JSON Web Tokens

20250706214226852988
/ 6th Jul 2025
/ 7th Jul 2025
478 words
authentication authorisation github-copilot-generated jwt oauth oidc security tokens

TL;DR

JWT provides a compact, URL-safe means of representing claims to be transferred between parties.

contributes to Authentication Methods

JWT is fundamental to OAuth 2.0 Authorisation Framework and OpenID Connect implementations, providing the token format for secure authentication and authorization.

JWT Structure

Three Parts (Base64URL encoded)

  1. Header - Token type and signing algorithm
  2. Payload - Claims and user information
  3. Signature - Cryptographic verification

Format: header.payload.signature

Header Component

{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "key-identifier"
}

Common algorithms

  • RS256 - RSA with SHA-256 (asymmetric)
  • HS256 - HMAC with SHA-256 (symmetric)
  • ES256 - ECDSA with SHA-256 (elliptic curve)

Payload Claims

Standard Claims (RFC 7519)

  • iss (issuer) - Token issuer
  • sub (subject) - Token subject (user ID)
  • aud (audience) - Token recipient
  • exp (expiration) - Expiration time
  • iat (issued at) - Issue time
  • nbf (not before) - Token valid from
  • jti (JWT ID) - Unique token identifier

Custom Claims

Application-specific information

  • User roles and permissions
  • Profile information
  • Application context
  • Session details

Token Types

1. Access Tokens

  • Short-lived (15-60 minutes)
  • Resource access - API authorization
  • Stateless - Self-contained authorization
  • Revocation challenges - Difficult to invalidate

2. ID Tokens (OIDC)

  • Identity verification - User authentication proof
  • Signed claims - Cryptographically verified user info
  • Client consumption - Application identity information
  • Non-repudiation - Proof of identity provider attestation

3. Refresh Tokens

  • Long-lived (days to months)
  • Token renewal - Obtaining new access tokens
  • Secure storage - More sensitive than access tokens
  • Revocation support - Can be invalidated

Security Considerations

Token Validation

  1. Signature verification - Cryptographic integrity
  2. Claims validation - iss, aud, exp, nbf
  3. Algorithm verification - Prevent algorithm confusion
  4. Key validation - Trusted signing keys
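
The four validation steps above, implemented for HS256 in plain Python as an added example (not part of the original note); the key id, demo secret, issuer and audience values are all constructed for the demonstration, and the checks are ordered so that the header's algorithm and key id are vetted before any key material or claim is used:

```python
import base64, hashlib, hmac, json

ALLOWED_ALGS = {"HS256"}   # pinned server-side; the token's own "alg" header is never trusted
TRUSTED_KEYS = {"key-2025-07": b"constructed-demo-secret-do-not-reuse"}   # kid -> key (demo value)

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def require(ok, reason):
    if not ok:
        raise ValueError(reason)

def mint_hs256(claims, kid):   # sample issuer, used here only to build test input
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(TRUSTED_KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def validate(token, issuer, audience, now):
    """Return the payload if all four checks pass, else raise ValueError naming the first failure."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
    except ValueError:   # wrong part count, bad base64 or bad JSON
        raise ValueError("malformed token")
    # 3. Algorithm verification: "none" or anything outside the pinned set fails before any key is used
    require(header.get("alg") in ALLOWED_ALGS, "disallowed alg %r" % header.get("alg"))
    # 4. Key validation: kid must resolve to a key we already trust
    key = TRUSTED_KEYS.get(header.get("kid"))
    require(key is not None, "unknown kid")
    # 1. Signature verification over the exact encoded header.payload, constant-time compare
    expected = hmac.new(key, (h_b64 + "." + p_b64).encode(), hashlib.sha256).digest()
    require(hmac.compare_digest(expected, b64url_decode(s_b64)), "bad signature")
    # 2. Claims validation (iss, aud, exp, nbf), only after the signature is known good
    payload = json.loads(b64url_decode(p_b64))
    aud = payload.get("aud")
    require(payload.get("iss") == issuer, "wrong issuer")
    require(audience in aud if isinstance(aud, list) else aud == audience, "wrong audience")
    require("exp" in payload and now < payload["exp"], "expired")
    require(now >= payload.get("nbf", 0), "not yet valid")
    return payload

def reject_reason(token, issuer, audience, now):   # failure message, or None when accepted
    try:
        validate(token, issuer, audience, now)
    except ValueError as err:
        return str(err)
```

Real deployments use a vetted JWT library and, for RS256/ES256, fetch keys by kid from the issuer's published key set; the ordering and pinning shown here is what such a library must do internally.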

Common Vulnerabilities

  • Algorithm confusion - None algorithm attacks
  • Weak secrets - Brute force attacks on HMAC
  • Token storage - XSS and local storage risks
  • Replay attacks - Token interception and reuse

Best Practices

1. Token Design

  • Minimal payload - Reduce token size
  • Appropriate expiration - Balance security and usability
  • Audience specificity - Limit token scope
  • Sensitive data exclusion - Avoid PII in tokens

2. Implementation

  • HTTPS only - Encrypted token transmission
  • Secure storage - HttpOnly cookies or secure storage
  • Token rotation - Regular refresh token updates
  • Comprehensive logging - Token usage monitoring

3. Storage Options

1. Browser Applications

  • HttpOnly Cookies - XSS protection (recommended)
  • Local Storage - Vulnerable to XSS
  • Session Storage - Temporary storage
  • Memory only - Most secure, short-lived

2. Mobile Applications

  • Secure enclave - Hardware-backed storage
  • Keychain services - iOS/Android secure storage
  • Encrypted storage - Application-level encryption
/ Connected Notes 3
OAuth 2.0 Authorisation Framework
ID: 20250706213710064157
OpenID Connect
ID: 20250706214226085548
Authentication Methods
ID: 20250706213434298305