Authorisation using JWT Tokens

aditya goel
6 min readNov 8, 2022

Question: JWTs enable the Client side Sessions. Comment ?

  • JWT is different from the SessionId, because In case of SessionId, it’s the server’s headache to manage all the data, whereas in case of JWT, it’s the client’s headache to store and manage all the data.
  • JWT is a Value Token, which itself contains all the necessary details. Comment.

Question: How does a JWT Token looks like ?

Question: What are the components of a JWT Token ?

Note that, Payload is also known as Claim-Set, so we can also consider the JWT (aka JSON Web Encrypted Tokens) as below :-

Question: Can you showcase the different parts of the JWT Token ?

Question: What else can ClaimSet/Payload contain ?

  • sub → subject → The user/client who have requested for JWE token.
  • iss → issues → The one server, who actually issues a token.
  • exp → expiry → The expiry timer of the token.

Question: Who generates the JWT Token in this case ? Is it generated by Server ?

Question: Whats the purpose of JWT Token ? Is it Authorization ?

Question: Can you explain how does JWT works end to end ?

Question: How the flow diagram looks like for using JWT for Authorisation?

Question: How does JWT is being stored by the Client ?

Question: How does JWT works ?

Question: How does Server generates the JWT ?

  • First server generates the Base64 encoded URL for both Header & Payload.
  • Next, it generates the signature by the help of (header+payload) and the secret key.

Question: How does Server examines, whether the JWT token is correct OR not ?

  • First, server examines the three parts of the JWT token :-
  • Secondly, server computes the signature (third part of the JWT token) on it’s own, with the help of first two parts + secret. Later, it compares this generated part with the 3rd part of JWT token. If it matches, JWT authorisation is succesful, else not.

Question: What carefulness should we keep while working with JWT ?

Question: JWTs can be stolen easily. So, anyone else can also impersonate, if this JWT token is being stolen. Comment.

Question: Whats the solution to the problem of JWTs being stolen ?

Question: What’s the usual approach of using JWT tokens in more secured manner (In Banking Industry) ?

Question: How does Server to Server communication happens with JWT tokens ?

Question: What are the types of algorithms, that can be used to geenrate the signature ?

Answer: Primarily there are 2 types of algos being used majorly :-

1.) HMAC-SHA-256 (“HS256”) → HMAC-SHA256 is commonly used for message authentication and integrity checking in various protocols and applications, including digital signatures, VPNs, and secure messaging

  • SHA-256 is a one-way function that takes an input-message and produces a fixed-size output, called a hash, which is unique to the input message. The output of SHA-256 is 256 bits long, and it is designed to be fast and efficient.
  • HMAC-SHA256, on the other hand, is a keyed hash function that combines a secret key with the input-message before applying the SHA-256 hash function.
  • This provides an additional layer of security by ensuring that the integrity and authenticity of the message can only be verified by someone who has access to the secret key.
  • The secret-key that is shared between the two parties used to generate the hash that will serve as the signature. Since the same key is used both to generate the signature and to validate it, care must be taken to ensure that the key is not compromised.

2.) RSASSA with SHA-256 (“RS256") → RS256 (RSA Signature with SHA-256) is an asymmetric algorithm.

  • It uses a public/private key pair: the identity provider has a private (secret) key used to generate the signature, and the consumer of the JWT gets a public key to validate the signature.
  • Since the public key, as opposed to the private key, doesn’t need to be kept secured, most identity providers make it easily available for consumers to obtain and use (usually through a metadata URL).

Conclusion →

  • If you will be developing the application consuming the JWTs, you can safely use HS256, because you will have control on who uses the secret keys.
  • If, on the other hand, you don’t have control over the client, or you have no way of securing a secret key, RS256 will be a better fit, since the consumer only needs to know the public (shared) key.

Question: How does we use HMAC based HS256 algo ?

Answer:- This is a Symmetric key Cryptography. Single key is being used by both the servers for creating and verifying the tokens.

Question: How does we use RSASSA algo ?

Answer:- This is Asymmetric key Cryptography. two different keys are being used i.e. Public Key & Private Key.

Now, Public keys are being exchanged between the servers, whereas private keys are kept secretly.

The advantage of the Assymetric RSA algo based approach is that, even if say Server-B gets hacked, then still they can’t impersonate as Server-A, because they don’t have the secret key of server-A.

That’s all in this series. Pl clap on the page, if you liked reading it.



aditya goel

Software Engineer for Big Data distributed systems