I am sure you must have googled JSON web tokens (JWT) and skimmed through numerous articles before coming to our space. From the information available online, you may have the impression that JWT is a key element of modern authentication and authorization frameworks like OAuth and OpenID. Though JWT is used in OAuth and OpenID, it is not a part of these frameworks. Secondly, its applications go beyond authorization and authentication workflows. In this feature, we are going to give you a brief yet well-rounded overview of JWT and its features.
What is JWT?
A JSON web token (JWT) is a JSON object primarily used for secure data transfer over the web. It is well suited to information exchange and also serves as the basis of an authentication system. A JWT comprises a header, a payload and a signature, with the three parts separated by dots (.). The JWT defines the structure of the information exchanged between two parties, and it comes in two forms: serialized and deserialized.
The serialized form is what is exchanged over the network with each request and response, whereas the deserialized form is used to read and write the token's contents. A JWT in deserialized form consists of the header and the payload only, and both are plain JSON objects.
Why should you be using JWTs?
A JSON web token (JWT) is an excellent technology for API authentication and server-to-server authorization. However, it may not be a good fit for sessions. To understand why, it helps to compare JWT with Simple Web Tokens (SWT) and Security Assertion Markup Language (SAML) tokens.
JSON is less verbose than XML, so an encoded JWT is smaller than a SAML token. That compactness makes JWT the better choice for passing in HTML and HTTP environments.
In terms of security, a Simple Web Token (SWT) can only be symmetrically signed with a shared secret using the HMAC algorithm, whereas JWT and SAML tokens can also be signed with a public/private key pair. Signing XML with XML Digital Signature without opening security gaps is extremely difficult compared with the simplicity of signing JSON.
JSON parsers are common in most programming languages because JSON maps directly to objects. XML, on the other hand, has no natural document-to-object mapping, which makes JWTs easier to work with than SAML assertions.
In terms of usage, JWT is used mostly at Internet scale, which highlights how easy it is to process a JSON web token on the client side across many platforms, particularly mobile.
How should you use JWT?
In this section, let us discuss the cases in which JWTs can be your best bet. When you are building API services that require server-to-server or client-to-server communication (think of a mobile app or a single-page app (SPA)), JWTs can be used as your API tokens.
By doing that:
- You will get an authentication API which a client authenticates against to get a JWT in return.
- Clients will use this JWT to send authenticated requests to other API services.
- The other API services use the client's JWT to validate and verify the client, and can perform the requested task without a network round trip for validation.
JWTs are advisable for these types of API services because clients make frequent requests with a limited scope, and the authentication data can be carried in the token without creating a dependency on user data.
When you are building a service involving three or more parties, JWTs can come in handy. In this case, the requesting party obtains a token that verifies its identity and can pass it forward without requiring real-time validation at each stage.
JWTs support cryptographic signing and are therefore a natural fit for federated user protocols. When you are using federation (for example single sign-on and OpenID Connect), JWTs matter because you need a way to validate a user's identity through a third party.
While building your next website, you can simply rely on your web framework's default authentication tools and libraries rather than forcing JWTs in where they are not needed. However, if your goal is web security and everything else in the authentication spectrum, you are better off partnering with Nimblechapps. Do let us know if you would like to read more content on network security.