# JWT Tokens Explained

**Learning Objectives:**
- Understand JWT structure (header, payload, signature)
- Learn access vs refresh token pattern
- Implement JWT generation and verification
- Understand common JWT attacks

In [None]:
# Install python-jose
!pip install python-jose -q

## Part 1: JWT Structure

**JWT (JSON Web Token) Format:**
```
HEADER.PAYLOAD.SIGNATURE
```

**Three Parts:**
- **Header**: Algorithm and token type
- **Payload (Claims)**: User data, expiration, permissions
- **Signature**: Cryptographic proof of authenticity

**Encoding:** Base64URL (not standard Base64!)

In [None]:
# Decode JWT structure
import base64
import json

# Example JWT (shortened)
token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NDU3Nzg5IiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"

# Split into parts
header_b64, payload_b64, signature_b64 = token.split('.')

print("=== JWT Parts ===")
print(f"Header (Base64): {header_b64}")
print(f"Payload (Base64): {payload_b64}")
print(f"Signature (Base64): {signature_b64[:50]}...")

# Decode parts
header = json.loads(base64.urlsafe_b64decode(header_b64))
payload = json.loads(base64.urlsafe_b64decode(payload_b64))

print("\n=== Decoded Parts ===")
print("\nHeader:")
print(json.dumps(header, indent=2))
print("\nPayload (Claims):")
print(json.dumps(payload, indent=2))
print("\nSignature:")
print(f"  (Cannot decode - it's cryptographic)")
print(f"  Length: {len(signature_b64)} characters")

## Part 2: Access vs Refresh Tokens

**The Token Rotation Flow:**

1. **Login** → Get access + refresh tokens
2. **Use Access Token** → API calls (short-lived, 15-30 min)
3. **Access Expires** → Use refresh token to get new pair
4. **Refresh Used** → Old tokens invalidated, new pair generated

**Why This Pattern?**
- If access token stolen: Only valid for 15-30 minutes
- If refresh token stolen: Can be revoked immediately
- Forces periodic re-authentication: Better security

**Token Lifetimes:**
- Access: 15 minutes (minimize damage window)
- Refresh: 7 days (balance UX with security)

In [None]:
# Use our JWT provider
import sys
sys.path.append('..')

from src.adapters.security.jwt_provider import JWTProvider, get_jwt_provider

# Initialize provider
provider = JWTProvider(secret_key='test-secret-change-in-production')

# Step 1: Create access token
access_token = provider.create_access_token(
    user_id='user_123',
    tenant_id='tenant_456',
    additional_claims={'role': 'user', 'permissions': ['read', 'write']}
)

print('=== Access Token ===')
print(f'Token: {access_token[:50]}...')
print(f'Length: {len(access_token)} characters')
print(f'Parts: {len(access_token.split("."))} (header.payload.signature)')

In [None]:
# Step 2: Create refresh token
refresh_token = provider.create_refresh_token(user_id='user_123')

print('\n=== Refresh Token ===')
print(f'Token: {refresh_token[:50]}...')
print(f'Length: {len(refresh_token)} characters')
print(f'Parts: {len(refresh_token.split("."))} (header.payload.signature)')

In [None]:
# Step 3: Verify access token
from jose import jwt

try:
    payload = provider.verify_access_token(access_token)
    print('\n=== Access Token Verified ===')
    print(f"User ID: {payload['sub']}")
    print(f"Tenant ID: {payload['tenant_id']}")
    print(f"Type: {payload['type']}")
    print(f"JWT ID: {payload['jti']}")
    print(f"Expires: {payload['exp']}")
    print(f"Issued: {payload['iat']}")
    
    # Verify custom claims
    decoded = jwt.decode(access_token, 'test-secret-change-in-production', algorithms=['HS256'])
    print(f"Role: {decoded.get('role')}")
    print(f"Permissions: {decoded.get('permissions')}")
    
except Exception as e:
    print(f'Verification failed: {e}')

In [None]:
# Step 4: Test wrong token type
from jose import JWTError

try:
    # Try to verify refresh token as access token
    provider.verify_access_token(refresh_token)
    print('ERROR: Refresh token should not be accepted as access token!')
except JWTError as e:
    print(f'✓ Correctly rejected: {e}')

In [None]:
# Step 5: Token rotation
print('\n=== Token Rotation ===')

# Use refresh token to get new pair
new_access, new_refresh = provider.rotate_refresh_token(refresh_token)

print('New tokens generated:')
print(f'  New Access: {new_access[:50]}...')
print(f'  New Refresh: {new_refresh[:50]}...')
print(f'\nOld refresh token invalidated!')

In [None]:
# Step 6: Verify old refresh token is now invalid
try:
    provider.verify_refresh_token(refresh_token)
    print('ERROR: Old refresh token should be invalid after rotation!')
except JWTError:
    print('✓ Old token correctly rejected!')

## Part 3: JWT Attacks

**Common Attacks:**

### 1. None Algorithm Attack
- Attacker removes signature (third part)
- Sets `alg: none` in header
- Bypasses signature verification

**Mitigation:**
- Always verify algorithm matches expected (HS256 or RS256)
- Reject `alg: none` immediately

### 2. Replay Attack
- Attacker captures valid token
- Reuses it within validity period
- Accesses protected resources

**Mitigation:**
- Short token expiration (15 min)
- Unique JTI (JWT ID) for each token
- Track used tokens (blacklist)
- Include `nbf` (not before) claim

### 3. Algorithm Confusion
- Attacker claims token signed with RS256 but actually HS256
- Or vice versa
- Confuses verification logic

**Mitigation:**
- Always verify algorithm type
- Reject unexpected algorithms
- Use algorithm allowlist

In [None]:
# Simulate None Algorithm Attack
from jose import jwt
import base64
import json

# Malicious payload (admin role)
payload = {
    'sub': 'user_123',
    'role': 'admin',  # Escalated privilege!
    'alg': 'none'  # Invalid algorithm
}

# Create malicious header (alg: none)
header = {'alg': 'none', 'typ': 'JWT'}

# Encode header and payload
header_encoded = base64.urlsafe_b64encode(json.dumps(header).encode()).decode()
payload_encoded = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()

# Create malicious token (no signature!)
malicious_token = f"{header_encoded}.{payload_encoded}."

print('=== None Algorithm Attack ===')
print(f'Malicious token: {malicious_token}')

# Try to verify (should fail!)
try:
    decoded = jwt.decode(malicious_token, 'test-secret', algorithms=['HS256', 'RS256'])
    print('ERROR: Attack succeeded! Algorithm not validated properly.')
except Exception as e:
    print(f'✓ Attack blocked: {e}')
    print('Mitigation: Always validate algorithm!')

## Part 4: Token Storage Best Practices

**Where to Store Tokens:**

| Location | XSS Risk | CSRF Risk | Recommendation |
|----------|-----------|-----------|---------------|
| localStorage | ❌ High | ❌ Low | Avoid for sensitive tokens |
| sessionStorage | ❌ High | ❌ Low | Avoid for sensitive tokens |
| Cookie (HttpOnly) | ✅ None | ❌ High | Best for refresh tokens |
| Memory | ✅ None | ✅ None | Best for access tokens |

**Best Practice:**
- Access tokens: In memory (cleared on page refresh)
- Refresh tokens: In HttpOnly, Secure, SameSite=Strict cookies
- Never store tokens in URL parameters
- Always use HTTPS

In [None]:
# Exercise: Compare token lifetimes
import time
from datetime import datetime, timedelta

print('=== Token Lifetime Comparison ===')

# Access token (15 minutes)
access_exp = timedelta(minutes=15)
print(f'\nAccess token lifetime: {access_exp}')
print(f'  In minutes: {access_exp.total_seconds() / 60}')
print(f'  In hours: {access_exp.total_seconds() / 3600}')
print(f'  In days: {access_exp.total_seconds() / (3600 * 24)}')
print(f'\nIf stolen: Attacker has {access_exp.total_seconds()} seconds of access')

# Refresh token (7 days)
refresh_exp = timedelta(days=7)
print(f'\nRefresh token lifetime: {refresh_exp}')
print(f'  In minutes: {refresh_exp.total_seconds() / 60}')
print(f'  In hours: {refresh_exp.total_seconds() / 3600}')
print(f'  In days: {refresh_exp.total_seconds() / (3600 * 24)}')
print(f'\nIf stolen: Attacker has {refresh_exp.total_seconds()} seconds of access')
print(f'\nDamage ratio (Refresh/Access): {refresh_exp.total_seconds() / access_exp.total_seconds():.1f}x')

print('\nConclusion:')
print('- Short access tokens = better security')
print('- Longer refresh tokens = better UX')
print('- Balance: 15 min access, 7 days refresh')

In [None]:
# Exercise: Decode and inspect a real JWT
from jose import jwt

# Create a token with our provider
token = provider.create_access_token(
    user_id='test_user',
    tenant_id='test_tenant',
    additional_claims={'admin': False, 'trial': True}
)

# Decode to inspect all claims
decoded = jwt.decode(token, 'test-secret-change-in-production', algorithms=['HS256'])

print('=== Complete JWT Claims ===')
for key, value in decoded.items():
    print(f'{key}: {value}')

# Check standard claims
standard_claims = ['sub', 'iat', 'exp', 'nbf', 'jti', 'iss', 'aud']
custom_claims = [k for k in decoded.keys() if k not in standard_claims]

print(f'\nStandard claims: {len([k for k in decoded.keys() if k in standard_claims])}')
print(f'Custom claims: {len(custom_claims)}')
print(f'Custom claim keys: {custom_claims}')

## Part 5: Production Checklist

**Before deploying JWT authentication:**

- [ ] Use RS256 in production (asymmetric keys)
- [ ] Store secret/private key in HSM or secret manager
- [ ] Implement token blacklisting or whitelisting
- [ ] Set short access token lifetime (15-30 min)
- [ ] Set moderate refresh token lifetime (7-30 days)
- [ ] Validate algorithm (reject 'none' and unexpected algorithms)
- [ ] Include JTI (JWT ID) for revocation support
- [ ] Use HTTPS for all token transmission
- [ ] Store refresh tokens in HttpOnly cookies
- [ ] Implement token rotation
- [ ] Monitor token usage and expiration patterns

**Security Monitoring:**
- Track failed token verifications
- Alert on unusual token rotation patterns
- Monitor token lifetime distributions
- Track JWT ID (JTI) collisions

## Summary

**Key Takeaways:**
1. JWT has three parts: header, payload, signature
2. Use access/refresh token pattern for better security
3. Access tokens should be short-lived (15-30 min)
4. Refresh tokens should be longer-lived (7-30 days)
5. Always validate algorithm (prevent 'none' attack)
6. Use unique JTI for token revocation
7. Store refresh tokens in HttpOnly cookies
8. Use RS256 in production (asymmetric keys)

**Next Steps:**
- User Registration Flow (Lesson 3)
- Login and Session Management (Lesson 4)
- API Key Management (Lesson 5)
- Rate Limiting (Lesson 6)

**Further Reading:**
- RFC 7519 (JWT Specification)
- OWASP JWT Cheat Sheet
- JWT.io (interactive debugger)