JWT: Using the Header and JWS Parameters

Explore the basic components of JWT — headers and JWS parameters.

By Marudhamaran Gunasekaran · Nov. 16, 18 · Tutorial

This post aims to provide a quick overview of the JWT claims and meta information, because they are usually presented as short, three-letter names to keep the token compact.

Oversimplified JWT Definition

JWT has three basic components: [MetaInformation].[Claims].[Signature]

[Image in the original: a sample JWT with its three dot-separated segments highlighted.]

1. Base64 – The metadata (also known as the header or manifest) includes how the token is structured, signed, and so on.
2. Base64 – Claims provide the actual meaning of the token.
3. Base64 – Signature provides authenticity and integrity.

https://tools.ietf.org/html/rfc7519#section-10.1.2 describes the registered claims for JWT. An identity provider has the flexibility to add claims that are specific for the intended situations.
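To make the three-part structure concrete, here is an added example (not code from the original post) that splits a compact JWS into its header, claims and signature, restores the base64url padding that JWTs omit, and verifies an HS256 signature the way a verifier should: by pinning the algorithm it expects rather than trusting the alg value carried in the header. The secret and claims are constructed for the demo; nothing here comes from a real issuer.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(segment: str) -> bytes:
    """Decode one JWT segment. JWTs use base64url without '=' padding, so restore it first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    """Encode bytes as unpadded base64url, the encoding every JWT segment uses."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def split_jwt(token: str):
    """Return (header, claims, signature_bytes) from a compact-serialized JWS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have exactly three dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims, b64url_decode(parts[2])


def sign_hs256(header: dict, claims: dict, secret: bytes) -> str:
    """Build a token the way an issuer does: base64url(header).base64url(claims), then HMAC-SHA256."""
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_hs256(token: str, secret: bytes, expected_alg: str = "HS256") -> dict:
    """Verify the signature and return the claims; raise ValueError on any failure.

    The header's alg is untrusted input until the signature checks out, so the
    verifier pins the algorithm it expects instead of honouring whatever the
    token says. That single check is what rejects alg "none" or a swapped alg.
    """
    header, claims, signature = split_jwt(token)
    if header.get("alg") != expected_alg:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_input = token.rsplit(".", 1)[0].encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("signature does not match")
    return claims


def is_valid_hs256(token: str, secret: bytes) -> bool:
    """Boolean wrapper around verify_hs256 for callers that only need accept/reject."""
    try:
        verify_hs256(token, secret)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    # Constructed sample: a throwaway secret and claims, not a token from any real issuer.
    secret = b"constructed-demo-secret"
    token = sign_hs256({"typ": "JWT", "alg": "HS256"}, {"sub": "1234", "iss": "example-issuer"}, secret)
    print(token)
    print(split_jwt(token)[:2])
    print(verify_hs256(token, secret))
```

Decoding the header and claims needs no key at all, which is exactly why they must be treated as unverified data until the third segment has been checked; only verify_hs256 returns claims an application may act on.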

Exploring the JWT Header

Let’s look at the following JWT sample (base64 decoded) that has the header information below. We will explore the data section subsequently.
[Image in the original: the decoded header of a sample JWT.]
RFC reference – https://tools.ietf.org/html/rfc7515#section-4.1 (JSON Web Signature)

typ

In the above example, typ indicates the token type of JWT.

alg

alg indicates the algorithm used to sign the JWT token. The most commonly used values are RS256 and HS256, which stand for RSA-SHA256 (asymmetric) and HMAC-SHA256 (symmetric), respectively. The RS256 alg belongs to the RSA kty (read the kty section below).

x5t

x5t is the thumbprint of the X.509 certificate, that is, the certificate whose private key was used to sign the JWT.

kid

The kid is the key id, indicating which key was used to sign the JWT token. This field is particularly useful when the public key discovery endpoint publishes many keys and we need to know which one was used to sign.

In order to verify the signature of the JWT token, the verifier needs to know the public key of the public/private key pair used to sign the JWT token. Most identity providers expose this information via discovery mechanisms, such as the one below from Microsoft Azure.
[Image in the original: a key discovery (JWKS) document from Microsoft Azure.]
Based on the above example:

kty

kty is the key type: the cryptographic family of the key used to sign the JWT. RSA and EC are some of the values allowed for kty. RS256 and RS512 are some of the algorithms (alg) that belong to the RSA family (kty).

use

  • use indicates what the key is for: enc (encryption) or sig (signing).

  • x5t and kid are explained above.

  • n is a public key component of the RSA key (the modulus).

  • e is a public key component of the RSA key (the public exponent).

  • x5c is the X.509 certificate chain.

  • Note: If the key type (kty) is EC (elliptic curve), then the public components are x and y instead.
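The kid, kty, use, x5t and n/e parameters above are what a verifier needs to pick the right key out of a discovery document. The following is an added example (not code from the original post or from any identity provider) that selects a key from a JWKS by kid and then cross-checks it: the header's alg must be on the verifier's allow list, the key must be marked for sig rather than enc, the key's kty must match the alg family (RS* needs RSA, ES* needs EC), and an x5t in the header must agree with the key's thumbprint. The JWKS document is constructed for the demo: the kid, x5t and n values are placeholders, and n is far too small to be a real RSA modulus.

```python
import base64

# JWS alg values grouped by the JWK key type (kty) they belong to, per RFC 7518.
ALG_FAMILY = {
    "RS256": "RSA", "RS384": "RSA", "RS512": "RSA",
    "PS256": "RSA", "PS384": "RSA", "PS512": "RSA",
    "ES256": "EC", "ES384": "EC", "ES512": "EC",
    "HS256": "oct", "HS384": "oct", "HS512": "oct",
}

# Constructed JWKS for the demo. Real documents carry 2048-bit moduli and real thumbprints.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "use": "sig", "kid": "constructed-rsa-key",
         "x5t": "constructed-thumbprint", "n": "AQID", "e": "AQAB"},
        {"kty": "EC", "use": "sig", "kid": "constructed-ec-key",
         "crv": "P-256", "x": "AQ", "y": "Ag"},
        {"kty": "RSA", "use": "enc", "kid": "constructed-enc-key",
         "n": "AQID", "e": "AQAB"},
    ]
}


def b64url_to_int(segment: str) -> int:
    """JWK encodes RSA n/e and EC x/y as unpadded base64url big-endian integers."""
    raw = base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
    return int.from_bytes(raw, "big")


def select_signing_key(header: dict, jwks: dict, allowed_algs: frozenset) -> dict:
    """Return the JWK that may verify this token, or raise ValueError explaining why none may."""
    alg = header.get("alg")
    if alg not in allowed_algs:
        raise ValueError(f"alg {alg!r} is not on the verifier's allow list")
    kid = header.get("kid")
    if kid is None:
        raise ValueError("header carries no kid; cannot choose a key from the discovery document")
    candidates = [k for k in jwks.get("keys", []) if k.get("kid") == kid]
    if len(candidates) != 1:
        raise ValueError(f"expected exactly one key with kid {kid!r}, found {len(candidates)}")
    key = candidates[0]
    # A key published for encryption must never be used to accept signatures.
    if key.get("use", "sig") != "sig":
        raise ValueError(f"key {kid!r} has use={key['use']!r}, not sig")
    # The header's alg must belong to the family of the key it names.
    if key.get("kty") != ALG_FAMILY[alg]:
        raise ValueError(f"alg {alg!r} needs kty {ALG_FAMILY[alg]!r}, key has {key.get('kty')!r}")
    if "alg" in key and key["alg"] != alg:
        raise ValueError(f"key {kid!r} is restricted to alg {key['alg']!r}")
    # When both sides name a certificate thumbprint, they have to agree.
    if "x5t" in header and "x5t" in key and header["x5t"] != key["x5t"]:
        raise ValueError("x5t in header does not match the key's certificate thumbprint")
    return key


def key_is_acceptable(header: dict, jwks: dict, allowed_algs: frozenset) -> bool:
    """Accept/reject wrapper around select_signing_key."""
    try:
        select_signing_key(header, jwks, allowed_algs)
        return True
    except ValueError:
        return False


def rsa_public_numbers(jwk: dict):
    """Return (n, e) as integers for an RSA JWK."""
    if jwk.get("kty") != "RSA":
        raise ValueError("not an RSA key")
    return b64url_to_int(jwk["n"]), b64url_to_int(jwk["e"])


def ec_public_point(jwk: dict):
    """Return (x, y) as integers for an EC JWK."""
    if jwk.get("kty") != "EC":
        raise ValueError("not an EC key")
    return b64url_to_int(jwk["x"]), b64url_to_int(jwk["y"])


if __name__ == "__main__":
    hdr = {"typ": "JWT", "alg": "RS256", "kid": "constructed-rsa-key", "x5t": "constructed-thumbprint"}
    key = select_signing_key(hdr, SAMPLE_JWKS, frozenset({"RS256"}))
    print(key["kid"], rsa_public_numbers(key))
```

The integers returned by rsa_public_numbers and ec_public_point are what a cryptographic library is handed to build the public key object for the actual signature check; the point of this example is the lookup and consistency checks that have to succeed before that step, because each of kid, alg and x5t in the header is supplied by whoever minted the token.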

The next blog post will reference information from a sample JWT token in Azure AD. Stay tuned!

Credits and References

- https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-id-and-access-tokens
- https://tools.ietf.org/html/rfc7519
- https://redthunder.blog/2017/06/08/jwts-jwks-kids-x5ts-oh-my/
- https://tools.ietf.org/html/rfc7518
- https://tools.ietf.org/html/rfc7515


Published at DZone with permission of Marudhamaran Gunasekaran. See the original article here.
