JSON Web Token

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Cloud200 (talk | contribs) at 16:35, 8 May 2015 (new article). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

JSON Web Token (JWT) is a JSON-based open standard for passing claims between parties in a web application environment. The tokens are designed to be URL-safe and are especially suited to web browser single sign-on (SSO) scenarios. JWT claims are typically used to pass the identity of authenticated users between an identity provider and a service provider, but they can carry any other type of claim required by business processes. The tokens can also be authenticated and encrypted.

Structure

The following example token payload, issued by an identity provider, states that John Doe is an administrator:

{ "iss": "Identity Provider", "name": "John Doe", "admin": true }

The claims are sent together with a header that declares the cryptographic message authentication code protecting them (HMAC with SHA-256 in the following example):

{ "typ": "JWT", "alg": "HS256" }

After canonicalization both structures are Base64url-encoded, and the declared message authentication code is calculated over the two encoded strings joined by a dot. The output is three Base64url strings separated by dots that can easily be passed in HTML and HTTP environments, while being more compact than XML-based standards such as SAML.
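As an added example that is not part of the article, the following Python builds the three-part token from the two JSON structures above and verifies it again on the receiving side; the signing key is a constructed demo value, and the verifier pins the expected algorithm before checking the MAC.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values; a real deployment uses a random secret kept out of source.
KEY = b"constructed-demo-key"
HEADER = {"typ": "JWT", "alg": "HS256"}
CLAIMS = {"iss": "Identity Provider", "name": "John Doe", "admin": True}


def b64url_encode(data: bytes) -> str:
    """Base64url as JWT uses it: URL-safe alphabet, trailing '=' padding removed."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the stripped padding, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_jwt(header: dict, claims: dict, key: bytes) -> str:
    """Return header.payload.signature with HMAC-SHA256 over 'header.payload'."""
    # Compact JSON (no whitespace) so the encoded segments are stable.
    h = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def verify_jwt(token: str, key: bytes, expected_alg: str = "HS256"):
    """Return the claims if the MAC is valid for the pinned algorithm, else None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        if header.get("alg") != expected_alg:
            return None  # never trust the algorithm named inside the token
        expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None  # constant-time comparison of the MAC
        return json.loads(b64url_decode(p))
    except ValueError:  # malformed segment count, Base64 or JSON
        return None


if __name__ == "__main__":
    token = encode_jwt(HEADER, CLAIMS, KEY)
    print(token)
    print(verify_jwt(token, KEY))
```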