
What is JWT?


  1. What is OpenID Connect?
  2. Create OpenID Client Application using Auth0
  3. A Basic Java Web Application to Understand OpenID Connect using Auth0
  4. What is JWT? - You Are Here!
  5. Java Auth0 OpenID Connect JWT Signature Verification

JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. It has three main parts, the Header, the Payload (Body) and the Signature, and these are separated by dots as follows.
      Header.Payload.Signature

A JSON Web Token looks like this.
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ik1SWiBQb3J0YWwiLCJ0eXBlIjoidXNlciJ9.
Gae3h3J7fiurf5Ts09TbiTLs0jPYlGCMQ6Acr_AXxdM


While this looks like gibberish, it is actually a very compact, printable representation of a series of claims, along with a signature to verify its authenticity.

Header
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload
{
  "sub": "1234567890",
  "name": "MRZ Portal",
  "type": "user"
}

As we can see, the Header and the Payload are JSON, and the claims are stored in the Payload section. Every additional claim therefore directly increases the size of the JWT.
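To make the structure concrete, the following added example (my code, not part of the article or of Auth0's libraries) splits the article's own token into its three segments and base64url-decodes the Header and Payload. JWT segments are written without the usual "=" padding, so the decoder restores it before decoding; the signature is kept as raw bytes, and nothing is verified here.

```python
from __future__ import annotations

import base64
import json

# The JWT shown in the article, joined into a single line (the article breaks it after each dot).
EXAMPLE_JWT = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ik1SWiBQb3J0YWwiLCJ0eXBlIjoidXNlciJ9."
    "Gae3h3J7fiurf5Ts09TbiTLs0jPYlGCMQ6Acr_AXxdM"
)


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment; JWT segments omit '=' padding, so restore it first."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_jwt(token: str) -> tuple[dict, dict, bytes]:
    """Split a compact JWT into (header, payload, raw signature bytes).

    This only parses; it does NOT check the signature, so the returned claims are untrusted.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    signature = b64url_decode(signature_b64)
    return header, payload, signature


if __name__ == "__main__":
    header, payload, signature = decode_jwt(EXAMPLE_JWT)
    print("header :", header)
    print("payload:", payload)
    # HS256 produces a 32-byte HMAC-SHA256 tag, which is what the article's token carries.
    print("signature length:", len(signature), "bytes")
```

Decoding is not validation: anyone can read the Header and Payload of a JWT, and the claims only become trustworthy after the Signature has been checked with the right key.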

How is a JWT generated?
What is alg?

The alg defined in the header is the algorithm used to create the signature. There are two main algorithms used to create the signature.
  1. HS256 (HMAC with SHA-256)
  2. RS256 (RSA signature with SHA-256)


The HS256 Algorithm

Uses the SHA-256 algorithm for hashing, and a symmetric (shared) key is used to produce the signature, which is an HMAC over the Header and Payload. Hence the same symmetric key must be used to recompute and check the signature during the validation process.


The RS256 Algorithm

Uses the SHA-256 algorithm for hashing, and the server's private key is used to produce the signature. Hence the public key of the server must be used to verify the signature during the validation process.
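The following added example (my code, not the article's or Auth0's) shows the HS256 case end to end: the signing input is the string "Header.Payload", the signature is HMAC-SHA256 over that exact string with the shared key, and validation recomputes the HMAC with the same key and compares it in constant time. DEMO_KEY and the function names are constructed for this example. RS256 uses the identical signing input and token layout; only the signature step differs (an RSA signature made with the private key and checked with the public key), which the Python standard library cannot do, so it is not shown here.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key for this example only. In a deployment the shared key comes
# from a secrets store and is known only to the issuer and the verifier.
DEMO_KEY = b"example-shared-secret-for-demo-only"


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as the JWT compact serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Inverse of b64url_encode: restore the padding, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def hs256_sign(payload: dict, key: bytes) -> str:
    """Build 'Header.Payload' and append the HMAC-SHA256 tag computed over it."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8"))
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode("utf-8"))
    )
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def hs256_verify(token: str, key: bytes) -> Optional[dict]:
    """Recompute the HMAC with the shared key and compare it in constant time.

    The verifier pins the algorithm it expects (HS256) instead of trusting whatever
    the token header says, and returns None on any malformed or mismatching token.
    """
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        presented = b64url_decode(signature_b64)
    except ValueError:  # wrong segment count, bad base64url, or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return None
    return json.loads(b64url_decode(payload_b64))


if __name__ == "__main__":
    claims = {"sub": "1234567890", "name": "MRZ Portal", "type": "user"}
    token = hs256_sign(claims, DEMO_KEY)
    print(token)
    print("valid with shared key :", hs256_verify(token, DEMO_KEY))
    print("valid with other key  :", hs256_verify(token, b"some-other-key"))
```

Two points worth noting in the verifier: the HMAC is recomputed over the base64url text exactly as received (not over re-serialized JSON, which could differ byte for byte), and hmac.compare_digest is used so the comparison time does not leak how many leading bytes of the tag matched.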


For the validation process, the server's certificate is issued to the client application so that it can extract the authorization server's public key and use it to verify the signature. Refer This.

