What is JWT token?
Json Web Token is just a JSON data encoded and signed with a private key. Since it is signed, it is impossible to tamper the data. In the presence of the private key, the data can be verified (for integrity and authenticity) across multiple servers.
The JWT token consists of three parts:
Header.Body.Signature
Example:
Header contains, among other things, what algorithm is used to sign the token.
Body is just the Base64URL encoded JSON data. Body is also called Claims in JWT terminology. We will learn about Claims in a later section below.
Signature contains, depending on the selected algorithm (specified in Header section), the signature of the Body signed with a private key. The private key shall be kept secret.
Since the Session data is just a key-value pairs, it can be stored as JSON payload in the JWT token.
Claims are fields in JSON data section of the token. The establish certain information about the token like when it was issued, who issued it, whom it is intended for, etc.
Issuer Claim is stored as iss in the JWT body. It establishes who issued the token in the first place.
Audience Claim is stored as aud in the JWT body. It is a list. It identifies the intended recipients of the token. The issuer sets it when the token is issued.
When a client makes a request to the server with a token, the recipient server shall check whether it is listed in the audience field. If it is not listed, the request shall be rejected.
Subject Claim is stored as sub in the JWT body. It identifies the client for which the token is issued.
For example, it identifies the logged-in user, when the token is used for user authorization.
Expiry Claim is stored as exp in the JWT body. It specifies the seconds since epoch at which the token shall expire.
Issued at Claim is stored as iat in the JWT body. It specifies the seconds since epoch at which the token was issued.
In the next article, we will explore how to use store sessions on JWT.