Since everything in computer science is getting more advanced, application security is becoming a major topic to think on. One of the frequently used technology in our APIs is tokens. Tokens are used for a self-contained singular chunk of information. This kind of methodology is being used especially in REST APIs. Using tokens make the application stateless and this situation becomes with several advantages such as extensibility, multi platform usage, distributed app usage and security. In this article, we will get into details of JSON Web Tokens (JWTs) because when we talk about building our own APIs, there’s always going to be the topic of how to secure our own API.
What is JWT ?
JWTs are a URL-safe, compact, self-contained string with meaningful information that is usually digitally signed or encrypted. They’ve become a standard for token implementations across the world wide web. Being URL-Safe in tokens mean that all the information is prepared encrypted so, anyone who has no signature can’t decrypt the token information.
Content Of JWT Token
A simple JWT string contain three seperate parts; header, payload, signature.
Header containts tho parts: the type and the algorithm. Standart used for the type is JWT and algorithm is HMAC SHA256 (HSHA256)
Payload carries the whole data we want to store in. Also in the payload the expiration time is stored.
Signature contains three parts too; the header, the payload and the secret. When we want to create the signature, we encode the header with base64URLEncode and also we encode the payload with base64URLEncode too. And we merge these two strings together with the header and payload order. After the concatanation, this string is sent to HSHA256 encryptor with the secret key. The result of this equals to the signature.
It seems very long process, “no!” it is not. Because today’s world, computer processing and the resources for processing this kind of staff is very easy.
Example JWT Usage In JAVA
To Create A Token;
String JWTString = Jwts.builder().setIssuer("GOSOFT").setSubject("GOSOFT_HEADER")