Let's Build

A Developer's Guide to JWT: Understanding and Implementing Secure Authentication

Sarvesh Bajaj's photo
Sarvesh Bajaj
·

6 min read

A Developer's Guide to JWT: Understanding and Implementing Secure Authentication

Table of contents

In the evolving landscape of web development, authentication and authorization are critical to building secure systems. JSON Web Tokens (JWTs) have emerged as a powerful mechanism for ensuring stateless, scalable, and secure user authentication. In this blog, we’ll explore JWT concepts, workflows, and practical implementation with Python.

What is JWT?

A JSON Web Token (JWT) is a compact, URL-safe token format used to transmit claims securely between two parties. It consists of three parts:

  1. Header: Contains metadata, such as the type of token and the signing algorithm.

  2. Payload: Contains claims, or the data you want to transmit (e.g., username, role, exp).

  3. Signature: A cryptographic signature generated by combining the header, payload, and a secret key.

Header     : { "alg": "HS256", "typ": "JWT" }
Payload    : { 
  "sub": "1234567890",  // Subject (user identifier)
  "name": "John Doe",
  "roles": ["admin", "user"],
  "iat": 1516239022     // Issued At timestamp
}
Signature  : HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret
)

Resulting Token after encoding :

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

JWT Workflow

Here’s a typical flow for using JWT in a system:

  1. User Authentication: The client sends credentials to the server (e.g., username/password).

  2. Token Issuance: The server validates the credentials and generates a JWT containing user claims.

  3. Token Usage: The client includes the JWT in the Authorization header (Bearer <token>) of API requests.

  4. Token Verification: The server decodes and validates the token before processing the request.

Why Use JWT?

Let's delve into the key differences between session-based and JWT authentication to understand why JWT is often the preferred choice for modern applications.

AspectSession-based AuthenticationJWT Authentication
StateStateful (server-side storage)Stateless (no server-side storage)
ScalabilityHarder to scale (requires session sharing)Easier to scale for distributed systems
RevocationSimple (invalidate session ID)Harder (requires blacklist or reissue mechanism)
StorageSession ID in cookiesToken in local storage, session storage, or cookies
Cross-Domain SupportLimitedExcellent (used widely for APIs)

How Attackers Obtain JWT Tokens

  1. Man-in-the-Middle (MitM): Intercepting token transmission over unsecured channels.

  2. XSS Attacks: Injecting malicious scripts to steal tokens from client-side storage.

  3. Token Replay: Reusing stolen tokens to access APIs.

Mitigation:

  1. Always use HTTPS.

  2. Store tokens securely (e.g., HTTP-only cookies).

  3. Implement token expiration and rotation.

Signed vs. Encrypted JWT

  1. Signed JWT (e.g., with HS256 or RS256):

    • Ensures integrity: The signature proves that the token hasn’t been tampered with.

    • Does not hide the payload: Anyone with the token can decode it (base64 decoding) to see the claims.

  2. Encrypted JWT:

    • Protects the payload by encrypting the entire token so that its content is hidden.

    • Uses additional algorithms like RSA-OAEP for encryption.

Why JWT is signed and not encrypted:

JWT is designed to share claims between parties (like client and server). Signing ensures integrity without requiring encryption unless sensitive data is included.

Common Use Cases

Here are some common scenarios where JWTs are used:

  1. Single Sign-On (SSO): JWTs are widely used in SSO systems to allow users to authenticate once and gain access to multiple applications or services. The token is issued by an identity provider and can be used across different domains, making it ideal for SSO implementations.

  2. API Authentication: JWTs are commonly used to secure APIs by including them in the Authorization header of HTTP requests. This allows the server to verify the token and authenticate the user without maintaining session state, making it suitable for stateless RESTful APIs.

  3. Mobile App Authentication: In mobile applications, JWTs are used to authenticate users and maintain their session state. The token can be stored securely on the device and sent with each request to the server, enabling seamless user experiences without the need for repeated logins.

  4. Microservices Architecture: JWTs are used in microservices to authenticate and authorize requests between services. Each service can verify the token independently, facilitating secure communication in distributed systems.

  5. Web Applications: JWTs are used in web applications to manage user sessions. They can be stored in cookies or local storage and sent with each request to authenticate users and authorize access to resources.

These use cases highlight the versatility and effectiveness of JWTs in various authentication and authorization scenarios, particularly in distributed and stateless environments.

Let's Build

Directory Structure

jwt-demo/
├── venv/          # Virtual environment
├── app.py         # Main Flask server
├── config.py      # Configuration for secret keys
└── auth.py        # Middleware logic for token validation

1. Configuration

File: config.py

SECRET_KEY = "your_secret_key_here"  # Use a strong, unique secret key

2. Token Middleware

File: auth.py

from flask import request, jsonify
import jwt
from functools import wraps
from config import SECRET_KEY

# Middleware to validate JWT token
def token_required(f):
    @wraps(f)
    def decorated(*args, **kwargs):
        token = None

        # Get the token from the Authorization header
        if 'Authorization' in request.headers:
            auth_header = request.headers['Authorization']
            if auth_header.startswith('Bearer '):
                token = auth_header.split(' ')[1]

        # No token found
        if not token:
            return jsonify({'message': 'Token is missing!'}), 401

        try:
            # Decode the token
            decoded = jwt.decode(token, SECRET_KEY, algorithms=['HS256'])
            request.user = decoded  # Attach decoded data to the request
        except jwt.ExpiredSignatureError:
            return jsonify({'message': 'Token has expired!'}), 401
        except jwt.InvalidTokenError:
            return jsonify({'message': 'Invalid token!'}), 401

        return f(*args, **kwargs)
    return decorated

3. Flask Application

File: app.py

from flask import Flask, jsonify, request
from auth import token_required
import jwt
import datetime
from config import SECRET_KEY

app = Flask(__name__)

# Public endpoint for generating a JWT
@app.route('/generate-token', methods=['POST'])
def generate_token():
    data = request.json
    if not data or 'username' not in data:
        return jsonify({'message': 'Invalid request!'}), 400

    payload = {
        'username': data['username'],  # Example user data
        'role': data.get('role', 'user'),  # Optional
        'exp': datetime.datetime.utcnow() + datetime.timedelta(minutes=15)  # Token expiry
    }
    token = jwt.encode(payload, SECRET_KEY, algorithm='HS256')
    return jsonify({'token': token})

# Protected endpoint using the token_required decorator
@app.route('/secure-data', methods=['GET'])
@token_required
def secure_data():
    # Access user data attached by the middleware
    user = getattr(request, 'user', {})
    return jsonify({'message': 'This is secured data', 'user': user})

if __name__ == '__main__':
    app.run(debug=True)

4. Workflow

  • Step 1 : Generate a token

      curl -X POST http://127.0.0.1:5000/generate-token \
  -H "Content-Type: application/json" \
  -d '{"username": "john_doe", "role": "admin"}'

    Response

      {
    "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
  }

  • Step 2: Access Secure Endpoint

      curl -X GET http://127.0.0.1:5000/secure-data \
  -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

    Response

      {
    "message": "This is secured data",
    "user": {
      "username": "john_doe",
      "role": "admin",
      "exp": 1640938000
    }
  }

    Step 3: Missing or Invalid Token

      curl -X GET http://127.0.0.1:5000/secure-data

    Response

      {
    "message": "Token is missing!"
  }

How the Code Works

  1. Token Generation:

    • Send a POST request to /generate-token with user details.

    • The server responds with a signed JWT.

  2. Token Validation:

    • Include the token in the Authorization header when accessing /secure-data.

    • The middleware (token_required) validates the token before processing the request.

  3. Decoded Token Data:

    • Decoded token payload is accessible in the endpoint logic via request.user.

Securing Your JWT Implementation

  1. Use HTTPS to encrypt data in transit.

  2. Implement short token expiration times (e.g., 15 minutes).

  3. Use refresh tokens for long-lived sessions.

  4. Validate token signatures using a strong, secret key.

  5. Monitor and blacklist compromised tokens.

Conclusion

JWT is a powerful tool for stateless authentication in modern applications. By following best practices and implementing robust middleware, developers can create scalable and secure systems while maintaining simplicity and performance.

Start experimenting with JWTs using the provided code and deepen your understanding of how they work in real-world scenarios!

JWTauthenticationSecurityauthorization