jwt.md

File metadata and controls

54 lines (47 loc) · 1.2 KB

Background

Working with authentication and authorization in the web space, one cannot escape JWT and its variants. This is my short note on the format.

What is JWT?

JWT looks something like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

It consists of three base64url-encoded parts, separated by dots (go find the two dots in the example above).

  • Header
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
    
    which decodes to
    {
        "alg": "HS256",
        "typ": "JWT"
    }
  • Body
    eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ
    
    which decodes to
    {
        "sub": "1234567890",
        "name": "John Doe",
        "iat": 1516239022
    }
  • Signature
    SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
    
    which does not decode to readable text. It is the base64url-encoded value of:
    HMACSHA256(
        base64UrlEncode(header) + "." +
        base64UrlEncode(payload),
        SecretKey
    )
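
The three parts above can be split, decoded and checked with the Python standard library alone. This is an added example, not part of the original note: the helper names and `DEMO_KEY` are assumptions (the note does not give the real SecretKey), so the sample token's header and body are re-signed with a constructed key to show verification succeeding and failing.

```python
import base64
import hashlib
import hmac
import json

# Example token shown in this note.
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"
    ".eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ"
    ".SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)
# Constructed demo key (assumption): the note does not state the real SecretKey.
DEMO_KEY = b"constructed-demo-key"

def b64url_decode(part: str) -> bytes:
    # JWT drops the trailing "=" padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def split_token(token: str) -> list:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.body.signature")
    return parts

def decode_unverified(token: str) -> tuple:
    # Anyone can read the header and body; encoding is not encryption.
    header_b64, body_b64, _ = split_token(token)
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(body_b64))

def sign_hs256(header_b64: str, body_b64: str, key: bytes) -> str:
    # The MAC covers the encoded strings exactly as transmitted.
    signing_input = f"{header_b64}.{body_b64}".encode("ascii")
    return b64url_encode(hmac.new(key, signing_input, hashlib.sha256).digest())

def verify_hs256(token: str, key: bytes) -> dict:
    header_b64, body_b64, sig = split_token(token)
    # Pin the algorithm; never let the token's own header choose it.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = sign_hs256(header_b64, body_b64, key)
    if not hmac.compare_digest(expected.encode(), sig.encode()):  # constant-time
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body_b64))

if __name__ == "__main__":
    print(decode_unverified(PAGE_TOKEN))
    h, b, _ = split_token(PAGE_TOKEN)
    print(verify_hs256(f"{h}.{b}.{sign_hs256(h, b, DEMO_KEY)}", DEMO_KEY))
```

Only the claims returned by `verify_hs256` should be trusted; `decode_unverified` is for inspection.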
    

Further Reading?