Last Updated: 2024-04-25

JWT (JSON Web Token) is an alternative to session-based authentication

Example

You take a header like so

{
  "alg": "HS256",
  "typ": "JWT"
}

and then a payload

{
  "name": "John Doe",
  "user_id": 1516239022,
  "admin": true
}

and a secret (256 bit)

then process is as follows

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  your-256-bit-secret
)

to get a lump of signature: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Commonalities

In both cases, once the user is authenticated for the first time, the server sends a seemingly random string to the client, which the client stores in persistent storage (e.g. web storage, cookies, NSUserDefaults) and with every subsequent request, the client will send the string which is used to identify the user_id on the server.

Pros of JWT

Better for cross-domain / micro-services

• Works well cross-domain since the information is stored in any old HTML header instead of a cookie, which will not get transferred to a different domain.
• You can have a separate authorization server that deals with login / registration and generates the token, then all the subsequent requests will not need to have to go to the authorization server because your other severs will have the public-key to verify the signature (and only the auth server has the private key of course)

No server state needed for sessions

• if you store sessions in the database, then a lookup is needed during each request
• that said: of course, it's possible for the whole session to be stored in an encrypted cookie (if data size < 4kb) or in memcached, so this advantage is overblown

Cons of JWT

Only one key

The best and the worst thing about JWT is that it relies on just one key. If this key is leaked, the whole system is compromised! The only way to recover from this point is to generate a new key pair. This would mean all the current user tokens are invalidated and each user would have to login again.

Impossible to log out clients from server

• Consider the case that a user's mobile device is stolen, and she wants to log out of all existing sessions(e.g. something like Gmail's log out other sessions feature). Well its not possible in case of JWT, since the information in the token will still be decoded as giving access.
• By comparison, with DB-backed sessions, you can delete the session entry in the DB

Resources

• https://medium.com/@rahulgolwalkar/pros-and-cons-in-using-jwt-json-web-tokens-196ac6d41fb4