Code Reading - JWT

Published Thursday, April 26, 2018

A code reading by @spencer1248

JSON Web Tokens

Website: jwt.io (maintained by private company AuthO)

JWT Basics

Base64 endcoding

JWTs use base64 encoding.

Why?

• Normalizes data into set of known characters
• No collisions with heading encodings
• Doesn’t break JSON parsers
• Signature is binary
• Take binary data and convert into this common character set

Base64 basics

• 1 character, 64 different permutations
• 6 bytes with 4 characters
• When encrypting, keep in mind going from 6 bytes to 8 bytes increases size of data by 33%

Structure

Start with Base64 string

3 parts:

• header
• payload
• signature

<header>.<payload>.<signature>

Example - period delimited JWT with Base64:

{"typ": "JWT", "alg": "HS256"}.{"aud": "learn", foo": "bar"}.<signature> (signature is a binary string)

• Signed with key and algorithm (ex. HS256)
• Public and private claims
• Private claims are registered (ex. expiry)

General Concerns

• Don’t use JWTs for sensitive information
• Don’t use JWTs as a session replacement [post]

2Learn and JWTs

There are public JWT Devise strategies.

We didn’t use any of those because:

• Too much custom stuff in our codebase and 2U’s codebase
• Will allow us to be more flexible in response to 2U’s requests / requirements

Our custom JWT strategy (JWTAuth):

• integrated into our Rack Middleware
• flip on using env variables
• lives in front of Warden (may get moved further down the chain)
• Error config in its own yaml config file jwt_auth.yml

If you wanna play around with it, we have an example .jwt_auth_inject.yml file you can use to test settings.