Why use JSON Web Token (JWT) in Authentication
Authentication and authorization are the two terms used most often in web application security. Authentication is the process of verifying a user's identity, i.e. that the user-provided attributes such as name, address, phone number, and email are correct. Authorization is the process of verifying that an authenticated user has the requisite permissions to access an application's resources or perform specific actions. When a user logs in, authentication is performed first; if it passes, authorization is performed each time the user accesses a protected part of the application.
Problem
Authenticating a user requires verification of a user’s identity. The traditional cookies-based authentication method makes use of HTTP cookies to authenticate client requests and store session information on the server. Typically the following procedure is used:
- A client, also called a user agent, sends a login request to the server.
- On successful login, the server stores the session information in memory or in persistent storage and returns an HTTP response that includes an HTTP cookie (also called a browser cookie or a web cookie) in the Set-Cookie header. A cookie is a string of data whose only required attribute is a name-value pair. The cookie is tied to the session stored on the server and may carry additional attributes, such as an expiry date or a maximum age, that set how long it remains valid.
- The cookie gets set in the client’s browser.
- For authentication, the client sends the cookie in the cookie header of each subsequent request.
- The server deserializes the cookie to authenticate the user.
- A user stays signed in as long as the cookie is stored in the browser and is still valid. Cookie-related settings can be adjusted per user in the browser.
- By default, most browsers expire a session cookie, which represents a client’s current session, when the client shuts down the browser.
Session-cookie-based authentication has several disadvantages:
- The session information has to be stored on the server.
- Cookies are sent with every request, which adds overhead to each request and can reduce performance, especially for mobile apps.
- Cookies are for a specific server, domain, or path. Cross-Origin Resource Sharing (CORS) HTTP headers must be used to allow a browser to access origins (domain, scheme, port) other than a server’s own.
- It is vulnerable to Cross-Site Request Forgery (CSRF) attacks, because the browser attaches the session cookie automatically to requests regardless of which site initiated them.
Solution
JSON Web Token (JWT) is an open, JSON-based standard (RFC 7519) for securely transmitting information between parties. A JWT is tamper-evident because it can be digitally signed, either with a shared secret (an HMAC algorithm such as HS256) or with a public/private key pair (for example RSA). In addition to secure information exchange, JWT can be used for authentication. The following procedure is typically used for JWT-based authentication:
- A user logs in successfully using their credentials (username and password).
- The server creates a JWT and signs it with a secret. Neither the JWT nor its signature is stored on the server. The signature is computed over the encoded header and the encoded payload of the JWT using the secret and the signing algorithm.
- The JWT is sent back to the user, who must store it securely. A JWT is typically not stored in a browser cookie, since that would bring back the same CSRF issues that cookies have.
- The user includes the JWT in the Authorization header (as a Bearer token) when accessing a secure resource.
- The server verifies the JWT signature. Because the signature is computed from the information in the JWT itself, the JWT is self-contained and no JWT-related information is stored on the server.
- If the JWT is valid, the server allows the user access to the requested resource.
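The mint-and-verify cycle described in the procedure above, written out as an added example (not code from the original article) using only the Python standard library. It assumes the HS256 algorithm, a constructed demo secret, and a constructed fixed clock so the run is reproducible; the server pins the algorithm itself instead of trusting the token header, compares the signature in constant time, and relies on a short `exp` claim because a stateless server has no session to revoke. The `scope` claim shows how permissions can ride along in the token for authorization.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; a real deployment loads a high-entropy key from a secret store.
DEMO_SECRET = b"constructed-demo-secret-do-not-use"


def _b64url_encode(data: bytes) -> str:
    # JWT uses base64url with the trailing '=' padding removed.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding stripped at encoding time before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(claims: dict, secret: bytes) -> str:
    """Mint an HS256-signed JWT: base64url(header).base64url(payload).base64url(signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    # Compact JSON keeps the token small; whitespace would only inflate it.
    encoded_header = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    encoded_payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{encoded_header}.{encoded_payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{encoded_header}.{encoded_payload}.{_b64url_encode(signature)}"


def verify_jwt(token: str, secret: bytes, now: Optional[float] = None) -> dict:
    """Verify an HS256 JWT and return its claims; raise ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three dot-separated segments")
    encoded_header, encoded_payload, encoded_sig = parts
    header = json.loads(_b64url_decode(encoded_header))
    # The server decides which algorithm is acceptable; the token header does not.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_input = f"{encoded_header}.{encoded_payload}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so signature checking does not leak timing information.
    if not hmac.compare_digest(expected, _b64url_decode(encoded_sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(encoded_payload))
    # Nothing is stored server-side, so expiry is the main control over a token's lifetime.
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or has no exp claim")
    return claims


def payload_is_readable(token: str) -> dict:
    """The payload is only base64url-encoded, not encrypted: anyone holding the token can read it."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def demo() -> dict:
    """Walk through login, a valid request, a tampered token and an expired token."""
    issued_at = 1_700_000_000  # constructed fixed timestamp for a reproducible run
    claims = {"sub": "alice", "scope": "read:reports", "iat": issued_at, "exp": issued_at + 900}
    token = create_jwt(claims, DEMO_SECRET)
    results = {"valid": verify_jwt(token, DEMO_SECRET, now=issued_at + 10)}
    # Tampered payload: the subject is changed but the original signature is kept.
    h, _, s = token.split(".")
    tampered = ".".join([h, _b64url_encode(b'{"sub":"admin","exp":9999999999}'), s])
    for label, candidate, at in [("tampered", tampered, issued_at + 10), ("expired", token, issued_at + 901)]:
        try:
            verify_jwt(candidate, DEMO_SECRET, now=at)
            results[label] = "accepted"
        except ValueError as exc:
            results[label] = str(exc)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` shows the valid token's claims coming back, the tampered token rejected with "bad signature", and the same token rejected once the clock passes `exp`. `payload_is_readable` is there to make one point the signature does not: signing proves who issued the token and that it is unmodified, but it does not hide the payload, so claims should never contain secrets.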
JWT-based authentication has several benefits compared to cookie-based authentication, including:
- Stateless authentication - No user session information is stored on the server.
- Not limited to specific domains, paths, or servers. No Cross-Origin Resource Sharing (CORS) issues.
- JSON-based JWT is more compact than the XML-based SAML (Security Assertion Markup Language) information exchange that is typically used with cookies.
- JSON is more commonly used on the Internet for information exchange than XML is.
- JWT can also include user permissions for specific resources using authentication and authorization platforms such as Auth0. Therefore JWT can be used for authorization in addition to authentication.
JWT is now the authentication mechanism most commonly used in web and mobile apps.