Friday, July 10, 2020

JSON Web Token (JWT) Use Case: Secure Information Exchange Between Two Parties

Today our topic of discussion is JSON Web Token (JWT). There are mainly two use cases for JWT:
  1. For authentication purposes 
  2. For secure information exchange between two parties 
Out of these two use cases, we will discuss the second one today. Although it is not the most common scenario for using JWT, it offers a clean way for third-party applications/clients to interact with a target application when the target application does not want to persist any user-related data for those third-party clients on its side. If you are wondering how the target application would then identify or authenticate the third-party clients, you are on the right track; we will get to that in a while. Please stay with me for a little longer. Apart from this, we will also present some practical, industry-standard use cases of JWT and explain a generic JWT flow using a sequence diagram.

1. The Job


Let's discuss the problem statement first.
A third-party application would like to interact with the target application either for
- accessing some protected resource of the target application
- executing some business logic in the target application
To perform these operations, the third-party application must first be authenticated and authorized. We will now look at the traditional way and the JWT way of solving this problem statement.

2. The Traditional Way 


In the traditional client-server model, the client requests an access-restricted resource (protected resource) on the server by authenticating with the server using the resource owner's credentials. In order to give third-party applications access to restricted resources, the resource owner shares its credentials with the third party, i.e. the target application's owner creates a user in their system for the third-party application. But this creates several problems, such as:
  • Session management
  • Performance: multiple database calls are needed for authentication every time we log out or our session expires, which also increases network round-trip time. 
  • Compromise of any third-party application results in compromise of the end user's password and of all the data protected by that password.
The burning question is "How can we avoid these problems then?" The answer is a token-based authentication system. JWT allows the server to verify the information contained in the token without necessarily storing state on the server.

3. The JWT Way 


We will first give a glimpse of use case 1, i.e. using JWT to improve the authentication process, and then move on to use case 2, i.e. using JWT to transmit information securely between the service provider and the client, so that we all have a clear understanding of the use cases of JWT.

3.1 For authentication purposes 

After the initial successful authentication (either with a username and password or by other means, such as OAuth), the authorization server generates the JWT and passes it to the client. The client then presents this token in every request for protected resources until the token expires.
This means one needs to authenticate in only two cases:
  • the first time, to get the token, and
  • when the token expires
The service provider only cares about the token and its validity. If the received token is valid, access is granted to the client.

3.2 For secure information exchange between two parties 

Now, when we say that secure information exchange can happen between two parties, it is important to understand the reason behind it. It raises a very crucial question.
Q1: Is it really a secure and trusted way for information exchange?
The answer is yes. One can use JWT for secure information exchange because one can verify the validity of a JWT:
  • whether the JWT is well-formed or not 
  • whether the signature matches or not 
  • whether the standard claims in the JWT are as agreed or not
Access to secured resources or information exchange between two parties is allowed only if the JWT has passed these validity checks. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
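To make the three checks above concrete, here is an added example (not code from the original post) of issuing and verifying an HS256-signed JWT between two parties using only Python's standard library; the shared secret, issuer and audience names are constructed for illustration. The verifier applies the checks in the order listed: well-formedness, signature, then the agreed standard claims (iss, aud, exp).

```python
import base64, hashlib, hmac, json, time

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Issue a compact JWT: base64url(header).base64url(claims).base64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_hs256(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Return the claims if the token passes the three checks from the text, else raise ValueError."""
    now = time.time() if now is None else now
    # Check 1: well-formed (three base64url parts carrying JSON objects).
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed: expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        sig = b64url_decode(sig_b64)
    except ValueError as exc:  # base64 and JSON decoding errors are all ValueErrors
        raise ValueError(f"malformed: {exc}")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed: header and payload must be JSON objects")
    # Check 2: signature matches. The verifier pins the algorithm it expects rather than
    # trusting the token's alg field, so an unsigned (alg "none") token is rejected here.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("signature mismatch")
    # Check 3: standard claims are as agreed between the two parties.
    if claims.get("iss") != issuer:
        raise ValueError("issuer not as agreed")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience not as agreed")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or exp missing")
    return claims  # the payload was readable all along: signing gives integrity, not secrecy
```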

4. Real World Use Case 


Let's talk about some real-world use cases of JWT.

Use case 1: There is a requirement that some of the RESTful services developed by the enterprise be used by third parties, which means they have to be available outside the enterprise network. The enterprise then needs to protect such services against unauthorized access, and JWT is a good candidate for this scenario.

Use case 2: Securing the APIs makes the system less vulnerable to unauthorized access to our data and to other kinds of attack on the system.

Use case 3: A partner (third-party) enterprise would like to exchange information securely, for example to create accounts for its users, to trigger a fulfillment service, or to access protected resources. In this case, the third-party enterprise can be issued a JWT by the target enterprise using the Client Credentials grant type workflow. The third-party app then sends the JWT, typically in the Authorization header using the Bearer scheme, and makes the required service calls.

5. JWT Flow: Sequence Diagram


To make everything clear, here is the sequence diagram for the JWT workflow, which is self-explanatory. Here,
- Client is the third-party app,
- Application is the target application,
- Admin is the internal app of the target application.


6. Conclusion


JWT provides a stateless authentication mechanism, as the user state is never saved in server memory. The server's protected routes check for a valid JWT in the Authorization header and, if one is present, the user is allowed in. Since JWTs are self-contained, all the necessary information is there, reducing the need to go back and forth to the database. One can also fully rely on stateless data APIs for information exchange.

Hoping that this article helps you understand the different use cases where JWT can be used and what kinds of use cases enterprises are using JWT for. Happy Learning!!:-)