JWT

From MgmtWiki
Jump to: navigation, search

Full Title

JSON Web Token (JWT) -- pronounced "JOOT" as though it were Welsh.

Context

In OAuth 2.0 and other specs from the Open ID Foundation, there was a need for a small packed of identity information that could be coded and include in a HTTP header.

Problems

  • The existing specs at the time the JWT was created were XML and SAML which were very wording and not amenable to coding in an HTTP header.

Solutions

  • The RFC definition of the JSON Web Token (JWT). The abstract from the spec
    JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.
  • Justin Richer has some suggestions.[1]

References

  1. Justin Richer, Moving On from OAuth 2: A Proposal. https://medium.com/@justinsecurity/moving-on-from-oauth-2-629a00133ade

Other reference material

  1. JWT: The Complete Guide to JSON Web Tokens from the folks that brought you angular.
  2. RFC 6749 The OAuth 2.0 Authorization Framework specification
  3. RFC 8252 OAuth 2.0 for Native Apps Specification