JSON Web Tokens (JWT)
December 8, 2023
Written by Andalib Kibria and Kamal Hossain

A JSON Web Token (JWT), a token format built on JavaScript Object Notation (JSON), is an unmodified token mechanism for verifying a user with the server. That sentence contains a few concepts that need to be broken down further, and they are also the main reason we chose JWTs for the login authentication process on ShouldertoCryOn. We will also discuss the advantages and vulnerabilities of using JWTs later in this article.
Firstly, an unmodified token mechanism is a simple token-based authentication system that needs no additional modifications or complexity. Token-based authentication is when an application or system uses tokens to verify users. Instead of a username-and-password approach, a unique token is generated to serve as proof of the user's identity. This is usually achieved via email or text message, where a 4 to 6 digit alphanumeric string of characters is sent to the user, who then inputs that generated code at the log-in portal for validation. The token is then signed by the server and grants access.
To delve further into what an "unmodified" token is: it is essentially a token that cannot be modified by a third party or middleman. If the token is modified, it becomes invalid and unusable, and a new token must be created.

JWT consists of three parts: header, payload, and signature. There could be other sections in the token, but these are the mandatory or essential components.
The header typically contains two parts: the token type and the signing algorithm. Below is an example of what the header typically contains:
{
  "alg": "HS256",
  "typ": "JWT"
}
The payload mainly contains the claims, which carry information about the user, such as the name, date of birth, or any other fields entered during the session. Below is an example (the id is quoted because JSON does not allow a number with a leading zero):
{
  "name": "John Doe",
  "id": "01234",
  "dob": "23-07-21"
}
The signature is created by taking the encoded header, the encoded payload, a secret key and the algorithm named in the header (HMAC-SHA256 for "HS256"). It is a unique value used to verify the integrity of the token. An example signature:
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
and a complete token, in which the base64url-encoded header, payload and signature are joined by dots:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiAiMTIzNDU2Nzg5MCIsICJuYW1lIjogIkpvaG4gRG9lIiwgImlhdCI6IDE1MTYyMzkwMjJ9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Why do you need to understand the structure of a JWT? Simply because a JWT allows you to verify that its content has not been tampered with, and it is also a good way to transmit information between two parties; much like the local mail service, where a letter or package has to be signed for by the recipient with a valid ID.
There are many advantages to using a Javascript Object Notation Web Token, but the main benefits are as follows:

After reading this blog, you can understand why we chose this path for ShouldertoCryOn. Despite the vulnerabilities and despite the other authentication processes, our main priority was to keep the code lean and not waste time on building an application that will inevitably be revised and rewritten. Therefore, we ensure good practices, deploy professional standards, and use sound judgment whenever we are providing a service or producing a product. Javascript Object Notation Web Tokens will suffice for now.
Thank you.
