The security space can be a strange and confusing place for newcomers. In this series of posts, we aim to shed light on the security lingo you may encounter when reading the latest security specifications and scanning your favorite Duende documentation. By the end of this post, you’ll have added one more security phrase to your growing lexicon of security jargon with which to impress your fellow security professionals.
Today’s security lingo is JWT, so let’s discuss what the acronym stands for and where you can see and hear it used.
What is JWT?
JWT, pronounced as “jot”, isn’t a positive affirmation you write nightly into your super secret diary. No, JWT might be one of the more essential elements of the OAuth 2.0 and OpenID Connect protocols. So, get ready to take some notes as we explain what a JWT is, where you might use it within a security solution, and why it’s a crucial part of any modern security solution.
JSON Web Token (JWT) is an internet standard data format whose payload holds a set of claims. The token may also be signed, so a consumer can verify that its content has not been altered, and optionally encrypted.
While a JWT is a flexible format that allows for an infinite number of claim permutations, there is a known set of standard claims that facilitate interoperability among issuers and consumers. These tokens are designed with multiple attributes in mind, mainly that they are compact, URL-safe, and user-friendly.
Let’s take a look at an example JWT that you may see when working with authorization in your secured applications.
{
  "iss": "example.com",
  "sub": "1234567890",
  "aud": "example-audience",
  "exp": 1716249022,
  "iat": 1616249022,
  "name": "John Doe",
  "email": "johndoe@example.com",
  "role": "user"
}
If you’re using Duende IdentityServer with OpenID Connect flows, it automatically creates and signs JWTs for you. For .NET developers who want to experiment with JWTs directly, you’ll want to use the System.IdentityModel.Tokens.Jwt package to create and sign your JWTs.
using System.IdentityModel.Tokens.Jwt;
using Duende.IdentityModel;
using Microsoft.IdentityModel.Tokens;

// Note: the HMAC key must be at least 256 bits and stable across restarts,
// otherwise tokens cannot be verified later. CreateRandomKey takes a length
// in bytes, so 32 bytes gives a 256-bit key. In a real application you would
// load the key from configuration or a key store rather than generating it here.
var key = CryptoRandom.CreateRandomKey(32);
var securityKey = new SymmetricSecurityKey(key);
var credentials = new SigningCredentials(securityKey,
    SecurityAlgorithms.HmacSha256);

// The header records the signing algorithm (HS256) and token type.
var header = new JwtHeader(credentials);

// The payload carries the claims; "exp" limits how long the token is valid.
var payload = new JwtPayload
{
    { "sub", "1234567890" },
    { "name", "John Doe" },
    { "iat", DateTimeOffset.UtcNow.ToUnixTimeSeconds() },
    { "exp", DateTimeOffset.UtcNow.AddMinutes(5).ToUnixTimeSeconds() }
};

// Combine header and payload, then serialize to the compact header.payload.signature form.
var token = new JwtSecurityToken(header, payload);
var tokenHandler = new JwtSecurityTokenHandler();
var jwt = tokenHandler.WriteToken(token);
Console.WriteLine(jwt);
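To make the format itself visible, here is an added example (not code from this post or from Duende) that builds and checks an HS256 JWT by hand in Python: the three base64url parts, and the consumer-side checks a relying party should run before trusting the claims (pinned algorithm, signature, iss, aud, exp). The key and claims are constructed for the demo.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    # JWT uses base64url without '=' padding (RFC 7515); that is what makes the token URL-safe
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def compact_json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()

def sign_hs256(claims: dict, key: bytes) -> str:
    # Compact serialization: base64url(header).base64url(payload).base64url(signature)
    signing_input = b64url(compact_json({"alg": "HS256", "typ": "JWT"})) + "." + b64url(compact_json(claims))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_hs256(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    now = int(time.time()) if now is None else now
    h, p, s = token.split(".")  # anything but three dot-separated parts is malformed (raises ValueError)
    header = json.loads(b64url_decode(h))
    # Pin the algorithm: the consumer decides how to verify, never the token's own header
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))  # only read the payload once the signature holds
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:  # exp is optional in RFC 7519; this consumer insists on it
        raise ValueError("expired")
    return claims

def check(token, key, issuer, audience, now=None):
    # Rejection reason as a string, or None when the token is accepted (handy for logging)
    try:
        verify_hs256(token, key, issuer, audience, now)
        return None
    except ValueError as e:
        return str(e)

# Constructed demo key and claims (not a real secret); the claims mirror the payload shown above
DEMO_KEY = b"0123456789abcdef0123456789abcdef"  # 32 bytes = 256 bits, the minimum for HS256
DEMO_CLAIMS = {"iss": "example.com", "sub": "1234567890", "aud": "example-audience", "exp": 1716249022, "name": "John Doe"}
DEMO_TOKEN = sign_hs256(DEMO_CLAIMS, DEMO_KEY)
# Same header and signature as DEMO_TOKEN, but with the payload edited to add a role it was never issued
_parts = DEMO_TOKEN.split(".")
TAMPERED_TOKEN = _parts[0] + "." + b64url(compact_json(dict(DEMO_CLAIMS, role="admin"))) + "." + _parts[2]
```

Run it and compare DEMO_TOKEN with the output of the .NET snippet above: the first segment is identical, because both encode the same header.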
You can read more about securing your applications with JWTs in our documentation regarding client authentication techniques.
There you have it. Next time you’re conferring with colleagues, don’t forget to note your understanding of JWT and how you use it within your secured applications. Who knows, it just might be your claim to fame, or perhaps a footnote in your long and storied security journey.
Thanks for stopping by!
We hope this post helped you on your identity and security journey. If you need a hand with implementation, our docs are always open. For everything else, come hang out with the team and other developers on GitHub.
If you want to get early access to new features and products while collaborating with experts in security and identity standards, join us in our Duende Product Insiders program. And if you prefer your tech content in video form, our YouTube channel is the place to be. Don't forget to like and subscribe!
Questions? Comments? Just want to say hi? Leave a comment below and let's start a conversation.