Wednesday, 20 November 2024

What information JWT token contains

            No comments   

JWT (JSON Web Token) is a compact, URL-safe token format used for securely transmitting information between parties. In the context of a Web API, a JWT typically contains three main parts:

1. Header:

  • The header typically consists of two parts:
    • Type: This is usually "JWT" to indicate the token format.
    • Algorithm: The algorithm used for signing the token, such as HS256 (HMAC SHA-256) or RS256 (RSA SHA-256). The algorithm ensures the integrity of the token and prevents it from being tampered with.

Example of a header:

{
    "alg": "HS256",
    "typ": "JWT"
  }

2. Payload:

  • The payload contains the claims or the information being transmitted. There are three types of claims:
    • Registered Claims: These are predefined claims that are recommended to use, but not mandatory. Examples include:
      • iss (Issuer): The entity that issued the token.
      • sub (Subject): The subject or user the token is about.
      • aud (Audience): The intended recipient of the token.
      • exp (Expiration Time): The expiration time of the token (timestamp).
      • iat (Issued At): The timestamp when the token was issued.
      • nbf (Not Before): The timestamp before which the token should not be accepted.
      • jti (JWT ID): A unique identifier for the token.
    • Public Claims: These are claims that can be defined by anyone, but they should be collision-resistant (e.g., using a URI).
    • Private Claims: These are custom claims that are used between the issuer and the consumer (API server). These claims contain application-specific information, such as user roles, permissions, etc.

Example of a payload:

var claims = new[]
{
    new Claim(JwtRegisteredClaimNames.Sub, "userid"), // Registered Claims
    new Claim(JwtRegisteredClaimNames.Name, username), // Registered Claims
    new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
    new Claim("role", "admin"), // Custom Claims
    new Claim("email", "johndoe@example.com") // Custom Claims
};

3. Signature:

  • The signature is created by concatenating the encoded header and payload, and then signing them using the secret key (e.g., secretkey) and the algorithm (HS256).

Example process of creating the signature:

  • Take the encoded header and payload.
  • Concatenate them with a period (.) separator: header.payload.
  • Sign this concatenated string with the specified algorithm and secret key.
  • Base64Url encode the resulting signature.

The final JWT looks like:

header.payload.signature

Example of a Complete JWT:

A complete JWT token might look like this (note that these parts are base64url-encoded):

eyJhbGciOiAiSFMyNTYiLCJ0eXAiOiAiSl"..."...

Summary:

  • Header: Contains metadata like the algorithm and token type.
  • Payload: Contains the claims or information (such as user ID, roles, etc.).
  • Signature: Ensures the integrity of the token and verifies the sender’s identity.

In the context of Web APIs, JWTs are used to authenticate and authorize users, securely transmitting user data (like a user ID or roles) between the client and the server. The server can verify the authenticity of the JWT and extract relevant information to grant access to resources or perform other actions.



0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Topics

ADFS (1) ADO .Net (1) Ajax (1) Angular (47) Angular Js (15) ASP .Net (14) Authentication (4) Azure (3) Breeze.js (1) C# (55) CD (1) CI (2) CloudComputing (2) Coding (10) CQRS (1) CSS (2) Design_Pattern (7) DevOps (4) DI (3) Dotnet (10) DotnetCore (20) Entity Framework (5) ExpressJS (4) Html (4) IIS (1) Javascript (17) Jquery (8) jwtToken (4) Lamda (3) Linq (10) microservice (4) Mongodb (1) MVC (46) NodeJS (8) React (10) SDLC (1) Sql Server (32) SSIS (3) SSO (1) TypeScript (3) UI (1) UnitTest (2) WCF (14) Web Api (16) Web Service (1) XMl (1)

Dotnet Guru Archives