JWT

JWT represents a parsed JWT (JSON Web Token) object.

A JWT consists of three sections:

Header

The header consists of two parts:

  • declaring the type, which is JWT
  • the signing algorithm used, e.g. HMAC SHA256 (HS256)
An example header (the type is carried in the standard "typ" header parameter):
 {
  "typ": "JWT",
  "alg": "HS256"
 }

Payload

The payload contains the data for the JWT. These are known as JWT claims. The claims carry all the information regarding the JWT. Typically the JWT payload is in JSON format.

Registered Claims

Registered claims are not mandatory, but they are reserved names outlined in RFC 7519. These include:

  • iss: The issuer of the token.
  • sub: The subject of the token.
  • aud: The audience of the token.
  • exp: The expiration time as a NumericDate value. The expiration MUST be after the current date/time for the JWT to be accepted.
  • nbf: Defines the time before which the JWT MUST NOT be accepted for processing.
  • iat: The time the JWT was issued. Can be used to determine the age of the JWT.
  • jti: Unique identifier for the JWT. Can be used to prevent the JWT from being replayed. This is helpful for a one-time-use token.

Public Claims

These are claims defined by the application issuing the token, for example name, email, etc.
An example payload:

 {
  "iss": "ebasetech.com",
  "exp": 1300819380,
  "name": "John Doe",
  "admin": true
 }
 

Signature

The third and final part of the JSON Web Token is the signature. The signature is omitted if the algorithm in the header is set to none. The signature is created by signing the base64url-encoded header and payload, concatenated with a "." separator:

Example of an HS256 signature:

 var encodedString = base64UrlEncode(header) + "." + base64UrlEncode(payload);
 HMACSHA256(encodedString, 'secret');

JWT Functions

getAudience JWT.getAudience( ) Returns the aud (audience) claim.
getClaimNames JWT.getClaimNames( ) Returns the names of the claims present in the payload.
getExpiration JWT.getExpiration( ) Returns the exp (expiration time) claim.
isExpired JWT.isExpired( ) Returns true if the exp claim is before the current date/time.
getClaim JWT.getClaim( claimName ) Returns a claim value for a given name.
getClaimArray JWT.getClaimArray( claimName ) Returns a claim array value for a given name.
getIssuedAt JWT.getIssuedAt( ) Returns the iat (issued at) claim.
getIssuer JWT.getIssuer( ) Returns the iss (issuer) claim.
getJWTId JWT.getJWTId( ) Returns the jti (JWT ID) claim.
getNotBefore JWT.getNotBefore( ) Returns the nbf (not before) claim.
getSubject JWT.getSubject( ) Returns the sub (subject) claim.

JWS Functions

getHeader JWT.getHeader( ) Returns the JWS header.
getPayload JWT.getPayload( ) Returns the payload as a string.
getSignature JWT.getSignature( ) Returns the signature for the JWS or JWT.
isSigned JWT.isSigned( ) Returns true if the specified JWT compact string represents a signed JWS, false otherwise.
verifyFileJWKSet JWT.verifyFileJWKSet( filename ) Verifies the signature using the public RSA keys in the JWK set read from the specified file.
verifyFromKeyStore JWT.verifyFromKeyStore( keystore , password ) Verifies the signature using a specified KeyStore location and password.
verifyHMAC JWT.verifyHMAC( secret ) Verifies the HMAC signature with the specified SecretKey.
verifyInputStreamJWKSet JWT.verifyInputStreamJWKSet( is ) Verifies the signature using the public RSA keys in the JWK set read from the specified InputStream.
verifyPublicKey JWT.verifyPublicKey( publicKey ) Verifies the RSA signature with the specified PublicKey.
verifyRemoteJWKSet JWT.verifyRemoteJWKSet( url ) Verifies the signature using the OAuth 2.0 server's JSON Web Key Set (JWKS) endpoint published at the given well-known URL.