JWT

JSON Web Tokens - jwt.io

Usually used as an access token, carrying claims for both authentication (who the caller is) and authorisation (what the caller may do).

Components

A JWT has three parts, separated by a dot (.): header, payload and signature.

An example of a JWT token:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Header part

The first part, eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9, is Base64url encoded (a URL-safe Base64 variant without = padding). It is not encrypted, so anyone can read it. It holds a few headers such as the signing algorithm and the token type:

{"alg":"HS256","typ":"JWT"}

Body part

The second part, eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ, is the payload (the claims). Like the header it is only Base64url encoded, not encrypted, so it must never carry secrets:

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

Common fields (registered claims)

  • sub: the subject, usually the user id
  • iat: issued-at timestamp, in seconds since the Unix epoch

No claim is mandatory by the spec, but these two are almost always present. The exp claim (expiry timestamp) is what a server should check to reject expired tokens; when a token carries no exp, the server can still enforce a maximum lifetime by comparing iat with the current time.

Signature part

The third part, SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c, is the signature: an HMAC-SHA256 (the HS256 declared in the header) computed over the first two parts with a secret key, so that any change to the header or payload invalidates it:

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret
)

The server holds the secret key, recomputes this HMAC over the received header and payload, and compares it (in constant time) with the signature part; only a token produced with the same secret verifies. Two caveats: anyone holding the secret can mint valid tokens, so it must be a high-entropy value kept server-side, and the server should verify against the algorithm it expects rather than whatever alg value the token itself declares.
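To show the three parts and the HS256 check described above end to end, here is an added example (not code from the original page or from jwt.io) that splits and Base64url-decodes the page's sample token, recomputes the HMAC-SHA256 over header.payload, compares it in constant time, and then applies the exp / iat checks from the claims section. It assumes the sample token was signed with jwt.io's demo secret "your-256-bit-secret"; the forged and expired tokens used in the checks are constructed inside the block.

```python
import base64
import hashlib
import hmac
import json
import time

# Sample token from the page (jwt.io's example). Assumption: it was signed with
# jwt.io's demo secret below; a real deployment uses its own high-entropy secret.
EXAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)
EXAMPLE_SECRET = b"your-256-bit-secret"
EXAMPLE_PAYLOAD = {"sub": "1234567890", "name": "John Doe", "iat": 1516239022}


def b64url_decode(segment: str) -> bytes:
    """JWT segments are Base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def split_token(token: str):
    """Return (header, payload, signature_bytes, signing_input) for a compact JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWT must have exactly three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    # The signature covers the encoded header and payload exactly as transmitted.
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    return header, payload, b64url_decode(sig_b64), signing_input


def sign_hs256(signing_input: bytes, secret: bytes) -> bytes:
    """HS256 = HMAC-SHA256 keyed with the server secret (a MAC, not a plain hash)."""
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def mint_hs256(payload: dict, secret: bytes) -> str:
    """Build a compact JWT; compact JSON separators match what jwt.io emits."""
    header = {"alg": "HS256", "typ": "JWT"}
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = sign_hs256(f"{h}.{p}".encode("ascii"), secret)
    return f"{h}.{p}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes, now=None, max_age=None) -> dict:
    """Return the claims if the token verifies, else raise ValueError.

    The expected algorithm is pinned server-side: a token declaring 'none' or
    another alg is rejected before any cryptography runs.
    """
    header, payload, sig, signing_input = split_token(token)
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = sign_hs256(signing_input, secret)
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        raise ValueError("signature mismatch")
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired (exp)")
    # With no exp claim, the server can still bound the lifetime from iat.
    if max_age is not None and "iat" in payload and now - payload["iat"] > max_age:
        raise ValueError("token too old (iat + max_age)")
    return payload


def is_valid(token: str, secret: bytes, now=None, max_age=None) -> bool:
    try:
        verify_hs256(token, secret, now=now, max_age=max_age)
        return True
    except ValueError:
        return False


def forged_payload_token() -> str:
    """Constructed attack token: payload changed, original signature kept."""
    h, _, s = EXAMPLE_TOKEN.split(".")
    p = b64url_encode(json.dumps(dict(EXAMPLE_PAYLOAD, sub="0"), separators=(",", ":")).encode())
    return f"{h}.{p}.{s}"


def alg_none_token() -> str:
    """Constructed attack token: alg=none header and empty signature."""
    h = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    p = b64url_encode(json.dumps(EXAMPLE_PAYLOAD, separators=(",", ":")).encode())
    return f"{h}.{p}."


if __name__ == "__main__":
    print(split_token(EXAMPLE_TOKEN)[:2])
    print("valid:", is_valid(EXAMPLE_TOKEN, EXAMPLE_SECRET, now=1516239100))
    print("forged:", is_valid(forged_payload_token(), EXAMPLE_SECRET, now=1516239100))
```

Re-minting the page's payload with the demo secret reproduces the page's token byte for byte, which is a quick way to confirm that header order, compact JSON and unpadded Base64url all matter for the signing input. The rejection of alg=none and of a re-encoded payload with the old signature is where most real-world JWT bugs have lived.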