Header add

In this article we will discuss the brief description about JWT (Json Web Token). If you miss our previous article then please go through the link How to secure ASP.NET Web API using Basic Authentication and Token Based Authentication in Web API. In this article we will cover
  • What is JWT  ?
  • Structure of JWT  ?
  • How JWT works ?
  • How we use JWT ?

What is JWT  ?

JWT stand for JSON Web Token.It is an open standard means anybody can use it.It securely transfers information between any two servers.It is digitally signed means it is verified and trusted. There is no alteration of data while transfer.It can be signed using a secret (with the HMAC algorithm) or a public/private key pair by using RSA or ECDSA(Elliptic Curve Digital Signature Algorithm) encryption.It is highly compact. JWT is used to send via URL using POST request and HTTP Header.It provides a fast transmission of data.

For more details of JWT please visist the official site https://jwt.io/

JWT ensures you, the sent data is actually created from an authentic source. When a user sends a request to the server with a valid credential. A JSON Web Token will be returned back to the user from the server. A user has to send again request to the server with the received JWT, typically in the Authorization header using the Bearer schema. The server will check for a valid JWT in the Authorization header received from the user request, and if it’s present, the user will be allowed to access protected resources.

 Structure of JWT ?

JWT is basically a string text containing three different parts separated by dot(.)  header.payload.signature

Header – This is the first separated part of JSON Web Token which basically Identifies which algorithm is used to generate the signature like MAC SHA256 or RSA. Below is the example
    "alg" : "HS256",
    "typ" : "JWT"
The "typ" key specifies that the object is a JWT, and the value of the "alg" key specifies which hashing algorithm is being used to create the JWT signature component. In our case, we are using the SHA256 algorithm, a one way hashing algorithm that uses a secret key in order to compute the signature.

Payload – This is the second separated part of JSON Web Token which basically contains the claims.
Claims are the statements about the entity, such as a user. And also, the payload contains the additional metadata. Below is the example of payload
      "sub": "1234567890",
      "name": "CoreProgramm",
      "iat": 1516239022
There are three types of Claims: Registered, Public, and Private.
  • Registered claims are set of the predefined claims which is mainly recommended but that are not eventually mandatory. Here, the claim names are three characters long, so JWT can be as compact as possible. In our article we have used registered claims.
  • Public claims are claims that can be defined at your "own will" just to avoid the collisions, which means there is no any restriction has been set. claims should be defined in Internet Assigned Numbes Authority (IANA ) Json.
  • Private claims are the custom claims that are mainly created to share the information between user and server.
You can put as many claims as you like, these fields can be useful when creating JWT, but they are optional.Never put any important and secure information in the Payload because an attacker can access it.

Signature – This is third and last separated part of JSON Web Token which basically securely validates the token. The signature is used to verify that the message wasn’t changed in transition. To create a signature you have to take the encoded header and the encoded payload, a secret(the algorithm specified in the header), and sign that.
    base64UrlEncode(header) + "." +
The resulting string(encoded header and the encoded payload) is concatenated with a period(.) separator, and then run through the cryptographic algorithm specified in the header, in this example we are using HMAC-SHA256.

Generating JWT Token

We have already created all the three components, now we are ready to create the JWT. Remember the header.payload.signature structure of the JWT, we simply need to combine the components, with periods (.) separating them. We use the base64url encoded versions of the header, payload, and the signature.

The JWT token look like below; You can generate your token through the link https://jwt.io/

How to use JWT Token ?

While authentication, just after the user successfully send a request to the server with their valid credentials, a JSON Web Token will be returned. The tokens are a way to authenticate the request. Now the token is always to be sent with request typically in the Authorization header using the Bearer schema. Please note down how to send a request with JWT received token.

Add the generated token in Authentication header as Bearer token
For practical example of how the JWT token please go through our next article where we create a WEB API and test it through in POSTMAN using Bearer token as Authentication header.
JWT Authentication in ASP.NET WEB API

Post a Comment

Previous Post Next Post