A JWT (JSON Web Token) typically consists of three parts: a header, a payload and a signature.
Header
Contains metadata about the JWT.
alg: the algorithm used to sign the token.
typ: the type of the token, always JWT.
{
"alg": "HS256",
"typ": "JWT"
}
Other header fields may be present, but these two are always there.
Payload
The payload contains the claims of the JWT. The standard claims are the following:
iss: the issuer, the entity that generates and issues the JWT.
sub: the subject, the entity identified by this token.
aud: the audience, the target audience for this JWT.
exp: the expiry, a timestamp in UNIX format after which the token should not be accepted.
iat: issued at, the date when the token was issued.
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022
}
Signature
The signature is created using the Encoded Header, Encoded Payload, a Secret and a Cryptographic Algorithm.
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
The following algorithms are supported by both Client and Server JWT components.
OpenSSL libraries are required to sign and verify the JWT.
TsgcHTTP_JWT_Client: JWT client that encodes and signs a JWT and sends it as an Authorization header over the HTTP and WebSocket protocols.
TsgcHTTP_JWT_Server: JWT server that decodes and validates a JWT received as an Authorization header over the HTTP and WebSocket protocols.
* JWT Components require at least Indy version 10.6.0.5169 or sgcWebSockets Enterprise Edition.