20241016 1:24:55 AM

skywarth · Oct 16, 2024 · beabafc · beabafc
1 parent 91ea58d
commit beabafc
Showing 1 changed file with 45 additions and 0 deletions.
diff --git a/docs/information-technology/security/topics/token/JWT.md b/docs/information-technology/security/topics/token/JWT.md
@@ -11,6 +11,9 @@
 	- Public/private key pair like in any asymmetric cryptography algorithm
 		- RSA
 		- ECDSA
+- **JWT doesn't offer data privacy. Anyone and everyone can read and parse the data transmitted, no matter the algorithm nor the secret for signature.**
+	- If you ever need to send sensitive information in the JWT payload, make sure it is encrypted
+	- Assume that everyone will see the contents of the payload
 
 ## Application areas
 
@@ -25,6 +28,48 @@
 - Signing helps with identifying the other party, and making sure they are who they claim to be
 - Header and signature is used for verifying the contents of the payload against any tempering and alteration during the transfer
 
+## Structure
+
+Consisting of three parts:
+- [[#Header]]
+- Payload
+- Signature
+
+- Each part is separated by `.`, example: `xxxxx.yyyyy.zzzzz`
+
+### Header
+
+Usually consists of two parts:
+- Token type: `JWT`
+- And the signing algorithm being used for this token. E.g: `SHA256`, `RSA`, `HMAC`
+
+```
+{
+  "alg": "HS256",
+  "typ": "JWT"
+}
+```
+
+Above is the JSON format of it, it is later encoded with Base64Url to be turned into a stream of string, so it can be used in the first part of the string.
+
+### Payload
+
+The actual payload, the data you want to transmit. It contains **claims**. In JWT, **claims** are statements about the entity in question, usually this is the user. 
+
+There are three types of claims:
+- Registered: Standard, recommended for interoperability
+- Public: [IANA JSON Web Token Registry](https://www.iana.org/assignments/jwt/jwt.xhtml)
+- Private: custom data
+
+Payload is JSON, and is also encoded with Base64Url to be converted into a line string
+
+### Signature
+
+Last section of the encoded JWT token string. 
+
+Signature is created by merging the encoded header and payload, joining them with `.` as usual, then you need a secret (private), and need to choose a encryption algorithm. Then you sign it with that algorithm.
+
+Since the receiver can easily decode the header section (after verifying the JWT structure, which is recommended), the receiver knows which algorithm is used for the signing process. This way it can be verified.
 
 ## Resources