Authorisation using JWT Tokens

Question: JWTs enable the Client side Sessions. Comment ?

• JWT is different from the SessionId, because In case of SessionId, it’s the server’s headache to manage all the data, whereas in case of JWT, it’s the client’s headache to store and manage all the data.
• JWT is a Value Token, which itself contains all the necessary details. Comment.

Question: How does a JWT Token looks like ?

Question: What are the components of a JWT Token ?

Note that, Payload is also known as Claim-Set, so we can also consider the JWT (aka JSON Web Encrypted Tokens) as below :-

Question: Can you showcase the different parts of the JWT Token ?

Question: What else can ClaimSet/Payload contain ?

• sub → subject → The user/client who have requested for JWE token.
• iss → issues → The one server, who actually issues a token.
• exp → expiry → The expiry timer of the token.

Question: Who generates the JWT Token in this case ? Is it generated by Server ?

Question: Whats the purpose of JWT Token ? Is it Authorization ?

Question: Can you explain how does JWT works end to end ?

Question: How the flow diagram looks like for using JWT for Authorisation?

Question: How does JWT is being stored by the Client ?

Question: How does JWT works ?

Question: How does Server generates the JWT ?

• First server generates the Base64 encoded URL for both Header & Payload.
• Next, it generates the signature by the help of (header+payload) and the secret key.

Question: How does Server examines, whether the JWT token is correct OR not ?

• First, server examines the three parts of the JWT token :-

• Secondly, server computes the signature (third part of the JWT token) on it’s own, with the help of first two parts + secret. Later, it compares this generated part with the 3rd part of JWT token. If it matches, JWT authorisation is succesful, else not.

Question: What carefulness should we keep while working with JWT ?

Question: JWTs can be stolen easily. So, anyone else can also impersonate, if this JWT token is being stolen. Comment.

Question: Whats the solution to the problem of JWTs being stolen ?

Question: What’s the usual approach of using JWT tokens in more secured manner (In Banking Industry) ?

Question: How does Server to Server communication happens with JWT tokens ?

Question: What are the types of algorithms, that can be used to geenrate the signature ?

Answer: Primarily there are 2 types of algos being used majorly :-

• HMAC SHA-256 (“HS256”).
• RSASSA with SHA-256 (“RS256").

Question: How does we use HMAC based HS256 algo ?

Answer:- This is a Symmetric key Cryptography. Single key is being used by both the servers for creating and verifying the tokens.

Question: How does we use RSASSA algo ?

Answer:- This is Asymmetric key Cryptography. two different keys are being used i.e. Public Key & Private Key.

Now, Public keys are being exchanged between the servers, whereas private keys are kept secretly.

The advantage of the Assymetric RSA algo based approach is that, even if say Server-B gets hacked, then still they can’t impersonate as Server-A, because they don’t have the secret key of server-A.

That’s all in this series. Pl clap on the page, if you liked reading it.