JSON Web Token (JWT) In Layman Terms

Introduction

This concept Access Token and JWT (JSON Web Token) is widely used in modern authentication with strong security for authentication and authorization of the application. Let us try to understand this concept in our common real-time scenario. For understanding in deep, I would recommend going through references.

Going to Movie

Let us consider a scenario where you are going to watch a movie in a theater. For that, you need to do the following in general,

  • Register your name in booking portal
  • Select the movie and show time and date
  • Make the payment
  • On success a mobile ticket or printed ticket issued by an authorized booking agency is mailed to you.
  • This ticket is required for you to enter the theater and watch the movie.
  • This movie ticket generally contains following,
    1. Date and Time of show
    2. Movie Name
    3. Name of the person who booked the ticket
    4. Theater Name where the show will be hosted

After the show is completed the ticket becomes invalid and expired and you can’t use it for anything else.

What exactly is JWT?

The JWT (JSON web Token) exactly works in the same way. This is most widely used in modern authentication using OAuth. Access token will be used for following,

  • Authentication (who you are)
  • Authorization (what can you do)

When you try to login to application if that application is using OAuth, usually you will be navigated to following steps in general

  • User will be asked to authenticate. When using MSFT identity it navigates to https://login.microsoftonline.com
  • User will be entering the credentials and after for additional security a pop-up or security code will be generated to registered mobile device.
  • On success, user will be provided an access token which is also referred as JSON web token which is used to do the required actions using the signed in application with defined scope of permissions.
  • After the operation is completed and the application is closed, the JSON Web Token will be expired in general and on new sign-in a fresh access token (a new JWT) will be generated.

In Microsoft Identity an access token which is in the form of JWT is issued by authentication server, in M365 usually it is your Azure AD. It contains the following.

  • Aud: audience of the token a.k.a app identifier
  • appID: the application ID
  • iss: issuer of the token. Usually in the URI format https://sts.windows.net/69271346-cb42-4bcd-b645-338c738cb57e/
  • iat: Issued at date and time
  • nbf: not before, start datetime of validity in UNIX epoch time
  • exp: expiration datetime
  • scp: Service Principal Permissions
  • tid: Tenant ID

Conclusion

In conclusion, we have seen what a JWT is and how this is being used in modern authentication using OAUTH.

References