JSON Web Token FAQs and debug
What is a JSON Web Token (JWT)?
A compact, URL-safe means of representing claims to be transferred between two parties.
What does a JWT look like?
In its compact form, JSON Web Tokens consist of three parts separated by dots (.), which are:
Therefore, a JWT typically looks like the following.
Is JWT for authentication?
No. Since the JWT process starts only after successful authentication, JWT is only for authorization.
What are advantages of JWT?
- No backend store — As the server encodes all the data about the grant into the token itself, no data is stored at the server except the secret
- No session to manage (stateless) — JWT is a self-contained token (stored at the client side), so the server does not need to keep track of it
- Supports scaling — As no session is tracked, the single point of failure (SPOF) of a shared session cache / session affinity is avoided across multiple server instances
- More compact — As JSON is less verbose than XML, the encoded token is more compact compared to Simple Web Tokens (SWTs) and Security Assertion Markup Language (SAML) tokens
- More secure — Even though it can be read by anybody, it cannot be tampered with without invalidating the signature. JWT supports various algorithms, including public/private key pairs and symmetric signing
- Portable — A single token can be used with multiple backends; ideal in a microservice environment with 2/3-legged tokens
- Decoupled/Decentralized — The token can be generated anywhere. Authorization can happen on the resource server, or be easily separated into its own server
What are disadvantages of JWT?
- Can’t easily revoke an access token, so they are normally granted a short expiry and revocation is handled at the refresh token
- Unless the communication is secured, a token can be stolen and misused. HTTPS communication is recommended
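As an added example (not code from the original post), the following Python builds an HS256 token in the header.payload.signature shape described above, shows that the payload is readable by anyone without the key while any edit to it invalidates the signature, and enforces the short `exp` that stands in for revocation. The secret and claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real deployment loads a long random key from a secret store.
SECRET = b"example-hs256-secret-for-this-faq"

def b64url_encode(data: bytes) -> str:
    # JWT compact serialization uses base64url with the '=' padding stripped.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def sign_hs256(claims: dict, secret: bytes) -> str:
    # The token is header.payload.signature; the signature covers the first two parts.
    signing_input = encode_json({"alg": "HS256", "typ": "JWT"}) + "." + encode_json(claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_hs256(token: str, secret: bytes, now: float) -> Optional[dict]:
    # Returns the claims when signature and expiry check out, otherwise None.
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm: the header is untrusted input, so the verifier decides, not the token.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    # Constant-time compare; any edit to header or payload changes the expected digest.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None
    claims = json.loads(b64url_decode(payload_b64))
    # Short expiry is the page's substitute for revocation, so enforce 'exp' when present.
    if "exp" in claims and now >= claims["exp"]:
        return None
    return claims

def alter_payload(token: str, **changes) -> str:
    # Re-encode the payload with changed claims but keep the old signature (no key needed).
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims.update(changes)
    return ".".join([header_b64, encode_json(claims), sig_b64])
```

Running `verify_hs256` on the output of `alter_payload` returns `None`, which is the tamper detection the "more secure" point relies on.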