Overview
JSON Web Token (JWT) is a security token based on an open standard. A security token is a data structure containing claims and is digitally signed.
In a typical scenario, the client would request a token, the issuer then issues a token, and a resource (API) consumes the token. In this flow, the resource (API) will trust the issuer.
There are several types of security token like the Security Assertion Markup Language token (SAML) based on XML and the Simple Web Token (SWT), but JSON Web Token (JWT) is the defacto standard these days.
Structure
JSON Web Tokens are structured in three parts:
- Header with metadata, algorithms & keys used
- Payload as claims
- Signature
The parts are base64 encoded and separated by a point (.)
Therefore, a JWT typically looks like this: xxxx.yyyy.zzzz
Claims
The payload will contain the claims.
- Issuer (
iss) as issuer identifies the identity provider - Audience (
aud) is the audience claim meant to refer to the recipient that the JWT is intended for (resource server) - IssuedAt (
iat) epoc time (1. Jan 1970) - ClientId (
client_id) in OAuth refers to the client application that will be requesting resources - Subject (
sub) is a unique ID for the identity provider which identifies the user and will never change
The JWT is used in OAuth and OpenID Connect as
- Identity Token
- Access Token
- Refresh Token
- Reference Token