DEV Community

What the heck is JWT anyway?

Siwalik Mukherjee on March 04, 2018

In this article we will learn the fundamentals of a JWT token is and how we can benefit from it for authenticating communications between two parti...
Collapse
 
nempet profile image
Nemanja Petrovic • Edited

Can you explain me:

  1. When do you create JWT token, when the user logs in?
  2. When you create it where do you store it on the client side - in cookies?
  3. Should we ever reset JWT token for the user?
Collapse
 
siwalikm profile image
Siwalik Mukherjee • Edited

Hi @nemanja_pet!

  1. You can use JWT token for various types of authentications, even for logged in users. For example when a user logs in to your website with their credentials, the api response might return a JWT token as a part of the response. After logging in, on subsequent calls to the API, the client (browser) can send the JWT token to the server and on authenticating the token, the API can return results to make sure it's a legit request.

  2. You can definitely store a JWT token in the client in cookies, local / session storage based on your need. Just make sure to not generate the JWT token in the client as the secret will be visible on inspecting source.

  3. Ideally you should! The payload part can contain a claim called "exp" whose value should be a timestamp when the token expires. That way the same token cannot be highjacked by someone else and used to make API calls impersonating the actual user.

Hope that answers your questions.

Collapse
 
perrydbucs profile image
Perry Donham

You might find my article on using JWTs for client authentication useful.

Collapse
 
siwalikm profile image
Siwalik Mukherjee

Great article @perrydbucs πŸ™Œ

Collapse
 
tcarrio profile image
Tom

JWTs are simply an authentication mechanism, and can be used as part of your method of authentication in various ways. My company uses JWTs for one of our web services (REST API), with a keystore holding the public certificates of trusted clients which can then request a temporary access token. Since we're using RS256 instead of HMAC256, we have the capability to not only private communication between the client and server but also guarantee that this person is who they say they are, since the key to decrypt their JWS has to be in our public keystore already. To conclude:

  1. For us, the JWT isn't created when the user logs on, but in order to log on. We use JWTs as an assertion of user authentication, generating a temporary access token where we set expiration time and the system they get access to, and return that JWT as the response.

  2. A REST API won't use cookies, the client that made the request will have to handle maintaining it themselves, but that's one way of doing it. It just needs to be stored on the client side. But make sure to keep it safe, it's effectively a plaintext password if it doesn't contain any context-specific data within the body (which in turn is verified by the JWS).

  3. How we manage this has been described, but to spell it out: Yes. A JWT token has an expiration property for a reason. If it is being used as an access token, an indefinite JWT can be as dangerous as a password. As an example, we have a protocol for client and server. Clients assertion token should have a lifetime of up to 5 minutes, and the server will return an access token with a lifetime of an hour. Any subsequent requests to the access service and you will have to request a new one by creating a new JWT to be used as the assertion token.

Let me know if you have any other questions about this! I tried (hah) to keep it short but it got fairly lengthy anyway.

Collapse
 
hjfitz profile image
Harry

Really concise explanation, thanks!

Collapse
 
siwalikm profile image
Siwalik Mukherjee

Thank you!

Collapse
 
ben profile image
Ben Halpern

I agree, thanks for a great contribution.

Thread Thread
 
siwalikm profile image
Siwalik Mukherjee

From the man himself 😍! Thanks Ben.

Thread Thread
 
ben profile image
Ben Halpern

Keep up the great work!