What are JWTs? A Beginner's Guide to Secure JSON Web Token Authentication

TL;DR - Key Takeaways

• JSON Web Tokens (JWTs): A compact, URL-safe means of representing claims to be transferred between two parties.
• Structure: JWTs consist of three parts: Header, Payload, and Signature, encoded as a Base64URL string.
• Use Cases: Commonly used for authentication and information exchange in modern web applications.
• Security Concerns: JWTs must be properly secured with strong algorithms and kept secret to prevent unauthorized access.
• Implementation: Libraries in various programming languages make it easy to implement JWTs in your applications.
• Common Pitfalls: Misconfigurations such as weak secret keys or failure to validate tokens can lead to security breaches.
• Defensive Measures: Use HTTPS, validate tokens properly, and keep secret keys secure to protect JWTs.

What is a JSON Web Token (JWT)?

Imagine you have a magic ticket that not only lets you into a concert but also tells the gatekeeper what seat you are in and what snacks you are allowed to buy. A JSON Web Token (JWT) works similarly in the digital world. It's a compact, self-contained way of transmitting information between parties as a JSON object. This information can be verified and trusted because it's digitally signed.

A JWT is like a passport for the internet. It contains all necessary information, is signed to ensure its integrity, and can be verified by any party that possesses the secret key used to sign it.

JWT Structure

A typical JWT is made up of three parts:

1. Header: Contains metadata about the token, such as the type of token and the signing algorithm used.
2. Payload: Contains the claims. Claims are statements about an entity (typically, the user) and additional data.
3. Signature: Used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way.

Each part is encoded as a Base64URL string and concatenated with dots (.) to form the complete token.

Why Does This Matter?

JWTs play a crucial role in modern web security, particularly in authentication and authorization processes. As applications have moved to more decentralized, client-server architectures, the need for a secure, portable, and scalable authentication method has become paramount.

Real-World Impact

• Breach Statistics: Misconfigured JWTs can lead to unauthorized access. For instance, in a 2017 incident, a misconfigured JWT led to unauthorized API access on a major platform.
• Affected Parties: Developers, security teams, and end-users can all be affected by insecure JWT implementations.
• CVE Example: CVE-2016-10517 highlights how JWT libraries can be vulnerable if not properly implemented, resulting in flawed signature verification.

JWTs are OWASP API Security Top 10, specifically under API2:2019 Broken User Authentication.

Types / Categories

JWTs can be classified based on their usage and structure. Here are the two main types:

Type	Description
Public JWTs	Can be read by any party, as they are not encrypted. Only the signature is protected to verify authenticity.
Private JWTs	Encrypted to ensure that only intended parties can read the payload. Often used in confidential communications.

How It Works — Step by Step

Understanding the inner workings of JWTs involves breaking down their flow from creation to validation:

graph TD;
  A[Client] -->|Requests Login| B[Server];
  B -->|Creates JWT| C[JWT];
  C --> D[Client];
  D -->|Sends JWT with request| E[Server];
  E -->|Verifies JWT| F[Allow/Reject Access];

Step-by-Step Flow

1. Client Requests Login: The client sends a login request to the server with credentials.
2. Server Creates JWT: Upon successful authentication, the server creates a JWT with user information in the payload.
3. JWT Sent to Client: The JWT is sent back to the client and stored, typically in local storage or a cookie.
4. Client Sends JWT with Requests: For subsequent requests, the client sends the JWT in the HTTP header.
5. Server Verifies JWT: The server verifies the JWT signature and checks the claims (e.g., expiration).
6. Access Granted or Denied: The server processes the request if the JWT is valid; otherwise, it denies access.

Proof-of-Concept Code

Here's a simple JWT creation and verification example using Python and the pyjwt library:

import jwt
import datetime

# Secret key for signing
SECRET_KEY = 'my_secret_key'

# Create JWT
def create_jwt(data):
    return jwt.encode({'data': data, 'exp': datetime.datetime.utcnow() + datetime.timedelta(hours=1)}, SECRET_KEY, algorithm='HS256')

# Verify JWT
def verify_jwt(token):
    try:
        decoded = jwt.decode(token, SECRET_KEY, algorithms=['HS256'])
        return decoded['data']
    except jwt.ExpiredSignatureError:
        return 'Token expired'
    except jwt.InvalidTokenError:
        return 'Invalid token'

# Example usage
jwt_token = create_jwt({'user_id': 123})
print(verify_jwt(jwt_token))

This code creates and verifies a JWT using the HS256 algorithm.

Hands-On Lab / Demo

Let's walk through creating and verifying a JWT using a test environment. We'll use the DVWA (Damn Vulnerable Web Application), a popular tool for practicing web security.

Setting Up DVWA

1. Install DVWA: Clone the DVWA repository from GitHub and follow the installation instructions.
2. Access the JWT Section: Navigate to the JWT section in DVWA.
3. Experiment: Modify JWTs and observe how DVWA responds to different token configurations.

Tools for JWT Testing

• Postman: Use Postman to send HTTP requests with JWTs in the Authorization header.
• jwt.io: This tool allows you to decode, verify, and generate JWTs online for testing.

Common Misconceptions

• JWTs Are Encrypted: Many believe JWTs are inherently encrypted. They are encoded, not encrypted, meaning anyone with the token can read its contents unless additional encryption is applied.
• JWTs Are Infallible: Like any security tool, JWTs can be misconfigured or misused, leading to vulnerabilities.
• JWTs Never Expire: JWTs should have an expiration claim to prevent indefinite validity.

How to Defend Against It

1. Use Strong Secret Keys: Ensure secret keys are complex and stored securely.
2. Implement Expiration: Always include the exp claim to limit token validity.
3. Use HTTPS: Transmit JWTs over secure channels to prevent interception.
4. Validate Tokens: Always validate JWTs on the server side to ensure integrity.
5. Limit JWT Scope: Only include necessary claims to minimize exposure.

Example of Secure Configuration in Python

# Secure JWT creation with expiration
def create_secure_jwt(data):
    return jwt.encode(
        {'data': data, 'exp': datetime.datetime.utcnow() + datetime.timedelta(minutes=30)},
        SECRET_KEY, algorithm='HS256'
    )

The above function creates a JWT with a 30-minute expiration time, enhancing security.

Further Learning Resources

• OWASP JWT Cheat Sheet
• PortSwigger Web Security Academy
• JWT.io - Learn JWT
• Auth0 - Introduction to JSON Web Tokens
• Hack The Box: Practice JWT vulnerabilities in CTF challenges.

Conclusion

JSON Web Tokens are a powerful tool in the web security toolkit, offering a robust mechanism for transmitting claims between parties. While they provide simplicity and security, it's crucial to implement and manage them properly to avoid common pitfalls. By understanding the structure, function, and security measures associated with JWTs, developers and security professionals can leverage them effectively in their applications. Continue to explore and practice with resources like OWASP, JWT.io, and Hack The Box to deepen your understanding and expertise.