Let’s deep dive into the details.
JWT has been there for years. as a mature authentication standard, there is a lot of really great information out there that explains what a JWT is.
In this article I’d like to discuss the flow of the authentication by using JWT, and the difference between the algorithms.
And to make sure you will understand in 5 mins.
Let’s start.
What is the JWT token?
I think you already have an idea of what is JWT token.
It is a string containing 3 parts (delimiter is .) each part encoded with base64.
Here is a sample token.
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiJhYmMiLCJuYW1lIjoiYWJjQHRlc3QuY29tIiwiaWF0IjoxNjgwMzUyMzY2fQ.
ifby77X8gnrFtiDhvrcciBigv4cJwUgPjwK5dspBGk4So as you can see there are 3 encoded stings.
- header
{
"alg": "HS256",
"typ": "JWT"
}- payload
{
"sub": "abc",
"name": "abc@test.com",
"iat": 1680352366
}- signature
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
T0pS@crept!!!
)- Header. only stores algorithm and type information. you only need to care about the alg field. (later will explain)
- Payload, to keep it…
