Security Lingo Explained: JWT

Khalid Abuhakmeh

The security space can be a strange and confusing place for newcomers. In this series of posts, we aim to shed light on the security lingo you may encounter when reading the latest security specifications and scanning your favorite Duende documentation. By the end of this post, you’ll have added one more security phrase to your growing lexicon of security jargon with which to impress your fellow security professionals.

Today’s security lingo is JWT, so let’s discuss what the acronym stands for and where you can see and hear it used.

What is JWT?

JWT, pronounced as “jot”, isn’t a positive affirmation you write nightly into your super secret diary. No, JWT might be one of the more essential elements of the OAuth 2.0 and OpenID Connect protocols. So, get ready to take some notes as we explain what a JWT is, where you might use it within a security solution, and why it’s a crucial part of any modern security solution.

JSON Web Token (JWT) is an internet standard data format whose payload holds a set of claims. The token may additionally be signed, encrypted, or both, so that a consumer can verify the integrity and origin of its content before trusting the claims.

While a JWT is a flexible format that allows any combination of claims, there is a known set of standard claims (such as iss, sub, aud, exp, and iat) that facilitates interoperability among issuers and consumers. These tokens are designed with several attributes in mind, mainly that they are compact, URL-safe, and easy to handle.

Let’s take a look at the decoded payload of an example JWT that you may see when working with authorization in your secured applications. On the wire, this JSON is Base64url-encoded as the middle segment of the token, between the header and the signature.

{
  "iss": "example.com",
  "sub": "1234567890",
  "aud": "example-audience",
  "exp": 1716249022,
  "iat": 1616249022,
  "name": "John Doe",
  "email": "johndoe@example.com",
  "role": "user"
}

If you’re using Duende IdentityServer with OpenID Connect flows, it automatically creates and signs JWTs for you. For .NET developers who want to experiment with JWTs directly, you’ll want to use the System.IdentityModel.Tokens.Jwt package to create and sign your JWTs.

using System.IdentityModel.Tokens.Jwt;
using Duende.IdentityModel;
using Microsoft.IdentityModel.Tokens;

// Note: You want the key to be at least 256 bits
//       and stable. CreateRandomKey takes a length in
//       bytes, so this produces a fresh 256-byte key;
//       a real issuer loads a persisted key instead.
var key = CryptoRandom.CreateRandomKey(256);
var securityKey = new SymmetricSecurityKey(key);

// HS256: the same key signs and verifies the token
var credentials = new SigningCredentials(securityKey,
    SecurityAlgorithms.HmacSha256);

// Header carries "alg" (and "typ"); payload carries the claims
var header = new JwtHeader(credentials);
var payload = new JwtPayload
{
    { "sub", "1234567890" },
    { "name", "John Doe" },
    { "iat", DateTimeOffset.UtcNow.ToUnixTimeSeconds() }
    // A token meant for consumption would also carry
    // "iss", "aud" and "exp" so consumers can validate it
};

// Serialize to the compact header.payload.signature form
var token = new JwtSecurityToken(header, payload);
var tokenHandler = new JwtSecurityTokenHandler();
var jwt = tokenHandler.WriteToken(token);

Console.WriteLine(jwt);
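As an added example, not code from the post or from Duende, the same kind of HS256 token built and checked by hand in Python with only the standard library, so the compact header.payload.signature form that the C# sample prints becomes visible, together with the checks a consumer has to make before trusting the claims (algorithm, signature, iss, aud, exp). The key and claims are constructed sample values.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    # Base64url without padding, as the JWS compact serialization requires
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Return header.payload.signature for an HS256-signed JWT."""
    if len(key) < 32:  # HS256 keys must be at least 256 bits (RFC 7518)
        raise ValueError("key too short for HS256")
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_hs256(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Verify signature and standard claims; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token must have exactly three segments")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # The verifier decides the algorithm; the token is not trusted to pick it
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))  # only decoded after the signature passes
    now = int(time.time()) if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired")
    return claims

if __name__ == "__main__":
    key = b"constructed-demo-key-32-bytes!!!"  # sample only; use a random, stable key
    claims = {"iss": "example.com", "sub": "1234567890", "aud": "example-audience",
              "exp": 1716249022, "iat": 1616249022, "name": "John Doe"}
    jwt = sign_hs256(claims, key)
    print(jwt)
    print(verify_hs256(jwt, key, "example.com", "example-audience", now=1700000000))
```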

You can read more about securing your applications with JWTs in our documentation regarding client authentication techniques.

There you have it. Next time you’re conferring with colleagues, don’t forget to note your understanding of JWT and how you use it within your secured applications. Who knows, it just might be your claim to fame, or perhaps a footnote in your long and storied security journey.

We hope you found this post enlightening. If there’s other security lingo you’re unsure about, please let us know in the comments, and we’ll be happy to explain. And while you’re here, please take a moment to explore our range of security products and join our community in our public discussions.