JWT Token and its usage in Authorization

In this post we will talk about what JWT is and how it is used to secure web applications. We will discuss how it works and why it is so popular these days for web authorization and security. So let's begin.

JWT stands for JSON Web Token. The official site, jwt.io, describes it as follows:
"JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties." Simply said, it is a standard way for two parties to communicate securely.

Authorization:

This is currently the most common use case of JWT. But first, let's understand what authorization is. There are two processes involved in securing a web application:
Authentication and Authorization: under authentication the user's identity is checked, which decides whether they can access the application at all. Once the user is logged in, their authorities are checked to decide whether they are permitted to access a given resource; this is done as part of authorization.

Authorization Strategies:

  • Session ID
  • JWT Token

Before JWT was introduced, the session ID was the most popular way of doing authorization, and it is still used in several applications.
Both session tokens and JWT tokens work over HTTP, which is stateless: each request is totally unaware of any action taken previously. So the request must carry all the information, including the user information, needed to access a resource on the server side.

Session-based Authorization: In this case, when a user logs in, the server creates session information and stores it in its memory. It generates a session ID during session creation and stores it in a cookie in the browser. Every subsequent request to a resource then carries this session ID in its header, so the server can read it and match it against the session data stored in server memory.

Drawbacks of the Session ID, and why JWT was introduced

The problems with session-based authorization are:

  • It is not suitable for distributed applications, because the session data is stored on the server side. If there are several instances of your application, the session data needs to be available at every instance and every new entry needs to be replicated to each instance, which is difficult to implement.
  • It is difficult to scale: if the application receives a lot of traffic, storing that many users' session data on the server side is hard and application performance can degrade.

JWT Authorization: Token-based authorization solves the above issues because it performs well in distributed applications and scales easily. Let's discuss how it works.

JWT actually contains the user information in encrypted form, using a secret key that is stored on the server side. So instead of storing the user information on the server and matching it against a session ID, the user state is now kept by the client itself in the form of a JWT. During authentication (log in), the user info is encrypted into a JWT with the secret on the server side and sent to the client. The client then sends it as a header with every subsequent request.

Security is handled by signing the token with the secret key. Every JWT sent by the client is signed, and the server validates the signature using the secret key it holds.
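Added example, not code from the original post: the issue-and-verify flow above in Python, standard library only, with HS256 (HMAC-SHA256) as the signing algorithm, an `exp` check, and constructed test values for the secret and claims. One point it makes visible: the HS256 payload is base64url-encoded rather than encrypted, so anyone holding the token can read the claims, and the secret only guarantees they were not altered.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    # base64url without '=' padding, as the JWS spec requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(claims: dict, secret: bytes) -> str:
    """Issue a compact HS256 token, header.payload.signature (done at login)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_jwt(token: str, secret: bytes, now=None):
    """Check a token presented on a request; return its claims, or None if invalid."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm: never let the token's own 'alg' field pick the check
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
        # Constant-time compare so timing does not reveal how many bytes matched
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(payload_b64))
        # Expiry: short lifetimes limit how long a stolen token stays usable
        if "exp" in claims and (time.time() if now is None else now) >= claims["exp"]:
            return None
    except (ValueError, TypeError):
        return None  # wrong segment count, bad base64/JSON, or malformed claims
    return claims


def read_claims_unverified(token: str) -> dict:
    """The payload is only base64url-encoded, not encrypted: any holder can read it."""
    return json.loads(b64url_decode(token.split(".")[1]))
```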

Drawbacks of JWT

  • Large payload: since the complete user information is stored in the token, the payload becomes larger than a plain session ID. Every request therefore carries extra overhead compared with a small session ID.
  • Disabling a JWT is not possible: there is no concrete way to disable a JWT if some hacker gets hold of it.
