In this section we will look at authentication mechanisms and how they can be abused.

Now, what is the difference between authentication and authorization? Authentication establishes who a user is (for example, by checking a password or a token); authorization decides what that authenticated identity is allowed to do.

image.png

JSON Web Tokens

What are JSON Web Tokens?

A JWT is a way of formatting data (claims) for transfer between multiple parties. A JWT can use either JSON Web Signature (JWS) or JSON Web Encryption (JWE) to protect the data it carries, though in practice JWS is far more common in web applications, so this module only discusses JWTs that use JWS. Two further standards complete the JWT family: JSON Web Key (JWK) and JSON Web Algorithm (JWA). JWK defines a JSON data structure for cryptographic keys, and JWA defines the cryptographic algorithms used with JWTs.

image.png

Now let's see how a JWT is constructed.

A JWT is made up of three parts separated by dots: the header, the payload, and the signature.

The header and the payload are JSON objects that are Base64URL-encoded (with the trailing padding stripped). The third part is not JSON: it is the raw signature bytes, also Base64URL-encoded:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJIVEItQWNhZGVteSIsInVzZXIiOiJhZG1pbiIsImlzQWRtaW4iOnRydWV9.Chnhj-ATkcOfjtn8GCHYvpNE-9dmlhKTCUwl6pxTZEA
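To make the three-part structure concrete, here is an added example (not code from the page or from HTB Academy) that splits the token above into header, payload and signature, restores the Base64URL padding that JWTs strip, and then shows the other direction: how an HS256 signature is produced over the ASCII string "header.payload" and how it is checked. The HMAC key used for the round trip is a constructed value chosen here; the key that signed the page's own token is not known, so that token is only decoded, never verified.

```python
import base64
import hashlib
import hmac
import json

# The token shown on the page, split across lines for readability.
SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJpc3MiOiJIVEItQWNhZGVteSIsInVzZXIiOiJhZG1pbiIsImlzQWRtaW4iOnRydWV9."
    "Chnhj-ATkcOfjtn8GCHYvpNE-9dmlhKTCUwl6pxTZEA"
)


def b64url_decode(segment: str) -> bytes:
    """Base64URL-decode one JWT segment, re-adding the padding JWS strips."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def b64url_encode(raw: bytes) -> str:
    """Base64URL-encode without padding, as the JWS compact form requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> dict:
    """Split a compact JWS into its three parts WITHOUT verifying anything.

    Header and payload are parsed as JSON; the signature is returned as raw
    bytes. Nothing in the claims can be trusted until the signature is checked.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated parts, got {len(parts)}")
    header_b64, payload_b64, sig_b64 = parts
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        "signature": b64url_decode(sig_b64),
    }


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Build a compact JWS. The HMAC-SHA256 tag is computed over the ASCII
    signing input '<b64url(header)>.<b64url(payload)>', not over the JSON."""
    header_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    tag = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(tag)}"


def verify_hs256(token: str, key: bytes) -> bool:
    """Recompute the HS256 tag over the token's own first two segments and
    compare in constant time. Any malformed input is simply rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        presented_tag = b64url_decode(sig_b64)
    except ValueError:  # covers bad Base64 and bad JSON
        return False
    # Pin the algorithm: this verifier only ever accepts HS256 tokens.
    if header.get("alg") != "HS256":
        return False
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_tag = hmac.new(key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected_tag, presented_tag)


if __name__ == "__main__":
    parsed = decode_jwt(SAMPLE_TOKEN)
    print("header:   ", parsed["header"])
    print("payload:  ", parsed["payload"])
    print("signature:", parsed["signature"].hex(), f"({len(parsed['signature'])} bytes)")

    # Round trip with a constructed key (the page's real signing key is unknown).
    demo_key = b"example-key-not-from-the-page"
    fresh = sign_hs256(parsed["header"], parsed["payload"], demo_key)
    print("fresh token verifies with the right key:", verify_hs256(fresh, demo_key))
    print("fresh token verifies with a wrong key:  ", verify_hs256(fresh, b"wrong"))

    # Swap the payload but keep the old signature: the tag no longer matches.
    header_b64, _, sig_b64 = fresh.split(".")
    forged_payload = b64url_encode(b'{"iss":"HTB-Academy","user":"admin","isAdmin":false}')
    print("payload swapped, old signature kept:    ",
          verify_hs256(f"{header_b64}.{forged_payload}.{sig_b64}", demo_key))
```

Two details worth noticing when running it: the signature segment decodes to exactly 32 bytes, which is what an HMAC-SHA256 tag (HS256) produces, and re-encoding the decoded header and payload with compact JSON separators reproduces the first two segments of the page's token byte for byte, which is why the signing input has to be the encoded segments rather than the parsed JSON.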

image.png

The first part of the JSON Web Token is the header.

It contains metadata about the token — basically small pieces of information that describe how the token should be processed or verified.

The header is a JSON object, and after being created, it is Base64URL-encoded to form the first section of the JWT.

Typical fields inside the header include: