{"id":2969,"date":"2021-01-24T17:54:58","date_gmt":"2021-01-25T01:54:58","guid":{"rendered":"https:\/\/SUMMALAI.COM\/?p=2969"},"modified":"2021-01-24T17:55:00","modified_gmt":"2021-01-25T01:55:00","slug":"json-web-token-structure-three-parts-separated-by-dots","status":"publish","type":"post","link":"https:\/\/SUMMALAI.COM\/?p=2969","title":{"rendered":"JSON Web Token Structure – Three Parts Separated by Dots"},"content":{"rendered":"\n
All Auth0-issued JWTs have\u00a0JSON Web Signatures (JWSs), meaning they are signed rather than encrypted. A JWS represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures.<\/p>\n\n\n\n
A well-formed JWT consists of three concatenated Base64url-encoded strings, separated by dots (.<\/code>):<\/p>\n\n\n\n
JOSE Header<\/strong>: contains metadata about the type of token and the cryptographic algorithms used to secure its contents.<\/li>
JWS payload<\/strong>\u00a0(set of\u00a0claims): contains verifiable security statements, such as the identity of the user and the permissions they are allowed.<\/li>
JWS signature<\/strong>: used to validate that the token is trustworthy and has not been tampered with. When you use a JWT, you\u00a0must<\/strong>\u00a0check its signature\u00a0before storing and using it.<\/li><\/ul>\n\n\n\n
A JWT typically looks like this:<\/p>\n\n\n\n<\/figure>\n\n\n\n
To see for yourself what is inside a JWT, use the\u00a0JWT.io Debugger. It allows you to quickly check that a JWT is well formed and to manually inspect the values of the various claims.<\/p>\n\n\n\n<\/figure>\n\n\n\n
JOSE header<\/h3>\n\n\n\n
JSON object containing the parameters describing the cryptographic operations and parameters employed. The JOSE (JSON Object Signing and Encryption) Header is comprised of a set of Header Parameters that typically consist of a name\/value pair: the hashing algorithm being used (e.g., HMAC SHA256 or RSA) and the type of the JWT.<\/p>\n\n\n\n
The payload contains statements about the entity (typically, the user) and additional entity attributes, which are called claims. In this example, our entity is a user.<\/p>\n\n\n\n
When working with JWT claims, you should be aware of the different claim types and naming rules.<\/p>\n\n\n\n
JWS signature<\/h3>\n\n\n\n
The signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn’t changed along the way.<\/p>\n\n\n\n
To create the signature, the Base64-encoded header and payload are taken, along with a secret, and signed with the algorithm specified in the header.<\/p>\n\n\n\n
For example, if you are creating a signature for a token using the HMAC SHA256 algorithm, you would do the following:<\/p>\n\n\n\n
![\"JSON](\"https:\/\/images.ctfassets.net\/cdy7uua7fh8z\/7FI79jeM55zrNGd6QFdxnc\/80a18597f06faf96da649f86560cbeab\/encoded-jwt3.png\")
<\/figure>\n\n\n\n![\"JWT](\"https:\/\/images.ctfassets.net\/cdy7uua7fh8z\/5U3Azt2AReuNzNuQqkRs5\/9629ab9924a0212b74bee0b8fa88c295\/legacy-app-auth-5.png\")
<\/figure>\n\n\n\n