JWT

Web

Définition

JSON Web Token. Un format de jeton compact et sécurisé pour URL permettant de transmettre en toute sécurité des revendications entre parties sous forme d'objet JSON signé (et éventuellement chiffré). Couramment utilisé pour l'authentification et l'autorisation dans les API web.

Anatomy of a JWT

A JSON Web Token contains three Base64URL-encoded segments separated by dots: header, payload, and signature. The header declares the token type and signing algorithm (e.g., HS256 or RS256). The payload carries claims — standardized fields like iss (issuer), exp (expiration), sub (subject), plus any application-specific data. The signature ties the first two segments together, allowing any party with the correct key to verify authenticity.

Stateless Authentication

JWTs enable stateless session management. After a user authenticates via OAuthAn open authorization framework that allows third-party applications to access a user's resources without sharing their password. OAuth 2.0 is the industry standard for delegated authorization, used by Google, GitHub, and others. or a login endpoint, the server issues a signed JWT. Subsequent requests include this token in the Authorization: Bearer header. The API validates the signature and reads claims directly — no session database lookup required. This scales horizontally across MicroservicesAn architectural style that structures an application as a collection of loosely coupled, independently deployable services, each responsible for a specific business function and communicating over APIs. without shared session storage.

Security Considerations

The alg: none vulnerability — where a crafted token claims no signature is needed — must be explicitly rejected by libraries. Short expiration times (exp) minimize the damage window if a token is stolen, since JWTs cannot be revoked server-side without additional infrastructure. Sensitive data should never appear in the payload; it is encoded, not encrypted. Store JWTs in HttpOnly cookies or secure storage rather than localStorage to reduce CSPContent Security Policy. An HTTP header that specifies which sources of content (scripts, styles, images) a browser is allowed to load for a page, providing a strong defense against XSS and data injection attacks. bypass risks. Use SSL Certificate Checker to confirm your HTTPSHTTP Secure. The encrypted version of HTTP that uses TLS to protect data in transit between a browser and a web server. Identified by the padlock icon in browsers and the https:// URL scheme. transport layer is properly configured before deploying JWT-based auth.

Termes associés

Plus dans Web