1.

What does a JWT look like?

Answer»

Every JWT has three parts: a header, a payload (the set of claims) and a signature, separated by dots. Each part is Base64url-encoded separately (Base64 with a URL-safe alphabet and no padding), so the token can be carried in a URL, a cookie or an HTTP Authorization header without further escaping.

JWT = {header}.{payload}.{signature} 

A typical JWT is shown here for reference. 

Encoded JSON Web Token

The token is Base64url-encoded so that it travels cleanly over HTTP. Note that this is an encoding, not encryption: anyone holding the token can decode the header and payload without knowing the key. An encoded JWT looks like the following:

Decoded JSON Web Token 

Header 

The header names the signing algorithm (alg), e.g. HS256, and the token type (typ), JWT:

{ "alg": "HS256", "typ": "JWT" }

Claim 

The claims part is a JSON object carrying the information you want to exchange with the third party: registered claims such as the expiry (exp), issuer (iss), subject (sub) and token id (jti), plus custom attributes such as a user id, scope, roles or client_id. Because the payload is only encoded, not encrypted, a signed JWT should never carry secrets.

{ "uid": "2ce35360-ef8e-4f69-a8d7-b5d1aec78759", "user_name": "user@mail.com", "scope": ["read"], "exp": 1520017228, "authorities": ["ROLE_USER","ROLE_ADMIN"], "jti": "5b42ca29-8b61-4a3a-8502-53c21e85a117", "client_id": "acme-app"  }

Signature 

The signature is a keyed message authentication code, not a plain one-way hash: for HS256 it is HMAC-SHA256 over the Base64url-encoded header and payload joined by a dot, keyed with a secret shared by issuer and verifier. That secret must be kept private, because anyone who knows it can mint valid tokens. Asymmetric algorithms such as RS256 or ES256 sign the same input with a private key, so the verifier needs only the public key; they sign the claims rather than encrypt them, and the payload stays readable by anyone. When verifying, pin the algorithm you expect instead of trusting the alg field in the header, and reject tokens whose exp has passed.

HMACSHA256(base64url(header) + "." + base64url(payload), secret)

