15
votes

I am unable to clearly grasp how JWT works, esp. the signature part.

Once a client submits correct username and password, the authentication server creates a JWT token consisting of header, payload/claims and signature.

Question 1 - Is signature some secret key (not the user's password) which only the authentication server knows (sort of a private key of the server)?

Question 2 - Say I am using a separate application server and authentication server, on receiving JWT from client, would the application server send the JWT to authentication server to get it validated? I suppose the application server cannot validate a JWT token as it doesn't know the secret key used to sign the header and payload.

Question 3 - I took the following JWT and pasted it on jwt.io. I see the message Signature Verified. How does jwt.io know that the signature is correct as it doesn't know the secret key?

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxLS9tSjVsVTNYc09QWCt2VitpaGZRMWlCUDVjUTROQm1hNDluOE9rS1FFSnEzTDFNOTl2VW9iQ1ZLUHVYMmdlWWhYaHJQM0t3bHY4SE1RaHNGdnFjbllIeGxGSHM9IiwiaXNzIjoicGxheS1zaWxob3VldHRlIiwiZXhwIjoxNTI2MjgxMDU1LCJpYXQiOjE1MjYyMzc4NTUsImp0aSI6IjhmOGM3YTVmYWRkNTE5MjUxNzQ5NGE4N2Q1ODcxZjJjZGUxZDkzMDdkOTY1MThjNjg2NzExOTc1YjU3M2I5NDBlZWU2NGY0NDUwYzcxODI3NGZmNzU1MmE2Y2JlNTVmZmZhMWI1ZjA3ZWZlOWVkNTE0Y2Y4YTViOTZlM2ExYjI0ODRmYTI5NjZiYjA0ODlmODIwZjMyMzM5YWVhNjM3NWRkZmU4ZDE4N2E2NzBjMzg0ODgwZGIyMzQ1ZTFkMzRkYWNjZmY2MTdkMDY1NzU3YmEwZTQzNDg4YWFhZmZmNDNjYWZlZGY0OTFlODU1YTA0NWM0NmJjNDY4NGYzODlmY2YifQ.GwN6TSNd426xpc3Y02eRXHbrmSr_61MMBqrmx66Ofqs


2 Answers

9
votes

Question 1 - Is signature some secret key (not the user's password) which only the authentication server knows (sort of a private key of the server)?

No, the electronic signature is a mathematical computation applied to the payload of the JWT using a secret key. The purpose is to ensure that the message has not been altered and to recognize the signer to validate the JWT.

Question 2 - Say I am using a separate application server and authentication server, on receiving JWT from client, would the application server send the JWT to authentication server to get it validated? I suppose the application server cannot validate a JWT token as it doesn't know the secret key used to sign the header and payload.

Not necessarily. If a symmetric key (HMAC) is used, the signature and verification keys are the same. In that case the Authorization server must know the secret key or send the token to verify. However, if an asymmetric key (RSA, ECDSA) is used, the signature key is different from the verification key. The authorization server can have a copy of the public key safely.

Question 3 - I took the following JWT and pasted it on jwt.io. I see the message Signature Verified. How does jwt.io know that the signature is correct as it doesn't know the secret key?

jwt.io or anyone who wants to verify the token needs the secret key. Note that if you copy-and-paste the token in jwt.io, the signature is not verified, but if you change the secret key, the editor automatically changes the signature, creating a new token at that time.

1
votes

The signature is just hashing, using a secret key generated by the authentication server and the algorithm specified in the header, of a combination of your header, payload, and secret.

Only the authentication and/or application server knows that secret. JWT is encoded and signed, but not encrypted. To understand the difference between Sign/Hash and Encryption, check this.

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret)

The signature just verifies or validates whether the message was already hashed before using the same kind of algorithm specified in the header with the secret that is known only by the server.

To understand how it works in authentication, here is a flow:

  • User signs in; you send user/pass to the server in an encrypted way over https.
  • Server validates username/pass from your db.
  • Server generates a JWT and sends it back to you. The signature is used here to verify the message wasn't changed along the way.
  • Server saves the JWT somewhere in a session store.
  • Later, user requests a server (sends the JWT every time it needs something from the server).
  • Server validates it using the same type of hash algorithm that is in the header and the secret stored in there.
  • Server checks whether it is already there in the session store.
  • Server authorizes and grants you the request.

I would recommend you read this article that is more descriptive to better understand how it works.