Introduction

In the realm of modern web authentication, security and efficiency are of paramount importance. Traditionally, web applications have relied on session tokens to manage user authentication. However, as applications grow more complex and distributed, this approach has revealed some limitations. Enter JSON Web Tokens (JWT), a powerful and versatile solution that addresses these challenges. In this blog post, we will explore the drawbacks of session tokens, the advantages of JWTs, their composition, and the pros and cons of using JWTs over traditional session tokens.

Logging in Without JWT: The Session Token Approach

In the traditional session token approach, when a user logs in, the server generates a unique session identifier, which is stored either in-memory or on a database. This identifier is then sent to the client, usually as a cookie. On subsequent requests, the client sends this token back to the server, allowing the server to validate the user’s session.


The Problem with Session Tokens: Over-reliance on Database Queries

While session tokens work reasonably well for simple applications, they pose challenges in more complex scenarios. One significant issue is the reliance on database queries to validate the token. For every request, the server must look up the session token in the database to check its validity and retrieve relevant user information. As traffic grows, the database can become a bottleneck, leading to performance issues and scalability challenges.

The Magic of JWT: Composition and Verification

JSON Web Tokens (JWTs) offer a revolutionary alternative to traditional session tokens. JWTs are composed of three parts: the header, the payload, and the signature. The header specifies the token type (JWT) and the signing algorithm used, such as HMAC-SHA256 or RSA-SHA256. The payload contains claims or user information, such as user ID, roles, and expiration time. Lastly, the signature is created by signing the encoded header and encoded payload with a key known only to the server: a shared secret for HMAC, or the private key for RSA.


You can experiment with JWTs on this website: https://jwt.io/.

Example of a JWT Token

A JWT Token can look like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFsZXgiLCJwZXJtaXNzaW9ucyI6WyJkZXZlbG9wZXIiXSwiaWF0IjoxMjM0NTY3ODkwfQ.Kr-Afzzs-u8cbrmSixS__6O85AeQeflMWJPC6rUyEDU

We can split this token into 3 parts (separated by a ".").

First part: The Header

The first part of a JWT can look like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
// Base64url decoded
{
"alg": "HS256",
"typ": "JWT"
}

This part describes the token itself: its type and the algorithm used to sign it.

Second part: The payload

eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFsZXgiLCJwZXJtaXNzaW9ucyI6WyJkZXZlbG9wZXIiXSwiaWF0IjoxMjM0NTY3ODkwfQ
// Base64url decoded
{
"sub": "1234567890",
"name": "Alex",
"permissions": ["developer"],
"iat": 1234567890
}

Note: some claim names are registered and carry a standard meaning:

  • iss: Token creator (issuer)
  • sub: Token subject (subject)
  • aud: Token audience
  • exp: Token expiration date
  • nbf: Token not before date
  • iat: Token issued at date
  • jti: Unique identifier of the token (JWT ID)

Third part: The signature

Kr-Afzzs-u8cbrmSixS__6O85AeQeflMWJPC6rUyEDU

The role of this last part is to ensure that the JWT has not been modified. It is computed as follows:

HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
super_secret_key
)

If the signature does not match what the server recomputes with its secret key, the JWT is deemed invalid: it was either not issued by the server or has been altered by the user.

It is essential that the super_secret_key remains undisclosed to the user, as any knowledge of it would allow tokens to be forged and compromise the system's security.
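As an added example (not code from the original post), here is a minimal HS256 signer and verifier in Python that decodes the token shown above and performs the signature check the pseudocode describes, plus the exp/nbf claim checks; PAGE_TOKEN is the post's token (its secret is unknown, so only header and payload are decoded), while the demo key and claims at the bottom are constructed.

```python
import base64, hashlib, hmac, json, time

PAGE_TOKEN = (  # token from the post; its signing secret is unknown, so only header/payload are decoded
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFsZXgiLCJwZXJtaXNzaW9ucyI6WyJkZXZlbG9wZXIiXSwiaWF0IjoxMjM0NTY3ODkwfQ."
    "Kr-Afzzs-u8cbrmSixS__6O85AeQeflMWJPC6rUyEDU")

def b64url_encode(data: bytes) -> str:
    # JWT uses base64url with the '=' padding stripped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def decode_unverified(token: str):
    """Split on '.' and decode header and payload without trusting either."""
    header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def _compact(obj) -> str:  # base64url of minified JSON
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def sign_hs256(payload: dict, key: bytes) -> str:
    """HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), key)"""
    signing_input = _compact({"alg": "HS256", "typ": "JWT"}) + "." + _compact(payload)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_hs256(token: str, key: bytes, now=None) -> dict:
    """Return the payload only if the signature and the exp/nbf claims check out."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm server-side: the token must never get to choose it
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant-time compare
        raise ValueError("bad signature: token altered or wrong key")
    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    if "nbf" in payload and now < payload["nbf"]:
        raise ValueError("token not yet valid")
    return payload

if __name__ == "__main__":
    demo_key = b"constructed-demo-key-not-for-production"  # constructed for the demo
    tok = sign_hs256({"sub": "1234567890", "exp": int(time.time()) + 3600}, demo_key)
    print(verify_hs256(tok, demo_key))
```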

The Pros of Using JWT over Classic Session Tokens

  1. Statelessness: JWTs are self-contained, meaning all necessary information is within the token itself. This eliminates the need for server-side storage or database lookups, making JWTs inherently stateless and highly scalable.

  2. Reduced Database Queries: Without the reliance on database queries for each request, JWTs reduce the server’s processing overhead and improve response times, enhancing overall system performance.

  3. Interoperability: JWTs are language and platform-agnostic, allowing them to be easily used across different services, APIs, and microservices.

The Cons of Using JWT over Classic Session Tokens

  1. Token Size: While JWTs are efficient, the inclusion of user information directly within the token can lead to larger token sizes compared to session tokens, especially when carrying extensive claims.

  2. Security Concerns: Compromising the secret key can lead to unauthorized access to user information. It is crucial to store and manage the secret key securely.

  3. Limited Control Over Tokens: Unlike session tokens, once a JWT is issued, its validity cannot be revoked or modified without resorting to additional techniques like token blacklisting.

Conclusion

JSON Web Tokens (JWTs) have emerged as a game-changer in modern web authentication, offering a stateless, efficient, and secure alternative to traditional session tokens. By encapsulating user information and reducing the reliance on database queries, JWTs have simplified authentication processes, improved performance, and facilitated the development of scalable web applications. However, developers must remain vigilant about secure secret key management and token expiration to mitigate potential risks. Understanding the pros and cons of JWTs allows developers to make informed decisions and leverage their power effectively in designing robust and secure authentication systems.
