Wednesday, 20 May 2020

JWT Token Authorization

We can allow users to access an application using several security configurations. Basic authentication is a simple and commonly used configuration, wherein users are authenticated with a user name and password.

The next authorization method used to access applications is the JWT token. JSON Web Tokens are encoded as a JSON object and are digitally signed using JWS (JSON Web Signature). These tokens can also be encrypted using JWE (JSON Web Encryption).

As mentioned, these are encoded, signed and/or encrypted tokens. The basic format of a JWT is as follows.

    • Header
    • Payload
    • Signature

Header:

    {
      "alg": "RS256",
      "typ": "JWT",
      "x5t": "ZZAMNA+cVwqRM7J4vn3KIoqdk2w"
    }

alg - Algorithm used to sign or encrypt the JWT.
typ - Type of the token ("JWT").
x5t - base64url-encoded fingerprint (thumbprint) of the public certificate. RFC 7515 defines x5t as the SHA-1 thumbprint and x5t#S256 as the SHA-256 variant; the header value is the raw digest bytes base64url-encoded, not the colon-separated hex that openssl prints. Use the following command to get the fingerprint or thumbprint:
            openssl x509 -noout -fingerprint -sha256 -inform pem -in [certificate-file.crt]

Payload (two examples):

    {
      "iss": "",
      "sub": "auth/some-hash-here",
      "exp": 153452683
    }

    {
      "iss": "",
      "prn": "vijayakv",
      "iat": 1518071154,
      "exp": 1518081154
    }

prn/userId - Application user that has the required access.
exp - Token expiry time.
iat - Issued at.
nbf - Not before.

There are two ways to configure JWT.

  1. Client generated JWT tokens. The client is responsible for the security.
  2. Identity provider generated JWT tokens, e.g. IDCS, OKTA.

The following steps highlight how an identity provider JWT token works.
  • The user calls the identity provider REST API to get the token using a user name and password.
  • The provider generates the token and sends it back.
  • The user uses the token to call the service API.

The following steps highlight how a client generated JWT token works.
  • The client generates the SSL certificate and provides the public key to the identity provider.
  • The identity provider configures the certificate and the issuer - ex:
  • The client generates the JWT token in the format mentioned above.
  • The client encodes the header and payload parts.
  • The client encodes the public certificate.
  • The client signs the JWT token using the private key (the SSL private key). With a shared secret (HS256) the signature is:
HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret )
  and with the private key (RS256, as in the header above) it is:
RSASHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), privateKey )

After generating the token, the client calls the application API using the signed JWT token.

The identity provider decodes the token and verifies the signature using the configured public key/certificate. If it matches the configured key and issuer, then it authorizes the user to access the application.
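The signing formula and the verification step above, worked through in Python as an added example (not code from the original post): it builds and checks an HS256 token with the standard library only, so a shared secret stands in for the RS256 private/public key pair; the secret, issuer and claims are constructed sample values. RS256 tokens have the same three-part structure, with the private key producing the signature and the public key checking it.

```python
import base64, hashlib, hmac, json

# Constructed sample values for this demo (not from any real deployment).
SECRET = b"constructed-demo-secret-do-not-reuse"
ISSUER = "demo-issuer"
SAMPLE_CLAIMS = {"iss": ISSUER, "prn": "vijayakv", "iat": 1518071154, "exp": 1518081154}

def b64url(data: bytes) -> str:
    # JWT segments are base64url without '=' padding (RFC 7515).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def encode_hs256(payload: dict, secret: bytes) -> str:
    # HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = b64url(json.dumps(header, separators=(",", ":")).encode()) + "." + \
        b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_hs256(token: str, secret: bytes, issuer: str, now: int) -> dict:
    # Verifier side: pin the algorithm, check the signature, then check the claims.
    h_b64, p_b64, s_b64 = token.split(".")  # ValueError if not exactly three segments
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p_b64))
    if payload.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if "exp" not in payload or now >= payload["exp"]:
        raise ValueError("expired")
    if now < payload.get("nbf", 0):
        raise ValueError("not yet valid")
    return payload

def is_valid(token: str, secret: bytes, issuer: str, now: int) -> bool:
    # Convenience wrapper: True only when every check in verify_hs256 passes.
    try:
        verify_hs256(token, secret, issuer, now)
        return True
    except ValueError:
        return False
```

The claims check only passes with the right secret, issuer and an unexpired exp; a payload altered after signing, or a header that switches alg, is rejected before any claim is trusted.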

JWT using Python example:

$ pip install pyjwt cryptography
>>> import jwt
>>> private_key = open('secret-key').read()   # PEM-encoded RSA private key
>>> token = jwt.encode({'user_id': 123}, private_key, algorithm='RS256')
>>> token   # PyJWT 2.x returns a str; PyJWT 1.x returned bytes, hence .decode('utf-8') in older examples


Generating a signed JWT requires either a private key (asymmetric algorithm) or a secret key (symmetric algorithm). A JWT signed with the private key is verified with the corresponding public key.

The certificate is just a way to bind a name to a public key. A certificate is a digital document that says "Entity A is the owner of public key xyz", and that document is signed by a signing party. Usually you trust the signing party.

Depending on the signing algorithm, your server will decode the token (this requires no keys) and then VERIFY the signature sent in the token.

The server extracts the public key from the certificate and uses it to verify the signature that was produced with the private key when the JWT was signed.
