JSON Web Token and its Structure
Explore the structure of JSON Web Tokens used in authentication and authorization within single sign-on systems. Learn how JWT consists of header, payload, and signature parts, how encoding differs from encryption, and how secure signatures are created and verified using RS256. Understand the role of JWT claims in authorization and how token integrity is maintained in ASP.NET Core applications.
In an SSO system that relies on OIDC and OAuth, authentication and authorization are done via a JSON Web Token (JWT)—a token that is issued by the IdP upon successful authentication. But how exactly does it work? We will cover that in this lesson.
Raw JWT structure
A JWT consists of three encoded strings separated by dots. The diagram below shows what a typical JWT looks like, with the three distinct parts of the JWT shown in different colors.
Although this looks like a random string of characters, each part contains data presented in JSON format. This is why it's called JSON Web Token. However, this data is encoded using Base64url encoding, the URL-safe variant of Base64. This encoding provides a reliable and consistent way to represent binary data as plain text, so that a token can travel unchanged through systems and protocols that expect text, such as HTTP headers and URLs.
The important thing to note is that encoding is not the same as encryption. Encryption scrambles data so that only a recipient with the right key can recover it, whereas encoding transforms data via a well-known, publicly documented formula. Encryption is performed for confidentiality, while encoding is performed for other purposes, such as standardizing a delivery format or representing binary data as printable text. Therefore, encoded data can be decoded by anyone who obtains it, without any key.
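The following Python is an added example, not code from the lesson. It constructs a sample token, splits it on the dots, and decodes the header and payload without any key, which is the point of the paragraph above: Base64url is reversible by anyone. It also restores the `=` padding that JWTs strip, a common source of decoding errors. The signature uses HS256 (HMAC-SHA256) so the example needs only the standard library; the lesson's own tokens use RS256, but the three-part structure and the signing input are the same. All keys and claims are constructed values.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    """Base64url-encode without the '=' padding, as JWT segments are (RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Decode one JWT segment, restoring the padding that was stripped."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def build_hs256_jwt(header: dict, payload: dict, key: bytes) -> str:
    """Assemble header.payload.signature with an HMAC-SHA256 signature.

    Constructed for this example; an IdP using RS256 would sign the same
    'header.payload' string with an RSA private key instead.
    """
    signing_input = ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
    ])
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_jwt_without_key(token: str) -> dict:
    """Split and decode the token. No key is involved: encoding is not encryption."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    header_b64, payload_b64, sig_b64 = parts
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        # The signature is raw bytes, not JSON; report its length only.
        "signature_bytes": len(b64url_decode(sig_b64)),
    }


def verify_hs256(token: str, key: bytes) -> bool:
    """Recompute the HMAC over 'header.payload' and compare in constant time."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def replace_payload(token: str, new_payload: dict) -> str:
    """Swap in a different payload while keeping the original signature.

    Decoding is easy, but the signature no longer matches: this is how a
    verifier detects that a token's claims were altered after issuance.
    """
    header_b64, _old_payload, sig_b64 = token.split(".")
    payload_b64 = b64url_encode(json.dumps(new_payload, separators=(",", ":")).encode())
    return f"{header_b64}.{payload_b64}.{sig_b64}"


# Constructed sample key and claims; not real credentials.
SECRET = b"constructed-example-key-do-not-reuse"
SAMPLE_TOKEN = build_hs256_jwt(
    {"alg": "HS256", "typ": "JWT"},
    {"sub": "user-123", "iss": "https://idp.example", "role": "reader"},
    SECRET,
)

if __name__ == "__main__":
    print(SAMPLE_TOKEN)
    print(json.dumps(decode_jwt_without_key(SAMPLE_TOKEN), indent=2))
    print("signature valid:", verify_hs256(SAMPLE_TOKEN, SECRET))
    altered = replace_payload(SAMPLE_TOKEN, {"sub": "user-123", "role": "admin"})
    print("altered payload still decodes:", decode_jwt_without_key(altered)["payload"])
    print("altered token verifies:", verify_hs256(altered, SECRET))
```

Running the script prints the token, its decoded header and payload, and then shows that a token whose payload segment was replaced still decodes cleanly but fails signature verification. The `b64url_decode` padding step matters: `base64.urlsafe_b64decode` raises on unpadded input, and JWT segments are always unpadded.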
The three parts a JWT consists of are as follows:
Header: It provides metadata about the token.
Payload: It provides the information used for ...