Cognizance JWT Authentication
Updated: Aug 27, 2021
JWT stands for JSON Web Token: an encoded representation of a claim or a group of claims that can be transferred between two parties.
Even though it is a popular and accepted technology, when it comes to JWT authentication it comes along with a lot of controversy. Some say it’s complicated. And some say it’s useful and gives amazing outputs. We can’t precisely say which one is correct. The truth lies somewhere in between these two.
Before digging into it in detail, let's say what exactly JWT authentication is.
What Is JWT
A JWT is an open standard that defines a compact and self-contained way of securely transmitting information between parties as a JSON object. It is an encoded, URL-safe string that can contain an unlimited amount of data, which is written encrypted.
When a server receives a JWT, it can identify the source and guarantee that the data it contains can be trusted, because it is signed by that source. Once the JWT has been sent, no intermediary can change or modify it.
When To Use JWT Authentication
There are many ways to allow a service to be used securely, and JWT is one of them. Of course, there are limitations to the security JSON Web Tokens provide.
The Structure Of JSON Web Token
In its compact form, the JSON Web Token has three parts.
All of these are separated by dots (.), so a JWT looks like the following:
Let's have a detailed look at these three parts.
The header usually consists of two parts: the type of token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.
The next part of the token is the payload. It contains the claims. Claims are statements about an entity (typically the user) plus additional data. There are three types of claims: registered, public and private claims. All claims used in JWT authentication are stored in this part.
Registered claims: a set of predefined claims which are not mandatory but recommended, to provide a set of useful, coherent claims. Some are: iss (issuer), exp (expiration time), sub (subject) and aud (audience).
Public claims: these can be defined at will by those using JWTs, but to avoid collisions they should be defined in the IANA JSON Web Token Registry or be defined as a URI that contains a collision-resistant namespace.
Private claims: custom claims created to share information between parties that agree on using them, and that are neither registered nor public claims.
The signature is derived from the header and payload fields. To create the signature part, you take the encoded header, the encoded payload and a secret, and sign them with the algorithm specified in the header:
HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
Compared to other web tokens, JWT is much simpler and easier, as it is based on JSON, which is easier to understand than XML. Considering security, JWT uses a public and private key pair for a better authentication experience. From the user's point of view, JWT is easy to process on the user's device, whether a laptop or a mobile phone. Apart from authentication, JSON Web Tokens are secure for transmitting data between multiple users.