
JWT

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
JWT
Name: JSON Web Token
Abbreviation: JWT
Introduced: 2010s (RFC 7519 published May 2015)
Standard: IETF (RFC 7519)
Related: OAuth 2.0, OpenID Connect, JSON

JWT (JSON Web Token) is a compact, URL-safe format for representing claims to be transferred between two parties: a JSON object carrying the claims is base64url-encoded and protected either by a digital signature or MAC (as a JWS) or by encryption (as a JWE). It is widely used for authentication, authorization and information exchange across distributed systems, web applications and APIs, and because the format is standardized, a token issued by one implementation can be validated by another, whether commercial, open-source, or reference code from a standards body.

Overview

JSON Web Token came out of the IETF's JOSE (JSON Object Signing and Encryption) and OAuth working groups, which set out to standardize a secure token format suited to HTTP ecosystems such as REST APIs and single-page applications. Implementations typically integrate with OAuth 2.0 and OpenID Connect (whose ID tokens are JWTs) and with identity providers such as Auth0, Okta, Microsoft Entra ID (formerly Azure Active Directory), Google Identity Platform and AWS Cognito. Large-scale deployments run on platforms from Red Hat, IBM and Oracle and on cloud providers such as Amazon Web Services and Microsoft Azure.

Structure and Components

In the common case of a signed token (the JWS compact serialization) a JWT is three base64url-encoded segments separated by periods: a JOSE header, the payload, and the signature; an encrypted token (the JWE compact serialization) has five segments. The header states the algorithm ("alg") and usually the token type ("typ") and a key identifier ("kid"); algorithm identifiers come from the JSON Web Algorithms registry, most commonly HS256 (HMAC with SHA-256), RS256 (RSA PKCS#1 v1.5 with SHA-256) and ES256 (ECDSA on the P-256 curve with SHA-256). The payload is a JSON object of claims: the registered claim names iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before), iat (issued at) and jti (token identifier), plus public or private claims that applications define, as services from Salesforce, GitHub, Twitter and Facebook do in their own tokens. The signature is computed over the ASCII string formed by the first two segments joined with a period and provides integrity and origin authentication using either a shared secret (HMAC) or an asymmetric key pair (RSA, ECDSA, EdDSA); verification keys are distributed as JSON Web Keys (RFC 7517) or X.509 certificates. Base64url encoding is not encryption: anyone holding a signed token can read its claims, so secrets do not belong in the payload of a JWS.

Key management usually relies on the discovery and metadata endpoints that federation protocols such as OpenID Connect Discovery specify: a provider's /.well-known/openid-configuration document names its jwks_uri. Public keys are published as JSON Web Key Sets (JWKS) that relying parties fetch from identity providers such as Keycloak or Ping Identity and cache; the "kid" header of a token selects the matching key, which lets providers rotate keys without downtime. The JWKS location must come from the verifier's own configuration or the provider's metadata over TLS, never from a URL carried in the token itself (the "jku" and "x5u" header parameters), since a token-supplied location would let an attacker point the verifier at keys of their own choosing. Libraries in the major language ecosystems (for example PyJWT for Python, jsonwebtoken and jose for Node.js under the OpenJS Foundation, Nimbus JOSE+JWT for Java, and stacks from the Eclipse Foundation and Apache Software Foundation) provide parsing, validation and cryptographic support.

Signing, Encryption, and Security Considerations

JWT supports both signing (JWS, RFC 7515) and encryption (JWE, RFC 7516). Signed tokens give origin authentication and integrity; encrypted tokens additionally hide the claims from anyone other than the intended recipient, which matters when a token crosses intermediaries or is stored by a client, but neither replaces TLS on the wire. Algorithm choice shapes the security posture: HS256 requires every verifier to hold the shared secret (so any verifier can also mint tokens), whereas RS256, ES256 and EdDSA let verifiers hold only a public key, which is why multi-party deployments favour asymmetric algorithms over the NIST P-256 curve or Ed25519. The best-known misconfigurations are accepting the "none" algorithm (an unsigned token) and letting the token's own "alg" header choose the verification routine, which permits algorithm substitution; both have been covered in advisories from library maintainers and vendors, Cloudflare and Synopsys among them. A verifier should pin the expected algorithm, select the key from its trusted set by "kid", check the signature before acting on any claim, and only then enforce issuer, audience, exp and nbf with a small clock-skew allowance (typically seconds to a few minutes). Because a signed token stays valid until exp, revocation needs either short lifetimes (renewed via OAuth 2.0 refresh tokens) or a denylist keyed on jti that is consulted at verification time; these controls are promoted in guidance from OWASP (its JWT cheat sheet) and CISA.
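As an added example (not code from the original article or from any library it names), the following Python module mints and parses the three-segment structure described under Structure and Components, selects the verification key by "kid" from a key set as described above, and implements the hardened verification order from this section. Its key set is constructed for the example: it uses symmetric "oct" keys so that everything runs with the standard library only, whereas real providers publish RSA/EC public keys. EXAMPLE_KEYS, EXAMPLE_JWKS, encode_jwt, verify_jwt, verdict, forge_alg_none and the issuer and audience strings are names assumed by the example.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url_encode(data: bytes) -> str:
    # JWS uses base64url with the '=' padding removed (RFC 7515 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # Restore the padding the token format strips before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

# Constructed key set, not any provider's JWKS. Real providers publish public RSA/EC
# keys; symmetric "oct" keys (RFC 7518 section 6.4) keep this standard-library only.
EXAMPLE_KEYS = {"2024-old": b"old-rotated-out-key-0123456789ab",
                "2025-current": b"current-signing-key-0123456789ab"}
EXAMPLE_JWKS = {"keys": [{"kty": "oct", "kid": kid, "alg": "HS256", "k": b64url_encode(k)}
                         for kid, k in EXAMPLE_KEYS.items()]}

def encode_jwt(claims: dict, key: bytes, kid: str) -> str:
    """Mint an HS256 compact JWS: base64url(header).base64url(payload).base64url(sig)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    segments = [b64url_encode(json.dumps(part, separators=(",", ":")).encode())
                for part in (header, claims)]
    # The MAC covers the ASCII of the first two segments joined by '.'.
    signing_input = ".".join(segments).encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return ".".join(segments + [b64url_encode(signature)])

def decode_unverified(token: str) -> tuple:
    """Split into (header, claims, signature) WITHOUT checking; only for reading kid/alg."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments (JWS compact form)")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims, b64url_decode(parts[2])

def verify_jwt(token: str, jwks: dict, issuer: str, audience: str,
               now: float = None, leeway: int = 60) -> dict:
    """Hardened verification: the verifier, not the token, decides the algorithm,
    so 'alg': 'none' and algorithm substitution fail before any crypto runs."""
    now = time.time() if now is None else now
    header, claims, signature = decode_unverified(token)
    # 1. Algorithm pinning: header['alg'] is compared, never dispatched on.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    # 2. Key selection by 'kid', restricted to the trusted key set.
    keys = {k["kid"]: k for k in jwks["keys"] if k.get("kty") == "oct"}
    jwk = keys.get(header.get("kid"))
    if jwk is None:
        raise ValueError("unknown kid")
    # 3. Recompute the MAC over the original bytes; compare in constant time.
    signing_input = token.rsplit(".", 1)[0].encode("ascii")
    expected = hmac.new(b64url_decode(jwk["k"]), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    # 4. Registered claims (RFC 7519 section 4.1) with bounded clock skew.
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise ValueError("expired or missing exp")
    if now + leeway < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    return claims

def verdict(token: str, jwks: dict, issuer: str, audience: str, now: float) -> str:
    """Non-raising wrapper: 'ok' or the rejection reason (for logging and tests)."""
    try:
        verify_jwt(token, jwks, issuer, audience, now)
        return "ok"
    except ValueError as exc:
        return str(exc)

def forge_alg_none(token: str) -> str:
    """What an attacker submits: header rewritten to alg 'none', signature dropped.
    A verifier that dispatches on header['alg'] accepts this; verify_jwt does not."""
    header, _, _ = decode_unverified(token)
    header["alg"] = "none"
    parts = token.split(".")
    parts[0] = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    return ".".join(parts[:2]) + "."

if __name__ == "__main__":
    now, iss, aud = 1_700_000_000, "https://issuer.example", "api.example"
    token = encode_jwt({"iss": iss, "sub": "alice", "aud": aud, "exp": now + 300},
                       EXAMPLE_KEYS["2025-current"], "2025-current")
    for t in (token, forge_alg_none(token)):
        print(t, "->", verdict(t, EXAMPLE_JWKS, iss, aud, now))
```

forge_alg_none is rejected at the algorithm pin before any MAC is computed, and a token whose "kid" is not in the trusted set never reaches the signature check. With RS256 or ES256 the same structure holds: the HMAC step becomes a public-key signature check from a library such as PyJWT, and the pinned algorithm must then be the asymmetric one so that a public key can never be fed to an HMAC routine.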

Use Cases and Implementation

Adoption spans mobile applications distributed via Apple App Store and Google Play, microservices architectures orchestrated by Kubernetes, and serverless functions on AWS Lambda and Google Cloud Functions. In federated identity, tokens issued by providers like Auth0 and Okta enable single sign-on with service providers including Salesforce and Workday. API gateways from NGINX, Kong, and Tyk validate tokens for access control, while applications using frameworks such as Spring Framework, Django, Express.js, and Ruby on Rails parse claims for authorization decisions. Interoperability with standards like SAML and SCIM often requires mapping between claim sets and assertions.

Vulnerabilities and Attacks

Well-known vulnerability classes are algorithm confusion, key confusion, and implementation flaws in libraries. In the classic key-confusion attack an attacker takes a token from a provider that signs with RS256, changes the header to HS256 and signs the token with the provider's public key (which is public by design); a verifier that dispatches on the header's "alg" and hands the same key material to the HMAC routine then accepts the forgery, and accepting "alg": "none" is the degenerate case of the same bug. Signature bypasses of this kind have been reported in advisories by CERT teams and by security researchers from Google Project Zero and Trail of Bits. Replay and token theft are common where storage or transport is not protected, because a bearer token is valid for whoever presents it until it expires; mitigations bind the token to the client by proof of possession, either certificate-bound tokens over mutual TLS (RFC 8705, which places the client certificate's thumbprint in the "cnf" claim) or DPoP (RFC 9449, an application-level proof of a client-held key), complemented by short lifetimes and jti tracking. Cross-site attacks in browsers (a token kept in localStorage is readable by any injected script) and insecure storage on mobile devices have been documented by researchers at Stanford University and the University of California, Berkeley, and by NIST and MITRE.
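As an added example (not from the original article, and not the text of RFC 8705), the following Python code shows the two server-side mitigations named above applied to a claims set whose signature, issuer, audience and expiry have already been verified: the certificate-bound check of RFC 8705, where the issuer places base64url(SHA-256(client certificate DER)) in cnf["x5t#S256"] and the resource server compares it with the certificate authenticated on the current mutual-TLS connection, and a jti replay guard. CLIENT_CERT_DER and OTHER_CERT_DER are constructed placeholder bytes, not parseable certificates; bind_to_cert, is_bound_to_cert, ReplayGuard and authorize are names assumed for the example.

```python
import base64
import hashlib
import hmac

# Constructed placeholder bytes standing in for DER-encoded client certificates.
# A real server hashes the certificate the TLS layer authenticated on this connection.
CLIENT_CERT_DER = bytes.fromhex("308201a23082014aa00302010202090099e5c3f1d4b2a1c6")
OTHER_CERT_DER = bytes.fromhex("308201b53082015da003020102020900ab12cd34ef56ab78")

def cert_thumbprint(cert_der: bytes) -> str:
    """x5t#S256 as RFC 8705 section 3.1 defines it: base64url, no padding, of SHA-256(DER)."""
    return base64.urlsafe_b64encode(hashlib.sha256(cert_der).digest()).rstrip(b"=").decode("ascii")

def bind_to_cert(claims: dict, cert_der: bytes) -> dict:
    """Issuer side: record the client's certificate thumbprint in the 'cnf' claim."""
    return dict(claims, cnf={"x5t#S256": cert_thumbprint(cert_der)})

def is_bound_to_cert(claims: dict, presented_cert_der: bytes) -> bool:
    """Resource-server side: honour the token only on a connection that was mutually
    authenticated with the certificate it is bound to. A token stolen from storage
    or from transit is useless without the matching private key."""
    cnf = claims.get("cnf")
    expected = cnf.get("x5t#S256") if isinstance(cnf, dict) else None
    if not isinstance(expected, str):
        return False  # unbound token where binding is required: reject
    return hmac.compare_digest(expected.encode("utf-8"),
                               cert_thumbprint(presented_cert_der).encode("ascii"))

class ReplayGuard:
    """Remember 'jti' values until their token expires; a second presentation within
    the lifetime is a replay. In-memory here; replicas need a shared store."""

    def __init__(self):
        self._seen = {}  # jti -> exp

    def accept(self, claims: dict, now: float) -> bool:
        jti, exp = claims.get("jti"), claims.get("exp")
        if not isinstance(jti, str) or not isinstance(exp, (int, float)):
            return False  # both are required, otherwise the cache cannot be bounded
        # Evict entries whose tokens could no longer pass the exp check anyway.
        self._seen = {j: e for j, e in self._seen.items() if e > now}
        if jti in self._seen:
            return False
        self._seen[jti] = exp
        return True

def authorize(claims: dict, presented_cert_der: bytes, guard: ReplayGuard, now: float) -> str:
    """Checks that run AFTER signature and registered-claim validation have passed."""
    if not is_bound_to_cert(claims, presented_cert_der):
        return "rejected: token not bound to this client certificate"
    if not guard.accept(claims, now):
        return "rejected: replayed or unidentifiable token"
    return "ok"
```

The binding check makes token theft unprofitable: an attacker who exfiltrates the token from a browser or mobile store cannot complete the mutual-TLS handshake as the original client. The replay guard is bounded by construction because it refuses tokens without exp and evicts entries once they expire; DPoP (RFC 9449) achieves the same binding without client certificates by having the client sign each request with its own key.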

Standards and Interoperability

The token format and its processing rules are specified in a suite of IETF RFCs: RFC 7519 defines the JWT claims set and the token itself, RFC 7515 (JWS) and RFC 7516 (JWE) define the signed and encrypted containers, RFC 7517 (JSON Web Key) the key format, RFC 7518 (JSON Web Algorithms) the algorithm registry, and RFC 8725 collects current best practices for JWT security. Interoperability testing and conformance profiles are advanced by the OpenID Foundation's certification programme and by projects under the Cloud Native Computing Foundation, while the FIDO Alliance addresses the adjacent user-authentication layer rather than the token format. Implementers consult OWASP guidance and updates from the IETF OAuth and JOSE working groups to maintain compatibility across libraries and identity providers.

Category:Computer security