This chapter is about a cryptographic container format called JSON Web Token, or JWT for short. The general idea is to hide the cryptographic details behind a simple-to-use library interface for standardized, secure data exchange between servers, or between a server and its clients.
As the "token" in the name suggests, a JWT is often used in login systems: the server hands out a signed token after authentication and checks its signature on later requests instead of looking up server-side session state.
According to the introduction on jwt.io, a "JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA."
The simple answer is "yes". "JWT" is the generic term for two systems, JSON Web Signature ("JWS") and JSON Web Encryption ("JWE"). They are accompanied by the JSON Web Key ("JWK"), JSON Web Algorithms ("JWA"), JSON Web Key Thumbprint and Unencoded Payload Option specifications.
All JSON Web xxx specifications are based on documents published by the Internet Engineering Task Force (IETF):
- JWT, JSON Web Token: RFC 7519
- JWS, JSON Web Signature: RFC 7515
- JWE, JSON Web Encryption: RFC 7516
- JWK, JSON Web Key: RFC 7517
- JWA, JSON Web Algorithms: RFC 7518
- JSON Web Key Thumbprint: RFC 7638
- JWS Unencoded Payload Option: RFC 7797
Again a simple answer: "no", you do not need to use external libraries, but they often make life much easier. Looking at the basics, a JWS with one of the RSA algorithms is not much more than a plain RSA signature over a string (the base64url-encoded header and payload joined by a dot), and I have proven this with an implementation for a browser-based JWT.
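To make the "not much more than an RSA signature" point concrete, here is an added example in Go using only the standard library. It is my own illustration for this page, not code from the repository or from any of the linked articles, and the names `SignJWS`, `VerifyJWS` and `pssOpts` are mine. It signs and verifies a compact-serialized JWS with RS256 (PKCS#1 v1.5) and PS256 (RSASSA-PSS); the RSA key is a throwaway generated at runtime and the claims are constructed sample values.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// JWS uses base64url without padding (RFC 7515, section 2).
var b64 = base64.RawURLEncoding

// RFC 7518 fixes the PSS salt length to the hash length for PS256.
var pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}

// SignJWS builds header.payload.signature for alg "RS256" or "PS256".
func SignJWS(alg string, key *rsa.PrivateKey, claims map[string]interface{}) (string, error) {
	header := []byte(`{"alg":"` + alg + `","typ":"JWT"}`)
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	// The signature covers exactly the ASCII bytes of base64url(header) "." base64url(payload).
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	var sig []byte
	switch alg {
	case "RS256":
		sig, err = rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	case "PS256":
		sig, err = rsa.SignPSS(rand.Reader, key, crypto.SHA256, digest[:], pssOpts)
	default:
		return "", fmt.Errorf("unsupported alg %q", alg)
	}
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyJWS checks a compact JWS against pub and returns the decoded claims.
// The caller pins expectedAlg; the token's own "alg" header is only compared
// against it and never used to choose the verification routine.
func VerifyJWS(token, expectedAlg string, pub *rsa.PublicKey) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWS: expected 3 parts, got %d", len(parts))
	}
	rawHeader, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(rawHeader, &header); err != nil {
		return nil, err
	}
	if header.Alg != expectedAlg {
		return nil, fmt.Errorf("alg mismatch: header says %q, expected %q", header.Alg, expectedAlg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	switch expectedAlg {
	case "RS256":
		err = rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
	case "PS256":
		err = rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, pssOpts)
	default:
		return nil, fmt.Errorf("unsupported alg %q", expectedAlg)
	}
	if err != nil {
		return nil, fmt.Errorf("signature invalid: %w", err)
	}
	rawPayload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(rawPayload, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)                                // throwaway demo key
	claims := map[string]interface{}{"sub": "1234567890", "name": "John Doe"} // constructed claims
	token, _ := SignJWS("PS256", key, claims)
	fmt.Println(token)
	got, err := VerifyJWS(token, "PS256", &key.PublicKey)
	fmt.Println("pinned PS256:", got["sub"], err)
	_, err = VerifyJWS(token, "RS256", &key.PublicKey) // header says PS256: rejected
	fmt.Println("pinned RS256:", err)
}
```

The verifier deliberately takes the expected algorithm as a parameter and refuses a token whose header disagrees; that is a design choice of this example, so that the header of an untrusted token never decides which verification routine runs.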
I'm starting with the signature-based JWS (JSON Web Signature) examples and later I'm programming the JWE (JSON Web Encryption) examples.
Kindly note that there is not just one way of using JWTs but many different ones, and I'm focusing on one sample token. Although I'm using libraries, some of the code needs a lot of "handcraft" to run as expected, so you should take the code just as a basis for your own programming.
To start your JWT experience I recommend reading the article "structure of a JSON web token (JWT)", where I explain some basics.
Here are my articles on JSON Web Token (JWT) topics:
Solution | Description | Java | PHP | C# | NodeJs | Browser | Python | Go |
---|---|---|---|---|---|---|---|---|
structure of a JSON web token (JWT) | explains the general structure of a JWT (header, payload, signature) | | | | | | | |
JSON web token JWA algorithms | standardized algorithm identifiers for JWT ("alg" and "enc" values) | | | | | | | |
JSON Web JWK keys | standardized key format for JWT | | | | | | | |
JSON web signature (JWS) using RS256 algorithm | sign a JWT with an RSA private key, PKCS#1 v1.5 padding and SHA-256 hashing | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
JSON web signature (JWS) using PS256 algorithm | sign a JWT with an RSA private key, RSASSA-PSS padding (MGF1 with SHA-256) and SHA-256 hashing | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
JSON web signature (JWS) using RSxxx & PSxxx algorithms (verify only) | verify a JWT with an RSA public key, PKCS#1 v1.5 or RSASSA-PSS padding and SHA-256/384/512 hashing | ❌ | ❌ | ❌ | ❌ | 🔜 | ❌ | ❌ |
JSON web encryption (JWE) using RSA-OAEP-256 with A256GCM algorithm | encrypt a JWT: the payload is encrypted with AES-256-GCM under a random content encryption key, which is wrapped for the recipient's RSA public key with RSA-OAEP-256 (OAEP with SHA-256) | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ | ✅ |
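The RSA-OAEP-256 with A256GCM combination from the last table row, as an added Go example that is my own illustration and not code from the linked article or the repository. It follows the RFC 7516 compact serialization with only the standard library: a fresh 256-bit content encryption key is wrapped with RSA-OAEP (SHA-256), the payload is sealed with AES-256-GCM, and the base64url-encoded protected header serves as additional authenticated data. The RSA key is a throwaway generated at runtime, the claims are constructed, and `EncryptJWE`, `DecryptJWE`, `newGCM` and `jweHeader` are names I chose.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// JWE uses base64url without padding (RFC 7516, section 2).
var b64 = base64.RawURLEncoding

// Protected header for RSA-OAEP-256 key wrapping with A256GCM content encryption.
const jweHeader = `{"alg":"RSA-OAEP-256","enc":"A256GCM"}`

// EncryptJWE returns header.encryptedKey.iv.ciphertext.tag, all base64url.
func EncryptJWE(pub *rsa.PublicKey, plaintext []byte) (string, error) {
	protected := b64.EncodeToString([]byte(jweHeader))
	cek := make([]byte, 32) // fresh 256-bit content encryption key per message
	if _, err := rand.Read(cek); err != nil {
		return "", err
	}
	// RSA-OAEP-256: SHA-256 for both the OAEP hash and MGF1, empty label.
	encKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, cek, nil)
	if err != nil {
		return "", err
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return "", err
	}
	iv := make([]byte, gcm.NonceSize()) // 96-bit IV, as RFC 7518 requires for AxxxGCM
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	// The AAD is the ASCII of the base64url-encoded protected header.
	sealed := gcm.Seal(nil, iv, plaintext, []byte(protected)) // ciphertext || 128-bit tag
	cut := len(sealed) - gcm.Overhead()
	return strings.Join([]string{protected, b64.EncodeToString(encKey), b64.EncodeToString(iv),
		b64.EncodeToString(sealed[:cut]), b64.EncodeToString(sealed[cut:])}, "."), nil
}

// DecryptJWE unwraps the CEK with priv and returns the plaintext, or an error if
// the header is not the pinned alg/enc pair or the GCM tag does not verify.
func DecryptJWE(priv *rsa.PrivateKey, token string) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 5 {
		return nil, fmt.Errorf("malformed JWE: expected 5 parts, got %d", len(parts))
	}
	raw := make([][]byte, 5)
	for i, p := range parts {
		b, err := b64.DecodeString(p)
		if err != nil {
			return nil, err
		}
		raw[i] = b
	}
	var header struct {
		Alg string `json:"alg"`
		Enc string `json:"enc"`
	}
	if err := json.Unmarshal(raw[0], &header); err != nil {
		return nil, err
	}
	if header.Alg != "RSA-OAEP-256" || header.Enc != "A256GCM" {
		return nil, fmt.Errorf("unexpected alg/enc %q/%q", header.Alg, header.Enc)
	}
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, raw[1], nil)
	if err != nil {
		return nil, err
	}
	if len(cek) != 32 {
		return nil, fmt.Errorf("unwrapped CEK has %d bytes, A256GCM needs 32", len(cek))
	}
	gcm, err := newGCM(cek)
	if err != nil {
		return nil, err
	}
	if len(raw[2]) != gcm.NonceSize() {
		return nil, fmt.Errorf("bad IV length %d", len(raw[2]))
	}
	// Open checks the tag over ciphertext and AAD before releasing any plaintext.
	return gcm.Open(nil, raw[2], append(raw[3], raw[4]...), []byte(parts[0]))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // throwaway demo key
	token, _ := EncryptJWE(&key.PublicKey, []byte(`{"sub":"1234567890","name":"John Doe"}`)) // constructed claims
	fmt.Println(token)
	pt, err := DecryptJWE(key, token)
	fmt.Println(string(pt), err)
}
```

Note the order on the receiving side: the header is checked against the pinned alg/enc pair first, the CEK length is checked after unwrapping, and the GCM tag is verified before a single plaintext byte is returned; a flipped ciphertext bit or a different recipient key both end in an error rather than garbage.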
Below I'm providing the names and download links of all libraries I have used to run the examples. Please note that I did not take deep care of the license terms of the libraries, so please check them before using them in any (commercial or private) context.
Last update: Apr. 28th 2021
Back to the main page: readme.md