JWTs in Plainish English

18th May 2019

A JWT (JSON Web Token) is a flashy, succinct way of carrying authorisation and authentication data. It can be used by applications as a way for users to present session information, including details such as access levels. JWTs can be signed and encrypted to protect against tampering and falsification.

The main cool thing about JWT is that in addition to using the tokens to authenticate users, the tokens can include extra information such as permitted roles or areas of access. A JWT can be signed (so that modified claims can be identified and ignored) and encrypted (so that claims cannot be viewed).

The main annoying thing about JWT is that it is pronounced jot.

Anatomy

Header

Specifies the type of the token (so... JWT) and, in the alg field, the algorithm used to sign it.

none No signature; the token is unsigned.
HS256 HMAC with SHA-256.
HS384 HMAC with SHA-384.
HS512 HMAC with SHA-512.
RS256 RSA with SHA-256.
RS384 RSA with SHA-384.
RS512 RSA with SHA-512.
ES256 ECDSA (faster and shorter than RSA) with SHA-256.
ES384 ECDSA (faster and shorter than RSA) with SHA-384.
ES512 ECDSA (faster and shorter than RSA) with SHA-512.
PS256 RSASSA-PSS (RSA with randomised padding) with SHA-256.
PS384 RSASSA-PSS (RSA with randomised padding) with SHA-384.
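As an added example (my code, not the post's), here is a minimal HS256 signer and verifier using only the Python standard library. The key is a constructed demo value. The verifier only accepts the HS256/HS384/HS512 entries from the list above, so a header claiming alg "none" or a non-HMAC algorithm is rejected before any signature comparison, and the comparison itself is constant-time.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; a real key comes from a secrets store, never from source.
DEMO_KEY = b"example-hmac-key-not-for-production"

# Allow-list of algorithms this verifier will honour. "none" is deliberately absent,
# and so are RS*/ES*/PS*, because this code only knows how to check an HMAC.
HMAC_ALGS = {
    "HS256": hashlib.sha256,
    "HS384": hashlib.sha384,
    "HS512": hashlib.sha512,
}


def b64url_encode(raw: bytes) -> str:
    """Base64url without '=' padding, as the JWS compact serialisation requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: dict, key: bytes, alg: str = "HS256") -> str:
    """Build header.payload.signature for an HMAC algorithm from the allow-list."""
    header = {"typ": "JWT", "alg": alg}
    segments = [
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
    ]
    # The MAC covers the two encoded segments joined by a dot, exactly as transmitted.
    signing_input = ".".join(segments).encode("ascii")
    mac = hmac.new(key, signing_input, HMAC_ALGS[alg]).digest()
    return ".".join(segments + [b64url_encode(mac)])


def verify(token: str, key: bytes) -> Optional[dict]:
    """Return the decoded payload if the signature checks out, otherwise None."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None  # not three segments, so not a compact JWS
    try:
        header = json.loads(b64url_decode(h))
    except (ValueError, json.JSONDecodeError):
        return None
    alg = header.get("alg")
    if alg not in HMAC_ALGS:
        return None  # rejects "none", RS256, unknown strings, missing alg
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), HMAC_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None  # tampered payload, wrong key, or forged signature
    return json.loads(b64url_decode(p))


if __name__ == "__main__":
    token = sign({"sub": "alice", "role": "user"}, DEMO_KEY)
    print(token)
    print(verify(token, DEMO_KEY))
```

The important design choice is that the verifier decides which algorithms it will accept, rather than trusting whatever the header announces; a production service would use a maintained library with the same allow-list behaviour rather than hand-rolled code.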

Payload

Specifies the "claims" of the JWT. The registered claims defined by the standard are:

iss Issuer The issuing principal. Optional.
sub Subject The subject of the JWT. Optional.
aud Audience The intended recipients. Optional.
exp Expiration When the JWT should no longer be accepted. Optional.
nbf Not Before When the JWT should begin being accepted. Optional.
iat Issued At Numeric date of issuance. Optional.
jti JWT ID A unique identifier for the JWT. Optional.

JWT claims can be extended to meet the needs of an app. These claims can be customized and should always be inspected for goodies.

Signature

The algorithm used for the signature is declared within the header, and the token as a whole can also be encrypted.

JWTs are easy to spot in the wild, as the resultant mass is base64url encoded and not exactly inconspicuous. As they are used for authentication, if you see a large cookie or header value with two dots in it beginning with "eyJ" (base64 for {"), it's worth running it through JWT.io or a Burp Suite extension to see what you've been granted.
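Tying the claims list above to the "spotted in the wild" advice, here is an added example (mine, not the post's) that decodes a token's header and payload without checking the signature, purely for inspection, and then checks the registered claims exp, nbf, aud and iss against what the receiving application expects. The token, issuer URL and audience name are constructed for the demo, and the signature segment is a placeholder of zero bytes, so this token would never pass a real verifier.

```python
import base64
import json
import time
from typing import List, Optional


def b64url_decode(text: str) -> bytes:
    """Restore stripped '=' padding before decoding a JWS segment."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


# Constructed sample token. The timestamps fall on 18 May 2019 (the post's date),
# and the signature segment is 32 zero bytes, i.e. deliberately not a valid MAC.
SAMPLE_TOKEN = ".".join([
    _b64url_encode(b'{"typ":"JWT","alg":"HS256"}'),
    _b64url_encode(
        b'{"iss":"https://issuer.example","sub":"alice","aud":"shop-api",'
        b'"exp":1558137600,"nbf":1558134000,"iat":1558134000,"role":"admin"}'
    ),
    _b64url_encode(b"\x00" * 32),
])


def peek(token: str) -> dict:
    """Decode header and payload WITHOUT verifying the signature.

    This is the JWT.io style inspection the post describes: fine for seeing what
    claims a token carries, never a substitute for signature verification.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return {
        "header": header,
        "payload": payload,
        "signature_bytes": len(b64url_decode(parts[2])),
    }


def check_registered_claims(payload: dict, expected_aud: str, expected_iss: str,
                            now: Optional[int] = None, leeway: int = 0) -> List[str]:
    """Return the list of problems with exp/nbf/aud/iss; an empty list means OK.

    `now` is injectable so the check is testable; `leeway` absorbs small clock skew.
    """
    now = int(time.time()) if now is None else now
    problems: List[str] = []
    if "exp" in payload and now > payload["exp"] + leeway:
        problems.append("expired")
    if "nbf" in payload and now < payload["nbf"] - leeway:
        problems.append("not yet valid")
    aud = payload.get("aud")
    if isinstance(aud, str):
        aud = [aud]  # aud may be a single string or a list of strings
    if aud is None or expected_aud not in aud:
        problems.append("audience mismatch")
    if payload.get("iss") != expected_iss:
        problems.append("issuer mismatch")
    return problems


if __name__ == "__main__":
    info = peek(SAMPLE_TOKEN)
    print(json.dumps(info, indent=2))
    print(check_registered_claims(info["payload"], "shop-api", "https://issuer.example"))
```

Run as a script, the claim check reports "expired" because the sample token's exp is in 2019; the custom role claim is exactly the kind of extra data worth reading out of a token you find in a cookie.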

Security Concerns

As far as I know (and I don't), there is nothing inherently bad with the JWT standard. The main three issues potentially affecting the security of your JWT secured app are: