1

I read that having a JWT system vs a simple token-based system eliminates token lookups in a database. But I don't get how that's possible. If it uses HMAC for a signature, doesn't the server need to look up the secret key for every client to verify their signature? Or do all clients use the same secret key? (sounds very insecure). If it uses an asymmetric algorithm, doesn't it still need to look up one of the keys to verify the signature?

Ben Aubin

3 Answers

2

In the usual scenario, the server requires the credentials to authenticate the user (i.e. user & password). If the authentication is successful, the server issues a JWT which is signed with the server's private key, not by the client.

The signature protects the content and identifies the signer. Any alteration to the payload or signature can be detected by the server when it verifies the signature, and the server will reject the JWT. Therefore the server can rely on the data included in the JWT.

The server can include in the payload the claims needed for authentication, for example user id sub, exp and other claims of interest like the username, email or the authorization roles. See What to store in a JWT?.

{
    "sub": "joe",
    "iat": 1300819370,
    "exp": 1300819380,
    "email": "joe@stackoverflow.com",
    "roles":["admin","finaluser"]
}

After verification of the signature, the server can directly use the included claims instead of querying the database.

With a symmetric key (HMAC), signature and verification are done with the same key. An asymmetric key pair (RSA) is composed of a private and a public key. Signature is done with the private key and verification with the public. Use an asymmetric key when you need the client to verify the JWT.

Community
pedrofb
2

JWT is mainly used for authorization. Whenever a user succeeds in authenticating using his password (which needs a database lookup), a JWT will be created. This JWT will contain a payload which will mainly contain the user identification. So whenever the user sends a subsequent request to the server, he will attach this JWT to the header. Using this JWT, the server will find out that this user is already authenticated. But there is still authorization. Let's say the user has requested service A. Now we know that the user is authenticated, so we can go to the access control table and see whether this user is eligible to make this service call. Or, if we added the user's authorized service details to the JWT payload at the authentication step, we can now use the payload information to make the authorization decision instead of the database lookup. It depends on the developer. You can use both ways to authorize the user.

Tharsanan
1

You can use the same secret key for every client. And it's secure! The client never sees your key. What JWT allows you to do is verify that the payload was signed using the secret key, and as long as it's kept secret, you'll know that only you could have signed the payload.

Ben Aubin
  • If the client never sees the key, how do they sign their own JWT message? Don't they need the key to sign it? Thanks – CyberFlower Jan 08 '17 at 04:18
  • @CyberFlower the entire point is to verify that the server sent something. You could then save the token in a cookie, for example. – Ben Aubin Jan 08 '17 at 15:07
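
An added example (not part of the original answers, and not any library's own code) of what the answers by pedrofb and Ben Aubin describe: a single server-held HMAC key signs every token, so verifying a request needs neither a per-client key lookup nor a database query. The secret value and the function names are assumptions made up for this illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample key: one secret for all tokens, held only by the server.
SERVER_SECRET = b"constructed-demo-secret"

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input):
    mac = hmac.new(SERVER_SECRET, signing_input.encode("ascii"), hashlib.sha256)
    return b64url(mac.digest())

def issue_token(claims):
    """Run once, after the password check (the only step that hits the database)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    signing_input = header + "." + payload
    return signing_input + "." + sign(signing_input)

def verify_token(token, now=None):
    """Return the claims if the token is authentic and unexpired, else None."""
    try:
        header_b64, payload_b64, signature = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm; never let the token's header choose it.
        if header.get("alg") != "HS256":
            return None
        expected = sign(header_b64 + "." + payload_b64)
        # Constant-time comparison of the recomputed and presented signatures.
        if not hmac.compare_digest(expected, signature):
            return None
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, TypeError, AttributeError):
        return None  # malformed token
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or now >= exp:
        return None  # missing or expired "exp"
    return claims  # trusted as signed: sub, roles, ... with no database query
```

Because the claims are trusted until `exp`, a change to a user's roles or a revocation is not seen by `verify_token` until the token expires.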