  • Breaking It Down JWT Authentication

     


     

    JWT (JSON Web Token) authentication is a widely used method for securely transmitting information between parties as a JSON object. It is a token-based approach often employed in web applications for authentication and authorization.

     

    How JWT Works

     

    1) Token creation: When a user logs in or registers, the server creates a token (JWT) that contains encoded information (claims) such as the user ID or roles. This token is signed (often using a secret key or a public/private key pair) to ensure its integrity.

     

    2) Token structure: A JWT consists of three parts:

    i) Header: Contains information about the token type (JWT) and the signing algorithm (e.g. HMAC SHA256).

    ii) Payload: Contains the claims (user data and metadata).

    iii) Signature: Created using the header, payload, and a secret key.

     

     

     Benefits of JWT for Registration Authentication

     

    i) Stateless: JWTs enable stateless authentication, meaning the server doesn't need to store user session data. All information is encoded in the token, making it lightweight and scalable.

    ii) Security: JWTs are signed, so they can't be tampered with without invalidating the signature.

    iii) Easy to Use: JWTs are easy to create and validate, making them ideal for handling user registration, email verification, OTP verification and more.

     

     

    Breaking it Down

     

     

     

    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkF0dWwgS3VtYXIiLCJlbWFpbCI6Imt1bWFyYXR1bGphaXN3YWwyMjJAZ21haWwuY29tIiwiaWF0IjoxNTE2MjM5MDIyfQ.YOdnmqIgD7L2PU0xHpGVzL_-tgiktaWk17hAIm__bC0
    

     

     

    A JWT (JSON Web Token) is a Base64URL-encoded string that consists of three parts, Header, Payload, and Signature, separated by dots (.). The token above is an example of what a JWT looks like after a user registers; its parts break down as follows:


    1] Header: Encoded metadata about the token



    {
      "alg": "HS256",
      "typ": "JWT"
    }
    



    alg: Algorithm used for signing (e.g. HS256 for HMAC SHA-256).

    typ: Token type (always JWT)


    Encoded as Base64:


    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
    



    2] Payload: Contains claims or user-related data.



    {
      "sub": "1234567890",
      "name": "Atul Kumar",
      "email": "kumaratuljaiswal222@gmail.com",
      "iat": 1516239022
    }
    



    sub: Subject of the token, a unique identifier for the user (e.g. the database user ID)

    name: User's name

    email: User's email address

    iat: Issued At Time (UNIX timestamp of when the token was created)


    Encoded as Base64:

     

     

    eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkF0dWwgS3VtYXIiLCJlbWFpbCI6Imt1bWFyYXR1bGphaXN3YWwyMjJAZ21haWwuY29tIiwiaWF0IjoxNTE2MjM5MDIyfQ
    

     

     

    3] Signature: Ensures the token's integrity. It is created using the encoded header, the encoded payload, and a secret key (e.g. mysecretkey).

     

     


    HMACSHA256(
      base64UrlEncode(header) + "." +
      base64UrlEncode(payload),
      secret
    )
    
    


     The result:


     

    YOdnmqIgD7L2PU0xHpGVzL_-tgiktaWk17hAIm__bC0
    

     

     

     Full JWT Structure:


    [Header].[Payload].[Signature]

     

     

    JWT Auth Code  


    Link - https://github.com/whoiskumaratul/jwt-authentication.git

     


    Notes:



    Readable Information: The Header and Payload are Base64-encoded and can be decoded to see the content. This is why sensitive data (e.g., passwords) should never be included in a JWT.

    Signature Security: The Signature ensures the token hasn't been tampered with. Without the secret key, an attacker cannot forge a valid token.

    Expiration:
    Typically, JWTs also include an expiration (exp) claim to ensure the token is valid only for a certain time frame.

    Adding an expiration claim example to the payload:

     

     

    {
      "sub": "1234567890",
      "name": "Atul Kumar",
      "email": "kumaratuljaiswal222@gmail.com",
      "iat": 1516239022,
      "exp": 1689692100
    }
    
    

     

     

     This JWT would expire in 1 hour (if iat is 1516239022 and exp is 1689692100).

     

     

     


     

    Disclaimer



    All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. We do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.

     

     
