JSON Web Tokens (JWT)
- Last Updated: August 19, 2021
- OpenEdge
- Version 12.2
- Documentation
A JSON Web Token (JWT), while not part of the OAuth2 standard, is commonly used as the physical structure of a self-contained access token. A JWT holds a resource owner's identity, the client identity, issuing and expiration timestamps, and the scopes used by a resource server's authorization process. Other authorization server-defined claims (JSON fields) may be added by a vendor's implementation. A JWT is a Base64-encoded value made up of three sub-structures: one describing the data-integrity signature algorithm, one holding the user's identity claims, and one holding the data-integrity signature itself. The sub-structures are delimited by period ('.') characters.
| Structure Name | Description |
|---|---|
| Header | Contains information about the JWT's payload and data-integrity signature structures, including the signature algorithm |
| Payload | Contains multiple JWT claims (JSON fields) that describe an authenticated user's id, issuing and expiration timestamps, scope, client ID, and other values |
| Signature | Contains a binary digital signature of the header and payload structures, that is produced using the signature algorithm type and size contained in the header |
A JWT's payload has a small number of common user identity claim fields, but for the most part is wide open to customization of what it contains. Common identity claim fields include:
| JWT Field Name | Description | Required in JWT token | Required in OAuth2 token |
|---|---|---|---|
| iss | The URI of the authorization server that issued the JWT token. | Yes | Yes |
| sub | The user-id. For OAuth2, it is the resource owner’s ID. | Yes | Yes |
| aud | May be a string value holding a single recipient identifier (also known as resource server ID) that limits the token’s access to a single resource server. May also be an array of strings with each array element holding a single recipient identifier, which then allows the token to access multiple resource servers. | Yes | Yes |
| client_id | This identifies the unique client ID registered by a client application with an authorization server, and is used by a resource server to determine whether the issued JWT can be used to access resource owner data. | No | Yes |
| jti | A unique identifier for this token that may be used to detect replay attacks and establish client login sessions. | optional | optional |
| iat | The JWT creation date. | Yes | Yes |
| exp | The JWT expiration date, after which it may not be used by a resource server. | optional | optional |
| nbf | The JWT validation date, before which it may not be used by a resource server. | optional | optional |
| scope | OAuth2 field name that carries a space delimited list of scopes that serve to tell a resource server what data and operations the client is authorized to access. | Yes | Yes |
| token_type | OAuth2 field name. Indicates the HTTP authorization header scheme that this token was issued in (typically the bearer value). | optional | optional |
| <other> | Any other authorization server-provided claims. | optional | optional |
A JWT's header may specify one of a set of data-integrity algorithm types based on the JWS standard, which includes HMAC (secret-key) and RSA (public-private key) types.
| Header Field Name | Description | Required |
|---|---|---|
| alg | The JWS algorithm name used for generating and verifying the JWT's signature field value (see the table of JWS signature names). | Yes |
| typ | The type of token data format. If not specified, it is often defaulted to JWT by most vendor implementations. | No |
| kid | The alias key-ID name that identifies a keystore entry containing the key (HMAC secret or RSA public key) that the resource server uses to validate the JWT's signature field value. | No |
JWS signature names:
| JWS Algorithm Name | Cryptographic Algorithms | Hash Size (bits) |
|---|---|---|
| HS256 | HMAC with SHA-256 | 256 |
| HS384 | HMAC with SHA-384 | 384 |
| HS512 | HMAC with SHA-512 | 512 |
| RS256 | RSA signature with SHA-256 | 256 |
| RS384 | RSA signature with SHA-384 | 384 |
| RS512 | RSA signature with SHA-512 | 512 |
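To show how the three structures, the claim fields and the header fields above fit together, here is an added example in Python (not OpenEdge code and not part of this documentation). It builds an HS256-signed JWT with the OAuth2 claims from the claims table, then performs the checks a resource server would run: look up the key by `kid`, restrict `alg` to the HMAC names it is configured for, verify the signature, and validate `iss`, `aud`, `exp` and `nbf` before consulting `scope`. The shared secret, keystore contents, issuer and audience values are all constructed for the example; only the Python standard library is used.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed keystore: maps a "kid" header value to the HMAC secret for that entry.
# In a real deployment the secret would be loaded from a protected keystore, never hard-coded.
KEYSTORE = {"as-key-1": b"constructed-example-secret-not-for-production"}

# JWS HMAC algorithm name -> hash function (the HS256/HS384/HS512 rows of the table above).
HASHES = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_encode(data: bytes) -> str:
    """Base64url encoding without '=' padding, as JWS requires for every JWT sub-structure."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Reverse of b64url_encode; restores the padding the encoder stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(claims: dict, kid: str, alg: str = "HS256") -> str:
    """Produce header.payload.signature, signing the first two parts with the keystore secret for kid."""
    header = {"alg": alg, "typ": "JWT", "kid": kid}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8"))
    )
    signature = hmac.new(KEYSTORE[kid], signing_input.encode("ascii"), HASHES[alg]).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_jwt(token: str, expected_iss: str, expected_aud: str, now: float = None, leeway: int = 0) -> dict:
    """Return the payload claims if the signature and the standard claims are valid; raise ValueError otherwise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three '.'-delimited parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))

    # Accept only the algorithms this resource server is configured for. The alg value is
    # attacker-controlled input until the signature has been verified, so it is never trusted blindly.
    alg = header.get("alg")
    if alg not in HASHES:
        raise ValueError(f"unsupported alg {alg!r}")
    key = KEYSTORE.get(header.get("kid"))
    if key is None:
        raise ValueError("unknown kid")

    # The signature covers the encoded header and payload exactly as transmitted.
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), HASHES[alg]).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")

    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != expected_iss:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]  # aud may be a string or an array of strings
    if expected_aud not in aud_list:
        raise ValueError("audience mismatch")
    if "exp" in claims and now > claims["exp"] + leeway:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"] - leeway:
        raise ValueError("token not yet valid")
    return claims


def check_jwt(token: str, expected_iss: str, expected_aud: str, now: float = None) -> str:
    """Convenience wrapper: 'ok' when the token validates, otherwise the reason it was rejected."""
    try:
        verify_jwt(token, expected_iss, expected_aud, now=now)
        return "ok"
    except ValueError as err:
        return str(err)


def has_scope(claims: dict, required: str) -> bool:
    """The OAuth2 scope claim is a space-delimited list; check for one required scope."""
    return required in claims.get("scope", "").split()


# Constructed claims covering the OAuth2 fields from the claims table.
EXAMPLE_CLAIMS = {
    "iss": "https://as.example.test",
    "sub": "user-42",
    "aud": ["inventory-api", "orders-api"],
    "client_id": "web-client",
    "jti": "c0ffee-0001",
    "iat": 1000,
    "nbf": 1000,
    "exp": 4600,
    "scope": "read:inventory write:orders",
    "token_type": "bearer",
}

if __name__ == "__main__":
    token = create_jwt(EXAMPLE_CLAIMS, kid="as-key-1")
    print(token)
    print(check_jwt(token, "https://as.example.test", "orders-api", now=2000))  # ok
    print(check_jwt(token, "https://as.example.test", "orders-api", now=5000))  # token expired
```

Running the script prints the token and the two validation results. The order of checks matters: `alg` and `kid` are taken from the header before the signature is verified, so the verifier restricts them to configured values rather than letting the header decide which algorithm or key to use; only after the signature holds are the payload claims trusted.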