JWT

From MgmtWiki
Revision as of 12:25, 10 November 2019 by Tom (talk | contribs) (References)

Jump to: navigation, search

Full Title

JSON Web Token (JWT) -- pronounced "JOOT" as though it were Welsh.

Context

In OAuth 2.0 and other specs from the Open ID Foundation, there was a need for a small packed of identity information that could be coded and include in a HTTP header.

Problems

  • The existing specs at the time the JWT was created were XML and SAML which were very wordy and not amenable to coding in an HTTP header.
  • Even now some JWT are too large for inclusion in a HTTP header.

Solutions

  • The RFC definition of the JSON Web Token (JWT). The abstract from the spec
    JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.
  • Justin Richer has some suggestions.[1]

References

  1. Justin Richer, Moving On from OAuth 2: A Proposal. https://medium.com/@justinsecurity/moving-on-from-oauth-2-629a00133ade

Other reference material

  1. JWT: The Complete Guide to JSON Web Tokens from the folks that brought you angular.
  2. JWT.IO] allows you to decode, verify and generate JWT.
  3. RFC 6749 The OAuth 2.0 Authorization Framework specification
  4. RFC 8252 OAuth 2.0 for Native Apps Specification