-->

  • Breaking It Down JWT Authentication

     

    Breaking It Down JWT Authentication

     

     Breaking It Down JWT Authentication

     

    JWT (JSON web token) authentication is a widely used method for securely transmitting information between parties as a JSON object. It is a token-based approach often employed in web applications for authentication and authorization purposes. 

     

    How JWT Works

     

    1) Token creation: When a user logs in or registers, the server creates a token (JWT) that contains encoded information (claims) such as user ID or roles. This token is signed (often using  a secret key or a public/private key) to ensure its integrity.

     

     2) Token Structure: A JWT consists of three parts:

     

    i) Header: Contains information about the token type (JWT) and the signing algorithm (eg: HMAC SHA256).

    ii) Payload: Contains the claims (user data and metadata)

    iii) Signature: Created using the header, payload, and a secret key.

     

     

     Benefits of JWT for Registration Authentication

     

    i) Stateless: JWTs enable stateless authentication, meaning the server doesn't need to store user session data. All information is encoded in the token, making it lightweight and scalable.

    ii) Security: JWTs are signed, so can't be tempered and without invalidating the signature.

    iii) Easy to Use: JWTs are easy to create and vaidate, making them ideal for handling user registration, email verification, OTP verification and more.

     

     

    Breaking it Down

     

     

     

    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkF0dWwgS3VtYXIiLCJlbWFpbCI6Imt1bWFyYXR1bGphaXN3YWwyMjJAZ21haWwuY29tIiwiaWF0IjoxNTE2MjM5MDIyfQ.YOdnmqIgD7L2PU0xHpGVzL_-tgiktaWk17hAIm__bC0

     

     

     A JWT (JSON web token) is a base64-encoded string that consists of three parts. Header, Payload, and signature, separated by dots (.) . Here's an example of what a JWT look like after a user registers:


    1] Header: Encoded metadata about the token



    {
  "alg": "HS256",
  "typ": "JWT"
}



    alg: Algorithm used for signing (Eg. HS256 for HMAC SHA-256).

    typ: Token type (always JWT)


    Encoded as Base64:


    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9



    2] Payload: Contains claims or user-related data.



    {
  "sub": "1234567890",
  "name": "Atul Kumar",
  "email": "kumaratuljaiswal222@gmail.com",
  "iat": 1516239022
}



    userId: A unique identifier for the user (Eg: database ID)

    name: User's name

    email: User's email address

    iat: Issued At Time (UNIX timestamp of when the token was created)


    Encoded as Base64:

     

     

    eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkF0dWwgS3VtYXIiLCJlbWFpbCI6Imt1bWFyYXR1bGphaXN3YWwyMjJAZ21haWwuY29tIiwiaWF0IjoxNTE2MjM5MDIyfQ

     

     

    3] Signature: Ensures the token's integrity, Created using the encoded header, encoded payload, and a secret key (eg: mysecretkey).

     

     


    HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret
)


     The result:


     

    YOdnmqIgD7L2PU0xHpGVzL_-tgiktaWk17hAIm__bC0

     

     

     Full JWT Structure:


    [Header].[Payload].[Signature]

     

     

    JWT Auth Code  


    Link - https://github.com/whoiskumaratul/jwt-authentication.git

     


    Notes:



    Readable Information: The Header and Payload are Base64-encoded and can be decoded to see the content. This is why sensitive data (e.g., passwords) should never be included in a JWT.

    Signature Security: The Signature ensures the token hasn't been tampered with. Without the secret key, an attacker cannot forge a valid token.

    Expiration:     Typically, JWTs also include an expiration (exp) claim to ensure the token is valid only for a certain time frame.

    Adding an expiration claim example to the payload:

     

     

    {
  "sub": "1234567890",
  "name": "Atul Kumar",
  "email": "kumaratuljaiswal222@gmail.com",
  "iat": 1516239022
  "exp": 1689692100
}

     

     

     This JWT would expire in 1 hour (if iat is 1516239022 and exp is 1689692100).

     

     

     


     

    Disclaimer



    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

     

     

    • 0 comments:

    Post a Comment

    For Any Tech Updates, Hacking News, Internet, Computer, Technology and related to IT Field Articles Follow Our Blog.