JWT Web Authentication
JWT Web Authentication
WEB AUTHENTICATION
USING JWT
AVIPSA MOHANTY
Regd.No: 2001289086
Seminar Report on
WEB AUTHENTICATION
USING JWT
Submitted in Partial Fulfillment of
The Requirement for the 7th
Sem. Seminar
Bachelor of Technology
In
Computer Science & Engineering
Submitted by
AVIPSA MOHANTY
Regd.No: 2001289086
CERTIFICATE
This is to certify that this Seminar Report on the topic entitled WEB
AUTHENTICATION USING JWT which is submitted by Avipsa Mohanty
bearing Registration No.: 2001289086 in partial fulfillment of the
requirement for the award of the of Bachelor of Technology in Computer
Science & Engineering of Biju Patnaik University of Technology,
Odisha, is a record of the candidate's own work carried out by her under my
supervision.
ABSTRACT
This paper explores the intricacies of web authentication using JSON Web Tokens (JWTs),
emphasizing their significance in securing and streamlining user access in web applications.
We delve into the fundamental concepts of JWTs, including their structure, digital
signatures, and claims, highlighting their role in verifying user identities and authorizing
access to protected resources. Additionally, we examine the advantages and challenges
associated with JWT-based authentication, emphasizing their compact nature, self-
containedness, and robust security features. To provide a practical perspective, we illustrate
the implementation of JWT authentication in a web application, showcasing the step-by-step
process of token generation, exchange, and validation. Finally, we conclude by discussing
best practices and considerations for implementing JWT-based authentication, enabling
developers to effectively protect user data and ensure seamless access to web applications.
Place: Bhubaneswar
Date: November 10, 2023 Avipsa Mohanty
ii
5
ACKNOWLEDGMENTS
I would like to express my special thanks of gratitude to my supervisor as well as our head
of the department who gave me the golden opportunity to do this wonderful seminar on the
topic, “Cross Platform Application Development”, which also helped me in doing a lot of
research and I came to know about so many new things. I am really thankful to all the
faculty members of our department who have helped us in getting to know the application
development process better
Place: Bhubaneswar
Date: July 12, 2023 Avipsa Mohanty
6
iii
Contents
1 Introduction
6 Conclusion 14
7 References 15
7
8
CHAPTER 1
In the realm of web applications, a diverse range of tokens serves crucial roles in verifying user
identities, validating access credentials, enabling re-authentication, and facilitating the exchange
of user information with third-party entities. Among these tokens, JSON Web Tokens (JWTs)
stand out as a widely adopted open standard renowned for their compactness, URL-safe nature,
and robust security features. JWTs empower web applications to securely transmit information
between two parties, typically a client and a server. These tokens provide users with the
capability to transfer information that is digitally signed and can be verified using either a shared
secret (HMAC) or a public-private key pair algorithm (RSA, ECDSA). For enhanced security,
JWTs are typically encoded in Base64, and in some cases, applications implement an additional
layer of protection by encrypting the JWT itself.
This paper delves into the realm of JWTs, specifically exploring their signature and
authentication mechanisms that underpin the security of web applications. Our research focuses
on two prominent web applications within the MIT domain: MIT COVID Pass, a platform that
tracks student information pertaining to COVID-19, including vaccination status, past
attestations (deprecated), test results, and Spectacle, a HackMIT platform that enables hackers to
upload and view projects from the hackathon. Both of these platforms leverage JWTs for user
authentication, but they employ distinct strategies for storing and handling these tokens. This
paper meticulously examines several common vulnerabilities associated with JWTs, presents our
in-depth investigation into these two platforms and the various attacks we attempted, and
concludes by outlining best practices and methodologies for bolstering the security of JWTs.
The widespread adoption of JWTs in web applications stems from their inherent advantages.
Their compactness allows for efficient transmission over networks, reducing bandwidth
consumption and minimizing latency in web applications. Additionally, their self-contained
nature eliminates the need to retrieve additional data from external sources, simplifying their use
and enhancing their portability. Furthermore, JWTs provide robust security features,
guaranteeing the integrity and authenticity of the transmitted information. The use of
cryptographic signatures ensures that tokens are tamper-proof and their origin can be verified.
However, despite their security benefits, JWTs are not without their potential vulnerabilities.
Improper key management practices can lead to compromised keys, enabling attackers to forge
tokens and gain unauthorized access. Additionally, the absence of token expiration mechanisms
can result in tokens being used indefinitely, increasing the risk of unauthorized access in the
event of token leaks or misuse. Moreover, the lack of a token revocation mechanism can hinder
the timely invalidation of compromised or outdated tokens, allowing attackers to exploit them for
malicious purposes.
To address these vulnerabilities and enhance the security of JWTs, several best practices should
be implemented. Firstly, robust key management strategies should be adopted, including the use
9
of strong, unique keys, secure storage mechanisms, and regular key rotation practices. Secondly,
token expiration mechanisms should be implemented to limit the validity period of tokens and
mitigate the risks associated with long-term token usage. Thirdly, a token revocation mechanism
should be established to enable the timely invalidation of compromised or outdated tokens,
preventing their misuse by unauthorized parties.
10
CHAPTER 2
A JSON Web Token (JWT) consists of three distinct sections separated by periods (.), each
playing a crucial role in its functionality and security:
1. Header
The header contains essential metadata about the token itself, providing information about its
type and the signing algorithm employed. This information is crucial for the receiver to properly
process and authenticate the token.
Token Type: The header specifies the type of token, which is always "JWT" in the case of JSON
Web Tokens.
Signing Algorithm: The header identifies the cryptographic algorithm used to sign the JWT,
ensuring the integrity and authenticity of the token. Common signing algorithms include HMAC
and RSA.
The payload carries the actual data that the sender intends to convey to the intended recipient.
This data is typically represented as a JSON object, containing key-value pairs that encapsulate
the relevant information.
The signature serves as the cryptographic proof of the token's authenticity and integrity. It is
generated by applying the signing algorithm specified in the header to the encoded header and
payload. The signature is then appended to the token, ensuring that any modifications to the
header or payload will invalidate the signature.
Application of the signing algorithm using the appropriate secret key or public/private key pair
Signature Validation
When the receiver receives the JWT, they perform signature validation to ensure the token's
authenticity and integrity. This involves:
Applying the signing algorithm using the appropriate secret key or public/private key pair
If the signatures match, the receiver can accept the payload as authentic and trustworthy.
However, if the signatures do not match, the token is deemed invalid and rejected.
Security Considerations
The security of JWTs hinges on the robustness of the signing algorithm and the proper handling
of secret keys or public/private key pairs. If these elements are compromised, attackers can forge
signatures, tamper with the payload, or impersonate authorized users.
JSON Web Tokens (JWTs) have emerged as a powerful tool for securely transmitting
information between parties in web applications, mobile apps, and APIs. At the heart of JWTs
lies the concept of claims, which are key-value pairs that convey information about the user or
application associated with the token.
Types of Claims
Registered Claims: These are standardized claims defined by the JWT specification,
ensuring interoperability across applications. Common registered claims include "iss" (issuer),
"sub" (subject), and "exp" (expiration time).
Public Claims: These are custom claims that can be defined by any party, but they should be
registered with the IANA JSON Web Token Claims Registry to avoid collisions. Public claims
are often used to provide additional user information, such as name, email, or social media
profiles.
Private Claims: These are non-standard claims that are specific to a particular application or
organization. They are not intended for public consumption and should not be registered with
IANA. Private claims are often used to store application-specific data or internal information.
Claims play a pivotal role in enabling secure and efficient information exchange between parties.
The payload of a JWT contains the claims, allowing the sender to convey relevant information
about the user or application to the recipient. For instance, a JWT used for authentication might
contain claims such as the user's identity, access permissions, and group memberships.
User Authentication: JWTs with claims such as "iss" and "sub" are used to verify user
identity and establish authentication sessions.
Authorization and Access Control: Claims like "roles" and "permissions" enable fine-
grained access control, restricting access to resources based on user privileges.
Profile Information Exchange: Claims can be used to exchange user profile information
between applications, facilitating seamless user experiences.
Application-Specific Data Exchange: Private claims can be used to store and exchange
application-specific data, enabling secure communication between components.
Security Considerations
While claims provide valuable information for secure communication, their usage requires
careful consideration of security implications:
Claim Validation: The recipient of a JWT should thoroughly validate the claims to ensure
their authenticity and integrity.
Claim Sensitivity: Sensitive personal information should be handled with utmost care, using
appropriate encryption and access control mechanisms.
Claim Scope Limitation: Only the necessary claims should be included in a JWT to
minimize exposure and reduce the attack surface.
By adhering to these security best practices, developers can leverage claims effectively while
safeguarding user information and maintaining the integrity of their applications.
14
JSON Web Tokens (JWTs) are an invaluable tool for securely transmitting information between
parties in web applications, mobile apps, and APIs. A crucial aspect of JWTs lies in the
processes of signing and verifying, which ensure the authenticity and integrity of the tokens.
The signing process involves applying a cryptographic algorithm to the header and payload of
the JWT. This algorithm generates a unique digital fingerprint, known as the signature, which
serves as a tamper-proof identifier of the token.
1. Encoding the Header and Payload: The header and payload are encoded using Base64
encoding, a method that converts binary data into a URL-safe format.
2. Applying the Signing Algorithm: The encoded header and payload are then combined
using a period (.), and the resulting string is passed through the specified signing
algorithm.
3. Generating the Signature: The signing algorithm, such as HMAC or RSA, produces a
unique signature based on the encoded header and payload, the secret key, or the private
key.
4. Appending the Signature: The generated signature is appended to the encoded header
and payload, forming the complete JWT.
When a recipient receives a JWT, they must verify the signature to ensure its authenticity and
integrity. This process involves:
1. Decoding the JWT: The received JWT is split into its three sections: header, payload,
and signature.
2. Re-encoding the Header and Payload: The header and payload are re-encoded using
Base64 encoding to match the original format.
3. Regenerating the Signature: The signing algorithm is applied to the re-encoded header
and payload using the appropriate secret key or public key.
4. Comparing Signatures: The regenerated signature is compared to the received
signature. If the signatures match, the token is considered authentic and its integrity is
verified.
Security Considerations
The signing and verification of JWTs are critical for maintaining security, and several factors
should be considered:
● Secret Key Management: Secret keys or private keys used for signing and verifying
JWTs must be handled with utmost care, preventing unauthorized access or disclosure.
● Signing Algorithm Strength: Strong and secure signing algorithms, such as RSA or
HMAC with SHA-256, should be employed to ensure the robustness of the signature.
● Token Expiration: JWTs should have an expiration time to limit their validity and
minimize the risk of unauthorized access in case of token leaks.
● Token Revocation Mechanism: A mechanism for revoking compromised or outdated
JWTs should be implemented to prevent their continued usage.
.
16
CHAPTER 3
Compactness is one of the key advantages of JSON Web Tokens (JWTs) and a significant
factor in their widespread adoption. JWTs are remarkably compact compared to other data
formats used for information exchange, such as XML. This compactness offers several benefits:
The compactness of JWTs stems from their efficient encoding and the use of JSON, a
lightweight data format. The header and payload of a JWT are Base64 encoded, which reduces
17
their size while maintaining their integrity. Additionally, JSON's syntax is concise and easily
parsed, further contributing to the compactness of JWTs.
In summary, the compactness of JSON Web Tokens (JWTs) is a significant advantage that
makes them well-suited for modern web applications, mobile apps, and APIs. Their reduced
size translates to faster transmission, lower bandwidth consumption, and enhanced storage
efficiency, making them a preferred choice for secure and efficient information exchange.
JSON Web Tokens (JWTs) are self-contained, meaning that they embed all the necessary
information within themselves to be verified and used without the need to fetch additional data
from external sources. This self-contained nature offers several advantages, including:
1. Reduced Dependency on External Servers: JWTs eliminate the need for querying
external servers to retrieve user information or validate claims, minimizing latency and
improving application performance.
2. Simplified Integration and Deployment: The self-contained nature of JWTs
simplifies their integration into existing applications and APIs, reducing development
time and complexity.
3. Offline Access and Caching: JWTs can be cached and used offline, enabling access
to protected resources even when an internet connection is unavailable.
4. Reduced Server Load: By embedding the necessary information within themselves,
JWTs reduce the load on servers, allowing them to focus on core application logic rather
than user authentication and authorization tasks.
The self-contained nature of JWTs is achieved through the inclusion of the header, payload, and
signature. The header contains information about the token itself, such as the signing algorithm
and token type. The payload contains the claims, which are key-value pairs that convey relevant
18
information about the user or application. The signature serves as a cryptographic proof of
the token's authenticity and integrity.
JSON Web Tokens (JWTs) provide robust security features, ensuring the integrity, authenticity,
and confidentiality of transmitted information. These features include:
1. Digital Signatures: JWTs are digitally signed using a secret key or a public/private
key pair, ensuring that the token has not been tampered with and its origin can be
verified.
2. Claims Validation: The recipient of a JWT can validate the claims within the payload
to ensure their authenticity and relevance. This validation process helps prevent
unauthorized access and protect sensitive information.
3. Token Expiration: JWTs typically have an expiration time, limiting their validity and
minimizing the risk of unauthorized access in case of token leaks or misuse.
4. Token Revocation Mechanism: A token revocation mechanism should be
implemented to enable the timely invalidation of compromised or outdated tokens,
preventing their misuse by unauthorized parties.
5. Encryption: In addition to signing, JWTs can be encrypted to protect sensitive
information from unauthorized access during transmission.
By employing these security features, JWTs provide a secure and reliable mechanism for
transmitting information between parties in web applications, mobile apps, and APIs.
Developers should carefully consider the security implications of JWT usage and implement
appropriate measures to protect sensitive data and prevent unauthorized access.
Additional Considerations
1. Key Management: Securely store and manage secret keys or private keys used for
19
CHAPTER 4
JSON Web Tokens (JWTs) are a powerful tool for securely transmitting information between
parties in web applications, mobile apps, and APIs. The process of creating JWTs involves
several steps, ensuring that the tokens are properly formatted, signed, and validated.
The header contains essential metadata about the token itself, providing information about its
type and the signing algorithm employed. This information is crucial for the receiver to
properly process and authenticate the token.
1. Token Type: Specify the type of token, which is always "JWT" for JSON Web
Tokens.
2. Signing Algorithm: Identify the cryptographic algorithm used to sign the JWT,
ensuring the integrity and authenticity of the token. Common signing algorithms include
HMAC and RSA.
The payload carries the actual data that the sender intends to convey to the intended recipient.
This data is typically represented as a JSON object, containing key-value pairs that encapsulate
the relevant information.
To create the payload, you'll need to define the key-value pairs that represent the desired
information. For instance, you might include a "username" key with the user's name, an "email"
key with the user's email address, and a "role" key with the user's role in the application.
The signature serves as the cryptographic proof of the token's authenticity and integrity. It is
generated by applying the signing algorithm specified in the header to the encoded header and
payload. The signature is then appended to the token, ensuring that any modifications to the
21
1. Encode the Header and Payload: Base64 encode the header and payload to
convert them into a URL-safe format.
2. Apply the Signing Algorithm: Use the signing algorithm specified in the header
to generate the signature from the encoded header, payload, and the appropriate secret
key or private key. For example, if using HMAC-SHA256, you would use the secret key
to hash the encoded header and payload, producing the signature.
3. Append the Signature: Combine the encoded header, encoded payload, and
generated signature, separating them with periods (.). The resulting string forms the
complete JWT.
● Header:
JSON
{
"alg": "HS256",
"typ": "JWT"
}
● Payload:
JSON
{
"username": "johndoe",
"email": "[email protected]",
"role": "admin"
}
22
Using the HMAC-SHA256 signing algorithm and a secret key "mysecretkey", the generated
JWT would be:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImjohbmRv
ZSIsImVtYWlsIjoiam9obmRveUBleGFtcGxlLmNvbSIsInJvbGUiOiJhZG1p
biJ9.38d69f38f91e265797710e5198f65568074e3811
23
JSON Web Tokens (JWTs) are compact and self-contained, making them well-suited for
transmission over various channels, including HTTP requests, cookies, and URL parameters.
The transmission process involves carefully encoding and embedding the JWT within the
chosen communication method.
In web applications, JWTs are commonly transmitted via HTTP requests. The JWT can be
included in various request components:
1. Authorization Header: The JWT can be inserted into the Authorization header using
the Bearer authentication scheme. This approach is preferred for API requests, as it
explicitly indicates the token's purpose.
2. Request Body: The JWT can be included as a JSON object within the request body.
This method is suitable when the token needs to be associated with specific data being
submitted to the server.
3. URL Parameter: The JWT can be encoded and appended to the URL as a query
parameter. This approach is less secure, as the token is exposed in the URL, but it may
be used in specific scenarios.
Cookie Transmission
Cookies can also be used to transmit JWTs, enabling persistent authentication across sessions.
The JWT is encoded and stored in a cookie on the client-side, and the server can access it
during subsequent requests. This method is convenient for maintaining user login sessions.
24
While less secure due to exposure in the URL, JWTs can be transmitted as URL parameters
when embedding them in the request body is not feasible. The JWT is encoded and appended to
the URL as a query parameter.
Regardless of the chosen transmission method, it is crucial to consider security best practices:
1. HTTPS Protocol: Use HTTPS for secure transmission to protect the JWT from
eavesdropping and man-in-the-middle attacks.
3. HTTP Only Flag for Cookies: When using cookies to transmit JWTs, set the HTTP
only flag to prevent JavaScript access to the cookie, reducing the risk of XSS attacks.
5. Secure Storage of Secret Keys: Securely store and manage secret keys or private
keys used for signing and verifying JWTs to prevent unauthorized access or disclosure.
6. Regular Security Audits: Conduct regular security audits to identify and address
potential vulnerabilities in the JWT transmission process.
25
JSON Web Tokens (JWTs) are self-contained and signed, but their authenticity and integrity
must be verified before being accepted and used. The verification process involves several steps
to ensure that the token has not been tampered with and that it originated from the intended
issuer.
The first step involves extracting the header and payload from the JWT. The header contains
information about the token itself, such as the signing algorithm and token type. The payload
contains the claims, which are key-value pairs that convey relevant information about the user
or application.
The header and payload are Base64 encoded, so they need to be decoded before further
processing. Base64 decoding converts the encoded text back into its original form.
The signature is the cryptographic proof of the token's authenticity and integrity. It is generated
using the signing algorithm specified in the header and the appropriate secret key or public key.
The verification process involves:
1. Regenerating the Signature: Apply the signing algorithm to the decoded header and
payload using the appropriate secret key or public key to regenerate the signature.
2. Comparing Signatures: Compare the regenerated signature with the received
signature. If the signatures match, the token is considered authentic and its integrity is
verified.
Once the signature is verified, the claims within the payload should be carefully validated to
ensure their authenticity and relevance. This validation process helps prevent unauthorized
access and protect sensitive information.
Additional Considerations
1. Token Expiration: Check if the token has expired. Expired tokens are no longer valid
and should be rejected.
2. Token Revocation Mechanism: Check if the token has been revoked. Revoked
tokens should be invalidated and not accepted.
3. Audience Validation: If the token specifies an audience, verify that the recipient is
within the intended audience.
4. Issuer Validation: Validate the issuer of the token to ensure it is from a trusted
source.
27
CHAPTER 5
In web applications, JSON Web Tokens (JWTs) are widely used to authenticate users and
maintain their session state across different pages or requests. They offer several advantages for
web applications, including:
Mobile apps also benefit significantly from the use of JSON Web Tokens (JWTs). These tokens
provide a secure and efficient mechanism for user authentication and authorization in mobile
environments:
JWTs in APIs
APIs often employ JSON Web Tokens (JWTs) to protect access to their resources and ensure
that only authorized users can perform specific actions. JWTs provide several benefits for API
security and management:
CHAPTER 6
JSON Web Tokens (JWTs) have emerged as a powerful and versatile tool for securing
information exchange in web applications, mobile apps, and APIs. Their compact and self-
contained nature, coupled with robust security features, makes them well-suited for a wide
range of use cases.
In web applications, JWTs enable seamless user authentication and authorization without
requiring constant re-authentication. They also facilitate efficient session management across
different pages or requests.
In mobile apps, JWTs provide a secure and efficient mechanism for user authentication and
authorization, even in offline environments. They also facilitate seamless integration with third-
party services.
In APIs, JWTs enable fine-grained access control, ensuring that only authorized users can
access specific resources based on their roles and permissions. They also simplify token
management and reduce server load.
Overall, JSON Web Tokens (JWTs) offer a comprehensive solution for securing user
authentication, authorization, and data exchange in modern web-based applications. Their
adoption is likely to continue to grow as developers seek secure and efficient ways to manage
user access and protect sensitive information
31
References
[1] RFC 7519: JSON Web Token (JWT)
[2] https://www.iana.org/assignments/jwt
[3] https://auth0.com/resources/ebooks/jwt-handbook
[4] https://www.telerik.com/blogs/introduction-json-web-tokens-jwt
[5] https://developer.auth0.com/resources/labs/tools/jwt-basics
[6] https://learn.microsoft.com/en-us/entra/identity-platform/access-tokens