What is a JSON Web Token (JWT)?
A JSON Web Token, or JWT for short, is a standardized access token that enables the secure exchange of data in the form of JSON objects between two parties. Because it contains all the essential information about an entity, no database query is required, and the session does not need to be stored on the server. Verified by a digital signature, JWTs are frequently used for authentication and authorization, such as enabling Single Sign-On (SSO) processes or securing APIs. Their compact structure, combined with cryptographic validation, provides a robust option for securing communication between parties.
JSON Web Tokens are defined and standardized in the RFC 7519 specification. RFC stands for “Request for Comments,” which describes a series of numbered documents that define internet standards, protocols, and concepts. These serve as the basis for communication between different devices on the internet.
The name combines the two concepts a JWT is built from: the JSON text format and digital credentials in the form of tokens.
JSON
JSON stands for “JavaScript Object Notation”, an open and language-independent text format used to store and transmit data. Its ease of use makes it ideal for web applications and APIs, as it is easy for humans to understand and easy for machines to generate or parse.
Token
Tokens are digital credentials that have become indispensable in modern authentication systems. They store a user’s identity and authorization in a compact and secure form, ensuring that only authorized users can access protected resources.
Structure of JSON Web Token
A signed JSON Web Token is a simple string consisting of three parts separated by periods, each part Base64url-encoded (the URL-safe Base64 variant without padding). Users don’t typically see the JSON Web Token string itself. However, they interact with it when using a website or application that uses JWTs in the background. The three parts of a JSON Web Token are the header, payload, and signature.
Header
The header, which usually consists of two parts, provides important information about the token. It describes the token type and the signature and/or encryption method used.
Payload
The payload contains the actual user information to be transmitted to the application. This could include, for example, user ID, name, or expiration time. Provided as key/value pairs, this information is also referred to as “claims”, with a distinction made between private, public, and registered claims. Payloads can contain any number of claims. However, the larger the JSON Web Token (JWT) becomes, the more resources are required for encoding and decoding. A JWT is typically transmitted in the headers of HTTP requests. Therefore, the larger the token, the larger the actual request. It is thus recommended to limit the information contained in the JWT to the bare minimum.
Signature
The final part is the signature. It is computed over the encoded header and the encoded payload with a secret key (or, for asymmetric schemes, a private key), using the signature or encryption method named in the header. The signature ensures that the message is not altered in transit and that the sender of the JSON Web Token is indeed who they claim to be.
There are different methods, depending on the sensitivity of the data:
- No security: With a low security level, a signature can be omitted. In this case, the JWT consists only of a header and payload and is readable in plaintext after Base64 decoding. Whether the message originates from the correct sender or has been altered in transit cannot be verified. This method is almost never used. Without a signature, a JWT offers no added security and can be functionally replaced by other, simpler data formats.
- Signature (JWS): The JSON Web Signature (JWS) scheme is used to ensure that a message originates from the correct sender and has not been altered in transit. This verification is sufficient for most scenarios. Even with this method, the payload can be read in plaintext after Base64 decoding. Signature (JWS) is considered the standard procedure and is used by almost all systems.
- Signature (JWS) and encryption (JWE): In addition to JSON Web Signature (JWS), JSON Web Encryption (JWE) can be used. In this case, JWE encrypts the payload contents, which are then signed with JWS. The contents are decrypted by providing a shared password or a private key. After Base64 decoding, the payload is not readable in plaintext, the sender is verified, and the message is both authentic and confidential. This method is a niche approach and is rarely used because application support is very limited. In practice, it is usually sufficient to use the signature method (JWS, the previous item) in combination with secure and protected connections and to limit the information contained in the payload to the necessary minimum.
Each of the methods mentioned should additionally use TLS (Transport Layer Security, the successor of SSL) to establish an encrypted connection between client (e.g. a web browser) and server to protect the data during communication.
How a JSON Web Token Works
The functionality of a JSON Web Token can be easily explained using a user login as an example:
When a user logs in with their e-mail address and password, the server creates a JSON Web Token (JWT). This token is encoded with the relevant information and signed with a secret key (secret) or a private key (in the case of an asymmetric signature) to prevent misuse. After the JWT is created, it is sent to the client and stored locally.
With each subsequent request to the server, the client sends the JWT, for example in an HTTP header or as a parameter of the GET request. The server decodes the JWT, verifies its signature, and checks information such as the issuer, target audience, and validity period. After successful verification, the client gains access to the requested resource.
Additional security is provided by an expiration time that JWTs typically have. During validation, the server checks the token’s validity period and rejects processing if it has expired. In this case, the client is prompted to update the token.
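The token structure, the signature methods, and the login flow above, worked through in code. This is an added example and not code from the original article or from any JWT library; it assumes the HS256 method (HMAC with SHA-256 over a shared secret) and uses constructed secret, issuer, audience and user values. The server side pins the algorithm rather than trusting the header, which is what rejects the unsigned "no security" variant, checks the signature in constant time, and then validates issuer, audience and expiry exactly in the order the text describes. `peek_claims` shows the privacy caveat: the payload is readable by anyone holding the token, without the key.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example only; a real deployment uses a long,
# randomly generated secret and its own issuer/audience identifiers.
SECRET = b"example-shared-secret-do-not-reuse"
ISSUER = "https://auth.example.test"
AUDIENCE = "orders-api"
TOKEN_LIFETIME = 15 * 60  # seconds; the 15-minute compromise from the text


def b64url_encode(data: bytes) -> str:
    # JWTs use the URL-safe Base64 alphabet with the '=' padding removed
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding the encoder stripped, then decode
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_segment(obj: dict) -> str:
    # Compact JSON (no whitespace) keeps the token small
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(signing_input: bytes, secret: bytes) -> bytes:
    # HS256 = HMAC over "header.payload" with SHA-256
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def create_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Build header.payload.signature as described in the text."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{encode_segment(header)}.{encode_segment(claims)}"
    signature = sign_hs256(signing_input.encode("ascii"), secret)
    return f"{signing_input}.{b64url_encode(signature)}"


def issue_login_token(user_id: str, now: Optional[float] = None) -> str:
    """What the server does after a successful password check."""
    now = int(time.time() if now is None else now)
    claims = {"sub": user_id, "iss": ISSUER, "aud": AUDIENCE,
              "iat": now, "exp": now + TOKEN_LIFETIME}
    return create_jwt(claims)


def peek_claims(token: str) -> dict:
    # No key needed: Base64url is encoding, not encryption, so anyone
    # holding the token can read the payload
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_jwt(token: str, secret: bytes = SECRET,
               now: Optional[float] = None) -> dict:
    """Server-side check on every request; raises ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm instead of trusting the header: this rejects the
    # unsigned "no security" variant (alg "none") and any algorithm swap
    if header.get("alg") != "HS256":
        raise ValueError("unsupported or missing alg")
    expected = sign_hs256(f"{header_b64}.{payload_b64}".encode("ascii"), secret)
    # Constant-time comparison avoids leaking signature bytes via timing
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("token not intended for this audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or has no exp claim")
    return claims


if __name__ == "__main__":
    token = issue_login_token("user-42")
    print("token:", token)
    print("claims readable without the key:", peek_claims(token))
    print("verified subject:", verify_jwt(token)["sub"])
    # Integrity check: a modified payload with the original signature must fail
    header_b64, _, sig_b64 = token.split(".")
    modified = f"{header_b64}.{encode_segment({'sub': 'someone-else'})}.{sig_b64}"
    try:
        verify_jwt(modified)
    except ValueError as err:
        print("modified token rejected:", err)
```

Run the file directly to see a token issued, its claims read back without the key, and a modified copy rejected. The `now` parameter exists so that expiry behaviour can be tested deterministically; in production it defaults to the wall clock.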
Advantages of Using JSON Web Tokens
JSON Web Tokens are very useful for applications that exchange information between different systems. They enable the secure exchange of sensitive data, are extremely flexible, scalable, and lightweight. This makes them easy to use with mobile applications.
Further advantages include:
- Security: JSON Web Tokens are signed with a shared secret or asymmetrically with a public/private key pair. This ensures that the data is not manipulated during transmission. Furthermore, the validity of a JWT can be limited by an expiration date.
- Authentication: All necessary information is encoded in the token, eliminating the need for server-side databases and database queries during user authentication. This improves performance and results in faster response times.
- Data integrity: If the token’s contents are altered, the signature no longer verifies. JWTs thus ensure that the data has not been manipulated and that the sender is always the correct one.
- Flexibility: JWTs are compatible with multiple programming languages and can be integrated into various platforms. This enables easy integration into diverse environments and technology stacks.
- Stateless: User information is stored directly in the JWT, so the server itself does not need to store any session state. Therefore, JWTs are perfectly suited for scalable systems.
Disadvantages of Using JSON Web Tokens
Where there is light, there is also shadow. And while JWTs offer many advantages, we also want to mention some drawbacks of using JSON Web Tokens.
- The biggest disadvantage of JWTs is their irrevocability. Once signed, a JSON Web Token cannot be revoked or updated, even if user permissions change. It is considered valid for as long as the signature is valid and has not expired. Therefore, the validity period of the JWT should be chosen carefully. A value of 15 minutes has become established as a standard compromise.
- Another disadvantage is their size. JSON Web Tokens contain a header, data (claims), and a signature, making them larger than traditional session tokens and thus increasing bandwidth consumption. Furthermore, JWTs are almost always transmitted in the headers of HTTP requests, for good reason. However, these headers usually have a technical length limit that can be quickly reached with an excessively large JWT. This can lead to HTTP requests being rejected by the server before they are even processed. The length limit is often used to limit abuse or to make DDoS attacks more difficult. Therefore, a JSON Web Token should only contain the most essential information to keep traffic to a minimum.
- Finally, let’s address data privacy. The user data, or payload, of a JWT is Base64-encoded and not encrypted. While the data is converted into a text format that is difficult for humans to read, this process can be easily reversed. Anyone who intercepts a token can read the information it contains (e.g., the user ID). Therefore, the correct combination of a signature, a short validity period, and refresh tokens is crucial to prevent data disclosure and unauthorized access.
Use Cases for JSON Web Tokens
Due to their enhanced security and flexibility, JSON Web Tokens (JWTs) are the ideal choice for various authentication methods. They are primarily used for stateless authentication, authorization, and session management in modern applications. JWTs enable both server-side and client-side applications to securely authenticate users and exchange critical information without requiring a database query for every request. Below are some of the most common use cases for JSON Web Tokens:
- Single Sign-On (SSO) systems: Users log in once and can then access different connected applications without re-authentication.
- Microservice architecture: By directly passing authentication information, JSON Web Tokens facilitate secure communication across multiple services.
- API security: JWTs are used to ensure secure API authorization and to guarantee that only authorized requests are processed.
- Mobile applications: JWTs are easy to use and lightweight, making them ideal for secure authentication of API requests on iOS and Android devices.
- Cross-Origin Resource Sharing (CORS): Since JSON Web Tokens do not rely on cookies, they simplify authentication across different domains.
- One-time access: JWTs have an integrated expiration mechanism, making them perfect for temporary links such as e-mail verifications or password resets.
Conclusion
A JSON Web Token (JWT) is a powerful tool and therefore ideal for authentication and data exchange. Servers don’t need to store session state, as JWTs contain all the necessary information. They are flexible, scalable, compact, and easily transferable.
However, JWTs are not encrypted by default. Sensitive data must therefore be additionally encrypted using JSON Web Encryption (JWE). The validity period should also be carefully chosen, with shorter periods being recommended.
Thus, and despite some limitations, JSON Web Tokens, together with OpenID Connect (OIDC) and OAuth 2.0, form a solid, modern foundation for secure authentication and authorization.
