Cyber security is sharing information in a secure way e.g. using JWT authorization (JSON Web Token) to enable secure user login and secure access to user personal information

JWT authorization: How does it work for web applications?

Everyone is concerned about their own safety and the safety of their loved ones. It’s natural that parents take care of children and spouses care for each other. Even if you have a pocket-sized supercomputer and the Internet at your fingertips, you cannot forget about your own safety putting aside Internet security issues.

 

Web applications are one of examples of where you need to be extremely vigilant. In this post, I am going to explain how JWT authorization works in web apps.

 

Clarification of terms

Before we start, however, we first need to clarify some terms used in the post.

 

Access Token

An access token is a special key created as a result of a correct user identification. It contains encoded data that will be used after decoding to identify the user. In this way you can avoid making redundant API requests.

 

Web application

A web application is a computer program that runs on a server and communicates with end-user devices (computer, tablet, smartphone) via computer networks (the Internet).

 

Authorization

Authorization is the function of specifying access rights/privileges to resources.

 

JWT

JWT (JSON Web Token) is a standard used to share information in a secure way.

 

Refresh token

Refresh token is a special kind of token used to renew and obtain new access tokens when the current ones expire. Each refresh token should only be used once until it becomes invalid.

 

Token

A token is a string of characters that can be decoded.

 

What is a web app authorization?

Authorization is a process of controlling access to resources. The user that has requested access to a certain resource, must, first of all, confirm his identity in the process of identification and authentication (e.g. by logging in with a login and password).

 

After logging in, authorization takes place to confirm whether a particular user has the right to access a specific resource. If the process is also successful, the requested data is sent to the user.

 

Authorization use cases

  • The operating system checks access rights of the logged user to a file,
  • The user signed in to his online banking account authorizes money transfer with one-time passwords,
  • Based on the client’s IP address, the firewall authenticates and authorizes access to the server port.

 

How does JWT (JSON Web Token)  work?

JWT is a mechanism ensuring that:

  • the content has not been altered along the way once JWT has been sent,
  • the sender of a JSON Web Token is its owner.

All because of the signature that is created to validate the message.

 

What does a JWT look like?

A JWT is a Base64Url-encoded text format that consists of three parts separated by dots:

  • Header
  • Payload
  • Signature

Therefore, for the following data: {“name”: “John Doe”}, a JWT might look like: 

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiSm9obiBEb2UifQ.DjwRE2jZhren2Wt37t5hlVru6Myq4AhpGLiiefF69u8

 

Tokens lifetime

Each token has its validity period (expiration time). Access tokens should be valid for a short period of time e.g. 15 minutes. During this time, the user identity should not be contested by the application.

 

Refresh token should be valid longer e.g. for 3 days. As long as the refresh token is not expired, the user will not be prompted to log in again. Tokens’ lifetime depends on the purpose of the application and is determined individually by a developer.

 

As a result of the short validity of the access token is the need to refresh it more frequently during active use of the application. In contrast, the long validity period of the access token comes with risk of user impersonation for a long time in case of identity fraud.

 

JWT authorization for web applications

Using JWT for authorization is a three-stage process consisting of:

 

Step 1: Identification

Identification, the first step in JWT authorization, is about the user authentication. Users who are not authenticated cannot access any resources.

 

Step 2: Generating a JWT

In the next process, a JWT is generated from the provided data. When the identification is completed sucessfully, a set of authorization tokens (access and refresh token) is returned to the user’s application and placed in the browser’s cache (local storage, session storage or cookies).

 

Step 3:  Putting access token in the header

From now on, each subsequent request will include an access token in the request header. When the server receives any request for resources, it also receives the access token that is decoded. The server will process the claim and send the data to the user provided that the token is correct and valid and the user is included in a group that is given permission to obtain data from particular resources.

 

Step 4: Refreshing

If the validity of the access token has expired, the user will be notified and asked to send a request for a refresh token in order to retry the original query. If the refresh token is correct and valid, a new pair of additional access tokens will be provided and cached in the browser, allowing to send the query again. If the refresh token has expired or reused, the user must be forced to log back in the application.

 

JWT security

JWT is not fully immune to attacks. The biggest threat facing JWTs is the risk of tokens being stolen. When access token and refresh token are stolen, it will be possible to impersonate their owner.

 

In case of using JWT without a refresh token, the problem will be resolved as soon as the access token expires. When using a refresh token, however, solutions of problems with the user impersonation should depend on the way the refresh token is implemented and stored.

Read more: Cloud security in AWS: an expert guide

 

What are the pros and cons of using JWT?

The cons of JWT:

  • All the information contained within the token is compromised
  • It could not be revoked on demand

 

The pros of JWT:

  • It allows to reduce unnecessary database requests,
  • It is stateless,
  • It enables quick actions.

 

Do all drawbacks speak against using JSON Web Tokens for authorization? Do the advantages speak unanimously for JWT as the only right way for authorization? You have to make the decision yourself.

 

Summary

In this post I described one of many ways of JWT implementation. Depending on the project, JWT may be used without a refresh token or for purposes other than user authentication.

 

If it is necessary to authorize a web application’s user, JWT seems to be a good choice as it enables an effective authorization. When combined with a fast broadband connection and efficient computers, JWT makes the use of web applications more convenient.

You don't have permission to register