forms
Sessions
Authentication
- Basic authentication
- Form authentication
- JSON authentication
- Authorization
- OAuth
- MongoDb
- PostgreSQL
- MySQL
- Establish connection
- ORM
- Server sent events (SSE)
- Websockets
- systemd
- Docker
- AppEngine