JSON Web Token (JWT) is an open standard that defines a compact and self-contained way of securely transmitting information between parties as a JSON object, and it is not limited to REST services. Currently it has draft status as RFC 7519. It can carry a lot of information with robust behavior while remaining simple and relatively small. Like any other token, a JWT can be used to transfer the identity of authenticated users between an identity provider and a service provider.
It can also carry all of the user's claims, such as authorization data, so that the service provider does not need to look up the user's roles and permissions in a database or external system for each request; that data is extracted from the token itself.
How JWT Security Works
1) The client logs in by sending its credentials to the identity provider.
2) The identity provider verifies the user's credentials. If they verify successfully, it retrieves the user data and generates a JWT containing the user details and permissions that will be used to access the services. It also sets the expiration of the JWT, which could be unlimited.
3) The identity provider encrypts the JWT and sends it to the client as the response to the initial request with credentials.
4) The client stores the JWT for an unlimited or limited amount of time, depending on the expiration set by the identity provider.
5) The client sends the stored JSON Web Token in an Authorization header with every request to the service provider.
6) For each request, the service provider takes the JSON Web Token from the Authorization header, decrypts it and, if needed, validates the signature. If everything checks out, it extracts the user data and permissions from the token data alone and, without looking up further details in the database or contacting the identity provider, accepts or denies the client request. The only requirement is an agreement between the identity provider and the service provider on the encryption scheme, so that the service can verify the signature or decrypt what the identity provider encrypted.