JWT authorization in Python, Part 2: Theory
A whole industry of information security arose to handle this problem, and many concepts, principles and tools were developed to split it into smaller problems and solve them separately. One such tool is the JSON Web Token standard, one of the approaches to token-based authentication.
Token-based authentication
Token-based authentication is one authentication mechanism, alongside session-based authentication and the simple login/password scheme. The core idea of the token-based approach is simple: the user enters a login and password, then receives a token that grants access to the permitted resources for a limited amount of time.
JSON Web Token
JWT is a standard. It is written down in RFC 7519 and relies on two other standards: RFC 7515 JSON Web Encryption (JWE) and RFC 7516 JSON Web Signature (JWS).
The standard contains the specification of reserved keywords, a description of the creation and validation process, implementation requirements, example tokens and other information. For the most reliable information, please consult the specification itself.
JWT usage overview
As mentioned above, using JWT is rather simple even without an additional authentication framework. Here is a short overview of the required steps:
- The desired information is encoded using the specified algorithm and a secret phrase. Special fields (defined in the Registered Claim Names section of the standard) may be added, such as the `exp` expiration time. Some of these fields, such as `exp`, are handled automatically by specific implementations. The output is a token of the form `aaaaa.bbbbb.ccccccc`.
- The generated token is passed to the client. There are a few choices of where to store the token on the client; for a web application it can be local storage or cookies. There is a discussion on the internet on this topic, such as JWT authorization in Python, Part 1: Practice.
- On each request, the token is attached to the headers or passed in cookies, depending on the chosen storage. The server application is responsible for decoding and validating the encoded data, as well as for resolving permissions.
The key concept of JWT is that the data is stored in the token itself. This allows storage to be decentralized and avoids explicitly storing session data on the server side.
JWT structure
The token itself consists of three parts: header, payload and signature:
- the header contains the encoded token type and the algorithm
- the payload contains the encoded data and additional metadata
- the signature is computed with the chosen algorithm over the encoded header and the encoded payload, using the secret phrase
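The following is an added example (not code from the original post) that walks through both the usage steps above and the three-part structure with nothing but the Python standard library: it builds a token with an HS256 signature, hands it to a client as a bearer header, and validates it on the server side, including the `exp` claim. The user store, the secret and the `Authorization` header handling are constructed assumptions for the example; a real application would use a maintained library such as PyJWT and check a password hash rather than a plaintext password.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url_encode(data: bytes) -> str:
    # JWT parts use base64url without '=' padding (RFC 7515, section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding that was stripped before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(payload: dict, secret: str) -> str:
    """Build header.payload.signature, signing header and payload with HS256."""
    header = {"alg": "HS256", "typ": "JWT"}
    # Compact JSON (no spaces) is what libraries emit and what jwt.io shows.
    header_b64 = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    signature = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(signature)}"


def decode_jwt(token: str, secret: str, now=None) -> dict:
    """Verify the signature and the exp claim, then return the payload.

    Raises ValueError on any validation failure.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three parts")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # The server pins the algorithm it accepts; the token's header is untrusted input.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    # Constant-time comparison of the expected and presented signatures.
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        raise ValueError("invalid signature")
    payload = json.loads(_b64url_decode(payload_b64))
    current = time.time() if now is None else now
    # exp is a NumericDate: seconds since the epoch. Reject once it has passed.
    if "exp" in payload and current >= payload["exp"]:
        raise ValueError("token expired")
    return payload


# Constructed user store for the example; never keep plaintext passwords in real code.
_USERS = {"alice": "correct horse battery staple"}


def issue_token_for_login(username: str, password: str, secret: str, ttl_seconds: int = 3600) -> str:
    """Step 1: the user logs in with a password and receives a token valid for ttl_seconds."""
    if _USERS.get(username) != password:
        raise PermissionError("bad credentials")
    issued_at = int(time.time())
    return encode_jwt({"sub": username, "iat": issued_at, "exp": issued_at + ttl_seconds}, secret)


def authenticate_request(headers: dict, secret: str) -> dict:
    """Step 3: the server pulls the bearer token out of the Authorization header and validates it."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise PermissionError("missing bearer token")
    return decode_jwt(auth[len("Bearer "):], secret)


if __name__ == "__main__":
    secret = "example-secret-do-not-reuse"
    token = issue_token_for_login("alice", "correct horse battery staple", secret)
    print("issued:", token)
    # Step 2: the client stores the token and sends it back on each request.
    claims = authenticate_request({"Authorization": "Bearer " + token}, secret)
    print("server sees:", claims)
```

The decoder checks the three things the standard's validation process calls for before trusting any claim: the header's algorithm matches what the server expects, the signature over the first two parts verifies under the server's secret, and the `exp` claim has not passed. Only after those checks does the payload become trusted data for permission resolution.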
JWT vs Cookie-based Sessions
JWT brings some benefits compared to cookie-based authentication:
- Easy cross-domain requests.
- Server-side scalability. Since the JWT carries all the information inside, the token and the secret phrase are all that is required to authenticate a user.
- Weak coupling. Because JWT is stateless and backed by a standard, it can be used across different services, possibly written in several languages.
- Easily usable in mobile development. No cookie emulation is required for mobile clients.
- No CSRF. When the token is sent in a header, no cookie is attached automatically by the browser, so there is no CSRF vulnerability.
- Standard-based. JWT is well supported by all major languages.
Conclusion
JWT is a great alternative to the cookie-based authentication approach. It brings some benefits over cookie-based auth, but it also has its drawbacks.