JSON Web Tokens (JWT)
Introduction
3 Parts of a JWT
Header - Contains information about the Token
Payload/Claims - Actual Token data
Signature/JWS - Used for Token validation
Header.Claims.JWS
Header
The header contains the token's metadata and, at a minimum, the type of signature and/or encryption algorithm used
Claims
The claims contain any information that you want signed
Standard Keys/Properties
“sub”
“email”
“iss”
“aud”
“iat”
“exp”
“nonce”
“auth_time”
JSON Web Signature (JWS)
The header and claims are digitally signed using the algorithm specified in the header
The header and claims are JSON objects that are base64url-encoded for transport. The encoded header, claims, and signature are concatenated, separated by a period character (.)
Creating a JWT Token:
// Base64url-encode the JSON header and claims, then sign "header.claims" with HMAC-SHA256
var base64URLencode = function (s) { return Buffer.from(s).toString("base64url"); };
var headers = base64URLencode(JSON.stringify(myHeaders));
var claims = base64URLencode(JSON.stringify(myClaims));
var payload = headers + "." + claims;
var signature = require("crypto").createHmac("sha256", secret).update(payload).digest("base64url");
var encodedJWT = payload + "." + signature;
Store tokens in Cookies
Cross-site request forgery (CSRF) - the risk for tokens stored in cookies
Cross-site scripting (XSS) - the risk for tokens stored in WebStorage