
I'm trying to understand JWT token usage, but I'm getting lost on the theoretical part.

I have some questions about the JWT token structure. In order to make this question a sort of documentation for new users, and to give it a logical order, I will write them in bold below as I list the contents of a sample JWT.

I will also summarize them at the end of the question.


A "classic" JWT token is composed as follows:

[HEADER].[PAYLOAD].[SIGNATURE]

In detail:


HEADER

{
  "alg": "HS256",
  "typ": "JWT"
}

Which contains the following fields:

  • ALG = Encryption algorithm (using the default HS256 could be fine)
  • TYP = simply tells that it's a JWT

PAYLOAD

{
  "sub": "1234567890",
  "name": "MrJohnDoe",
  "iat": 1516239022
}
  • SUB = an OPTIONAL parameter. It's the subject of the token. (credits: see @cassiomolin's answer)

According to Where to store user id in jwt, it looks like you can use it to store your user ID.

  • NAME = The username
  • IAT = Token creation date and time, expressed as a unix timestamp. (Thanks to @jps and @JeanRostan in the comments below)

SIGNATURE

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret
)

  • SECRET = Unique key known just by the server. Not to be confused with the current user's password, which should never be used for this! (thanks to @jps in the comments below)
Deadpool

  • iat is a unix timestamp, it expresses the number of seconds elapsed since 1970-01-01 00:00:00 UTC (https://en.wikipedia.org/wiki/Unix_time) so it's a date indicating when the token won't be valid anymore. The wiki page on JWT tokens will answer your questions most likely: https://en.wikipedia.org/wiki/JSON_Web_Token#Standard_fields – Jean Rostan Apr 16 '18 at 15:34
  • read [here](https://stackoverflow.com/questions/42058353/how-jwt-token-expiresin-works-in-feathers/42063121#42063121) about the timestamp format. IAT is issued at, the timestamp when the token was created. The expiration is in the exp claim. – jps Apr 16 '18 at 15:36
  • @JeanRostan Understood! Thanks! What about "SUB" and "secret"? Can you please explain to me what they are exactly? – Deadpool Apr 16 '18 at 15:36
  • secret is a key used for the signature. And you should not use the user's password. The secret should only be known on the server side. – jps Apr 16 '18 at 15:38
  • @jps That makes me a little bit less confused and a little bit more at the same time... I mean, thanks to your comment now I've understood but... What if I use both? Does one claim override the other? – Deadpool Apr 16 '18 at 15:39
  • @jps All right, thanks! The last question is about the sub... Can you please explain to me what it contains exactly? – Deadpool Apr 16 '18 at 15:41
  • @Deadpool you mean iat and exp? These are simply two different claims, one for the time of creation, the other for the end of its life – jps Apr 16 '18 at 15:42
  • @jps Understood (yes, it was about IAT and EXP, but now this step is clear) – Deadpool Apr 16 '18 at 15:44
  • subject is to whom the token was issued. – jps Apr 16 '18 at 15:48
  • @jps Do you mean, for example, the API controller that generated it or the user who is logged in? I find this part a little complicated... Can you please explain it to me with a simple example? I think it will make me understand this completely – Deadpool Apr 16 '18 at 15:51

1 Answer

What is sub? Can you please provide me an example of what it could be in a common usage?

The sub claim identifies the principal that is the subject of the JWT. In other words, it can hold the username of the user to whom you issued the token.

From the RFC 7519:

4.1.2. "sub" (Subject) Claim

The sub (subject) claim identifies the principal that is the subject of the JWT. The claims in a JWT are normally statements about the subject. The subject value MUST either be scoped to be locally unique in the context of the issuer or be globally unique. The processing of this claim is generally application specific. The sub value is a case-sensitive string containing a StringOrURI value. Use of this claim is OPTIONAL.

cassiomolin

  • Thanks! So it's not needed, good! I was searching very deeply in the meantime and I found a rumor that said that "You can use sub to store your unique user ID". Is that a correct usage, in your opinion? – Deadpool Apr 16 '18 at 16:15
  • @Deadpool Yes, it's suitable for a unique user identifier. – cassiomolin Apr 16 '18 at 16:18
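The token layout the question walks through (HEADER.PAYLOAD.SIGNATURE, HS256 over the two base64url segments, iat/exp, a secret only the server knows) and the answer's point that sub is a unique user identifier scoped to its issuer, put together as an added Python example. This is not code from the question, the answer or any library they mention; it uses only the standard library, and SECRET and the issuer name auth.example are constructed placeholders. One correction to the question's wording that the code makes visible: HS256 is an HMAC, an integrity tag over the header and payload, not encryption. Anyone holding the token can base64url-decode and read the payload; the secret only stops them from changing it.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example secret. A real deployment uses a random key of at least
# 32 bytes that only the server knows; it must never be a user's password.
SECRET = b"constructed-example-secret-not-for-production"
ISSUER = "auth.example"  # assumed issuer name for the "iss" claim


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding Python's decoder expects."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256(signing_input: bytes, secret: bytes) -> bytes:
    """The SIGNATURE part: HMAC-SHA256 over 'base64url(header).base64url(payload)'."""
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def issue_jwt(user_id: str, secret: bytes, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Build HEADER.PAYLOAD.SIGNATURE with sub = the user's unique id and an expiry."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": user_id, "iat": now, "exp": now + ttl}
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    signing_input = ".".join(parts).encode("ascii")
    return ".".join(parts + [b64url_encode(hs256(signing_input, secret))])


class InvalidToken(Exception):
    pass


def verify_jwt(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Check the signature before trusting anything in the payload, then the claims."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64url or bad JSON
        raise InvalidToken("malformed token")
    # Pin the algorithm on the server. The header is attacker-controlled, so a
    # token claiming "alg": "none" (or anything but HS256) is rejected outright.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise InvalidToken("unexpected alg")
    expected = hs256(f"{header_b64}.{payload_b64}".encode("ascii"), secret)
    # Constant-time comparison so the check does not leak the tag byte by byte.
    if not hmac.compare_digest(expected, signature):
        raise InvalidToken("bad signature")
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:
        raise InvalidToken("malformed payload")
    if not isinstance(claims, dict) or claims.get("iss") != ISSUER:
        raise InvalidToken("wrong issuer")  # sub is only unique within its issuer
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise InvalidToken("expired or missing exp")
    if not isinstance(claims.get("sub"), str):
        raise InvalidToken("missing sub")
    return claims


def is_valid(token: str, secret: bytes, now: Optional[int] = None) -> bool:
    try:
        verify_jwt(token, secret, now)
        return True
    except InvalidToken:
        return False


def tamper_sub(token: str, new_sub: str) -> str:
    """Rewrite the payload's sub but keep the old signature (what an attacker might try)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(b64url_decode(payload_b64))
    claims["sub"] = new_sub
    return ".".join([header_b64, b64url_encode(json.dumps(claims, separators=(",", ":")).encode()), sig_b64])


def forge_alg_none(token: str) -> str:
    """Swap the header for {"alg":"none"} and drop the signature (the classic 'none' attack)."""
    _, payload_b64, _ = token.split(".")
    return ".".join([b64url_encode(b'{"alg":"none","typ":"JWT"}'), payload_b64, ""])


if __name__ == "__main__":
    tok = issue_jwt("1234567890", SECRET, now=1516239022)
    print(tok)
    print(verify_jwt(tok, SECRET, now=1516239022))
    print(is_valid(tamper_sub(tok, "admin"), SECRET, now=1516239022))  # False
    print(is_valid(forge_alg_none(tok), SECRET, now=1516239022))       # False
```

The order inside verify_jwt is the point: the alg is pinned and the HMAC is checked with hmac.compare_digest before any claim is read, and only then are iss, exp and sub validated. In production you would use a maintained library such as PyJWT rather than this hand-rolled code, but with the algorithm list passed explicitly, because the library can only do the same checks if you tell it which algorithm to expect.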