Authorisation using JWT Tokens

  • JWT differs from a session ID: with a session ID it is the server's job to store and manage all the session data, whereas with a JWT it is the client's job to store and carry the data.
  • JWT is a value token: the token itself contains all the necessary details.
  • sub → subject → the user/client who requested the JWT.
  • iss → issuer → the server that actually issued the token.
  • exp → expiry → the time at which the token expires.
  • First, the server Base64URL-encodes both the header and the payload.
  • Next, it generates the signature over the encoded header and payload using the secret key.
  • First, the server splits the JWT into its three parts.
  • Secondly, the server computes the signature (the third part of the JWT) on its own from the first two parts plus the secret, then compares the result with the third part of the token. If they match, JWT authorisation is successful; otherwise it fails.
  • HMAC SHA-256 ("HS256").
  • RSASSA with SHA-256 ("RS256").
