🟨 JavaScript Q91 / 121

Explain JWT authentication.

AI-Powered Answer ✓ Answered

JSON Web Tokens (JWTs) provide a compact, URL-safe means of representing claims to be transferred between two parties. In authentication, JWTs are used to verify the identity of a user and securely transmit information between a client and a server, especially in stateless architectures like REST APIs and single-page applications built with JavaScript.

What is a JSON Web Token (JWT)?

A JWT is a self-contained, digitally signed token that contains information about an entity. It consists of three parts separated by dots: Header, Payload, and Signature. Each part is Base64Url encoded. The Header typically describes the token type and the signing algorithm. The Payload contains the claims (information about the user or other data). The Signature is used to verify that the sender of the JWT is who it says it is and to ensure the message wasn't changed along the way.

How JWT Authentication Works

  • User Login: The client sends user credentials (e.g., username and password) to the authentication server.
  • Token Generation: Upon successful authentication, the server creates a JWT. This token contains claims about the user (e.g., user ID, roles) and is signed with a secret key.
  • Token Emission: The server sends the generated JWT back to the client.
  • Client Storage: The client stores the JWT, typically in local storage, session storage, or an HTTP-only cookie.
  • Subsequent Requests: For every subsequent request that requires authentication, the client includes the JWT, usually in the Authorization header as a Bearer token.
  • Token Verification: The server receives the request and verifies the JWT's signature using the same secret key. It also checks the token's expiration and other claims.
  • Resource Access: If the JWT is valid, the server processes the request and returns the requested data. If invalid, access is denied.

Anatomy of a JWT

A JWT is a string of three parts separated by dots (.): Header.Payload.Signature. Each part is Base64Url encoded.

Header: Contains metadata about the token, such as the type of token (JWT) and the signing algorithm (e.g., HMAC SHA256 or RSA).

Payload (Claims): Contains the actual data (claims) about the entity and additional data. Claims can be registered (e.g., iss for issuer, exp for expiration), public, or private. *Never put sensitive information here*.

Signature: Created by taking the encoded Header, the encoded Payload, a secret, and the algorithm specified in the header, then signing it. This ensures the token hasn't been tampered with.

text 
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Advantages of JWT Authentication

  • Statelessness: The server doesn't need to store session information, making it highly scalable, especially for distributed systems and microservices.
  • Security: JWTs are digitally signed, ensuring their authenticity and integrity. This prevents tampering once issued.
  • Portability: The token can be easily passed between different domains and services, making it suitable for single sign-on (SSO) systems.
  • Cross-Origin Resource Sharing (CORS) Friendly: Since JWTs are sent in headers, they don't face the same cross-domain issues as cookies.
  • Compact: Due to their size, JWTs can be sent through URL, POST parameter, or inside an HTTP header.

Disadvantages and Considerations

  • Stateless Revocation: Revoking a JWT before its natural expiration is challenging since the server doesn't store state. This often requires implementing blacklists or short expiration times with refresh tokens.
  • Token Size: While compact, JWTs can grow in size if too many claims are added, potentially increasing network overhead.
  • Client-Side Storage Risks: Storing JWTs in local storage is vulnerable to Cross-Site Scripting (XSS) attacks. Storing in HTTP-only cookies can mitigate XSS but might expose to CSRF.
  • No Encryption: By default, JWTs are only encoded and signed, not encrypted. Sensitive data should never be placed in the payload.
  • Expiration Management: Proper handling of token expiration and renewal (using refresh tokens) is crucial for a smooth user experience and security.

Best Practices for JavaScript Applications

  • Always Use HTTPS: Protects the token during transit from client to server.
  • Short-Lived Access Tokens: Use short expiration times (e.g., 5-15 minutes) for access tokens to minimize the impact of token theft.
  • Refresh Tokens: Implement refresh tokens (longer-lived, stored more securely, e.g., HTTP-only cookie) to obtain new access tokens without re-authenticating.
  • Secure Storage: For access tokens, consider storing them in HTTP-only, secure cookies to mitigate XSS risks. If using local storage, be extremely diligent about XSS prevention.
  • Payload Minimalism: Only include essential, non-sensitive data in the JWT payload.
  • Server-Side Validation: Always validate the token's signature, expiration, issuer, and audience on the server-side for every protected request.
  • Don't Roll Your Own Crypto: Use established JWT libraries and frameworks for implementation.
← All JavaScript questions