In this post on Understanding JSON Web Tokens, I will explain the concept of JWT. Basically, a JWT, or JSON Web Token, is a way of securely transferring information between parties. The information is transferred as a JSON object rather than as plain text. Since this information is digitally signed, the receiving party can verify it. Hence, the information can be trusted.
Client Request Authentication
Generally, when a client needs to access a web server in order to retrieve a resource, it must first authenticate itself. Therefore, the client sends its credentials, in the form of a username and password, to the server in order to access a particular resource. The server, in turn, verifies the credentials against the database and then sends the response.
Further, if the client needs to access another secure resource, the server again requires its credentials in order to authenticate the client. Therefore, the server authenticates the client through its credentials with each request, and this repeated transmission makes the client’s credentials vulnerable to attacks. In order to overcome this problem, token-based authentication such as JSON Web Token (JWT) can be used.
Token Based Authentication
In brief, token-based authentication works as follows. In order to authenticate, the client sends its credentials. The server validates the credentials and generates a token. In addition to sending the token back to the client, the server also keeps a copy of it. All subsequent requests from the client carry that token for authentication rather than its credentials. The server verifies the token received from the client against the one that it has stored and sends the response accordingly.
JSON Web Token (JWT)
The JSON Web Token is one of several token-based mechanisms for authentication. JWT transfers information securely by signing each token: the token is signed with a secret key using an HMAC algorithm, so the server can detect any modification of its contents.
Issues with JWT
The first issue related to JWT is token expiry, since a token that never expires becomes a security threat. Secondly, if the token is stored in the browser’s local storage, it also becomes vulnerable there.
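As an added example (not code from the original post), here is a minimal HS256 JWT issuer and verifier written against Python's standard library. It covers the signing step described under "JSON Web Token (JWT)" and the expiry check that the first issue above calls for: a token without an exp claim, or whose exp has passed, is rejected, and the signature is checked in constant time before the payload is trusted. The secret key, claim values and timestamps are constructed for the example; a real service would load a long random key from a secrets store. Note that because the signature alone lets the server verify a token, the server does not have to keep a copy of each issued token, which is what makes JWT a stateless variant of the token-based flow described earlier.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed secret for this example only; a real deployment uses a long random
# key loaded from a secrets store, never a literal in source code.
SECRET_KEY = b"example-secret-key-do-not-use"


def _b64url_encode(data: bytes) -> str:
    # JWT segments use base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that the encoder stripped before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def create_jwt(claims: dict, secret: bytes, lifetime_seconds: int = 300,
               now: Optional[int] = None) -> str:
    """Build a compact HS256 JWT of the form header.payload.signature.

    'now' is an injectable clock (seconds since the epoch) so the behaviour is
    reproducible; it defaults to the current time.
    """
    issued_at = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims)
    payload["iat"] = issued_at
    payload["exp"] = issued_at + lifetime_seconds  # every token expires
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    # HMAC-SHA256 over the first two segments; only the holder of the secret can produce it.
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def verify_jwt(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Verify signature and expiry; return the claims, or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three dot-separated segments")
    header_b64, payload_b64, signature_b64 = parts

    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm the server issues with; never let the token choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")

    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak timing information.
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        raise ValueError("bad signature")

    # Only now is the payload trustworthy enough to parse and act on.
    payload = json.loads(_b64url_decode(payload_b64))
    current = int(time.time()) if now is None else now
    if "exp" not in payload:
        raise ValueError("token has no expiry")  # non-expiring tokens are refused
    if current >= payload["exp"]:
        raise ValueError("token expired")
    return payload


if __name__ == "__main__":
    # Constructed claims and a fixed clock so the output is reproducible.
    token = create_jwt({"sub": "alice", "role": "user"}, SECRET_KEY,
                       lifetime_seconds=60, now=1_700_000_000)
    print(token)
    print(verify_jwt(token, SECRET_KEY, now=1_700_000_010))
```

The verifier checks the signature before it parses the payload and refuses any token whose header names a different algorithm; both ordering decisions matter, because an attacker controls every byte of a presented token until the signature check succeeds.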
Benefits of JSON Web Tokens
Since the use of JWT eliminates the need to send the client’s credentials with each request, it makes the authentication process more secure. Further, creating a JWT is quite simple. Moreover, the tokens thus created contain all the information about the client that the server needs. Therefore, there is no need to access the database again and again.
This article on Understanding JSON Web Tokens explains the need to authenticate a client without transferring its credentials with each request. A token-based mechanism offers a solution to this problem, and JSON Web Tokens are one of several ways of implementing token-based authentication. Additionally, the issues related to JWT and its benefits are also discussed.