JWT - JSON Web Tokens

A JWT is the concatenation of three base64-encoded parts, separated by dots:

  • base64(header) + '.' + base64(payload) + '.' + base64(signature)

  • signed with an HMAC (shared secret) or with asymmetric crypto (e.g. RSA), as declared in the header's "alg" field.

header = { "alg" : "HS256", "typ" : "JWT" }
payload = { "loggedInAs" : "admin", "iat" : 1422779638 }
signature = HMAC-SHA256(secret, base64(header) + '.' + base64(payload))

Provide a mechanism for token refresh so that a lost or stolen token has a limited window of usefulness.

Access Token – JWT that authorizes the user – very limited lifespan.

  • Is sent with every request and therefore has higher exposure.

Refresh Token – random, opaque token whose only purpose is to obtain a new Access Token.

  • Only used against the refresh endpoint, never with ordinary requests.

  • Longer lifetime.

After all tokens expire, the authentication process must be restarted.

