Today our topic of discussion is JSON Web Token (JWT). There are mainly two use cases for JWT:
- For authentication purposes
- For secure information exchange between two parties
Let's discuss the problem statement first.
1. The Job
A third-party application would like to interact with the target application either for
- accessing some protected resource of the target application
- executing some business logic in the target application
To perform these operations, the third-party application must first be authenticated and authorized. We will now look at the traditional way and the JWT way of solving this problem.
2. The Traditional Way
In the traditional client-server model, the client requests an access-restricted (protected) resource on the server by authenticating with the server using the resource owner's credentials. To give a third-party application access to restricted resources, the resource owner shares its credentials with the third party, i.e. the target application's owner creates a user in their system for the third-party application. This creates several problems:
- Session management
- Performance: multiple database calls are needed for authentication every time we log out or our session expires, which also increases network round-trip time.
- Compromise of any third-party application results in compromise of the end user's password and of all the data protected by that password.
3. The JWT Way
We will first give a glimpse of use case 1, i.e. using JWT to improve the authentication process, and then move on to use case 2, i.e. using JWT to transmit information securely between the service provider and the client, so that the use cases of JWT are clear.
3.1 For authentication purposes
After the initial successful authentication (either with username and password or by other means, such as OAuth), the authorization server generates the JWT and passes it to the client. The client then sends this token with every request for protected resources until the token expires.
This means one needs to authenticate in only two cases:
- the first time, to obtain the token, and
- when the token expires
3.2 For secure information exchange between two parties
When we say that secure information exchange can happen between two parties, it is important to understand why. It raises a crucial question.
Q1: Is it really a secure and trusted way to exchange information?
The answer is yes. One can use JWT for secure information exchange because one can verify the validity of a JWT by checking:
- whether the JWT is well-formed
- whether the signature verifies
- whether the standard claims in the JWT are as per the agreement
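The three checks above, worked through as an added example that is not code from the original article: an HS256 token is minted the way an authorization server would, then verified for structure, signature and agreed claims using only the Python standard library. The secret, issuer and audience values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values: a real deployment loads the key from a secret store
# and agrees issuer/audience with the partner out of band.
SECRET = b"demo-shared-secret-do-not-use-in-production"
EXPECTED_ISS = "https://auth.target.example"   # assumed issuer
EXPECTED_AUD = "orders-api"                    # assumed audience

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint(claims: dict, key: bytes = SECRET) -> str:
    """What the authorization server does: sign header.payload with HS256."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify(token: str, key: bytes = SECRET, now=None) -> dict:
    """The three checks from section 3.2: well-formed, signature, agreed claims."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:                               # well-formed: three segments
        raise ValueError("malformed token")
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        sig = b64url_decode(parts[2])
    except ValueError:                                # covers bad base64 and bad JSON
        raise ValueError("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    if header.get("alg") != "HS256":                  # pin the algorithm; never trust the token's alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):        # signature matches, constant-time compare
        raise ValueError("bad signature")
    if claims.get("iss") != EXPECTED_ISS or claims.get("aud") != EXPECTED_AUD:
        raise ValueError("claims not as agreed")      # standard claims as per the agreement
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired")             # exp is treated as mandatory here
    return claims
```

A signed token of this kind is integrity-protected but not encrypted: the payload is only base64url-encoded, so anything confidential still needs TLS in transit or an encrypted (JWE) token.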
4. Real World Use Case
Let's talk about real-world use cases of JWT.
Use case 1: Some of the RESTful services being developed by the enterprise are required to be used by third parties, which means they have to be available outside the enterprise network. The enterprise needs to protect such services against unauthorized access, and JWT is a good candidate for this scenario.
Use case 2: Securing the APIs makes the system less vulnerable to unauthorized access to our data and to other kinds of attack on the system.
Use case 3: A partner (third-party) enterprise would like to securely exchange information: for example, create accounts for its users, trigger a fulfillment service, or access protected resources. In this case, the third-party enterprise can be granted a JWT by the target enterprise using the Client Credentials grant type workflow. The third-party app then sends the JWT, typically in the Authorization header using the Bearer scheme, and makes the required service calls.
5. JWT Flow: Sequence Diagram
To make everything clear, here is the sequence diagram for the JWT workflow, which is self-explanatory. Here,
- Client is the 3rd-party app,
- Application is the target application,
- Admin is the internal app of the target application.
6. Conclusion
JWT provides a stateless authentication mechanism, as the user state is never saved in server memory. The server's protected routes check for a valid JWT in the Authorization header and, if one is present, the user is allowed in. Because JWTs are self-contained, all the necessary information is in the token, reducing the need to go back and forth to the database. One can also rely fully on stateless data APIs for information exchange.
Hopefully this article helps you understand the different use cases where JWT can be used and in what kinds of use cases enterprises are using JWT. Happy Learning!! :-)